CML1 and CML2 netfilter configuration

William Stearns wstearns@pobox.com
Wed, 5 Jul 2000 00:27:44 -0400 (EDT)


Good day, all,
	I had a question about the way the menu choices were set in both
the existing kernel configuration language and in Eric's new CML2.

if [ "$CONFIG_IP_NF_CONNTRACK" != "y" ]; then
  if [ "$CONFIG_IP_NF_IPTABLES" != "y" ]; then
    tristate 'ipchains (2.2-style) support' CONFIG_IP_NF_COMPAT_IPCHAINS
    if [ "$CONFIG_IP_NF_COMPAT_IPCHAINS" != "n" ]; then
      define_bool CONFIG_IP_NF_NAT_NEEDED y
    fi
    if [ "$CONFIG_IP_NF_COMPAT_IPCHAINS" != "y" ]; then
      tristate 'ipfwadm (2.0-style) support' CONFIG_IP_NF_COMPAT_IPFWADM
      if [ "$CONFIG_IP_NF_COMPAT_IPFWADM" != "n" ]; then
        define_bool CONFIG_IP_NF_NAT_NEEDED y
      fi
    fi
  fi
fi

	If I'm reading this correctly, it looks as if the choice for
ipfwadm only shows up if ipchains is not built in.  I suppose this is an
unfortunate side effect of the old "conntrack, ipchains, and ipfwadm don't
play nice together when doing dependencies" problem.
	It looks like one could build them all as modules, but as soon as
conntrack is embedded into the kernel, ipchains and ipfwadm disappear, and
as soon as ipchains is embedded, ipfwadm disappears.  Am I reading that
correctly?

	Now for CML2:

menu ipv4_netfilter # IP netfilter configuration
    IP_NF_CONNTRACK? {IP_NF_FTP?} IP_NF_QUEUE?
    IP_NF_IPTABLES? {
        IP_NF_MATCH_LIMIT? IP_NF_MATCH_MAC? IP_NF_MATCH_MARK?
        IP_NF_MATCH_MULTIPORT? IP_NF_MATCH_TOS? IP_NF_MATCH_STATE?
        IP_NF_MATCH_UNCLEAN? IP_NF_MATCH_OWNER?
        IP_NF_FILTER? {IP_NF_TARGET_REJECT? IP_NF_TARGET_MIRROR?}
        IP_NF_NAT? {IP_NF_TARGET_MASQUERADE? IP_NF_TARGET_REDIRECT?}
        IP_NF_MANGLE? {IP_NF_TARGET_TOS? IP_NF_TARGET_MARK?
        IP_NF_TARGET_LOG?}
    }
    IP_NF_COMPAT_IPCHAINS? {IP_NF_COMPAT_IPFWADM?}

	From this last line, it looks like ipfwadm only shows up if
ipchains=m or =y.  I'm not sure that's correct; wouldn't it be legal to
have ipfwadm=m or =y even if ipchains=n?
	Cheers,
	- Bill

---------------------------------------------------------------------------
	Like the ad says, at 300 dpi you can tell she's wearing a
swimsuit. At 600 dpi you can tell it's wet. At 1200 dpi you can tell it's
painted on. I suppose at 2400 dpi you can tell if the paint is giving her
a rash. (So says Joshua R. Poulson)
(Courtesy of Bob Taylor <brtaylor@qtpi.lakewood.ca.us>)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com).  Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at:                http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------
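As an added example (not part of Bill's message and not the kernel's own Configure script), the POSIX shell snippet below stubs the config.in helpers `tristate` and `define_bool`, then re-runs the CML1 fragment from the message with pre-chosen answers for the four symbols, so the visibility reading above (conntrack=y hides both compat options, ipchains=y hides ipfwadm) can be checked directly. Assumptions: the real helpers prompt interactively, whereas here the answer is taken from each variable's preset value; the function name `netfilter_compat_prompts` and the recording stubs are mine.

```shell
#!/bin/sh
# Stubbed config.in helpers (assumption: the real ones prompt the user;
# these only record which prompts would be offered and which symbols forced).
VISIBLE=""
DEFINED=""

tristate() {            # $1 = prompt text, $2 = config symbol being asked
    VISIBLE="$VISIBLE $2"
}
define_bool() {         # $1 = symbol, $2 = forced value (deduplicated)
    case " $DEFINED " in
        *" $1=$2 "*) ;;
        *) DEFINED="$DEFINED $1=$2" ;;
    esac
}

# Evaluate the CML1 netfilter compat fragment for given answers.
# Usage: netfilter_compat_prompts CONNTRACK IPTABLES IPCHAINS IPFWADM
# Prints "prompts=[...] defined=[...]" for those settings.
netfilter_compat_prompts() {
    CONFIG_IP_NF_CONNTRACK=$1
    CONFIG_IP_NF_IPTABLES=$2
    CONFIG_IP_NF_COMPAT_IPCHAINS=$3
    CONFIG_IP_NF_COMPAT_IPFWADM=$4
    VISIBLE=""; DEFINED=""
    # The fragment itself, verbatim from the 2.4-era config.in logic quoted above.
    if [ "$CONFIG_IP_NF_CONNTRACK" != "y" ]; then
      if [ "$CONFIG_IP_NF_IPTABLES" != "y" ]; then
        tristate 'ipchains (2.2-style) support' CONFIG_IP_NF_COMPAT_IPCHAINS
        if [ "$CONFIG_IP_NF_COMPAT_IPCHAINS" != "n" ]; then
          define_bool CONFIG_IP_NF_NAT_NEEDED y
        fi
        if [ "$CONFIG_IP_NF_COMPAT_IPCHAINS" != "y" ]; then
          tristate 'ipfwadm (2.0-style) support' CONFIG_IP_NF_COMPAT_IPFWADM
          if [ "$CONFIG_IP_NF_COMPAT_IPFWADM" != "n" ]; then
            define_bool CONFIG_IP_NF_NAT_NEEDED y
          fi
        fi
      fi
    fi
    echo "prompts=[${VISIBLE# }] defined=[${DEFINED# }]"
}

# Walk a few constructed settings: CONNTRACK IPTABLES IPCHAINS IPFWADM.
for settings in "n n m m" "y n m m" "n n y m" "n n n n"; do
    echo "$settings -> $(netfilter_compat_prompts $settings)"
done
```

With conntrack=y the function reports no prompts at all, and with ipchains=y only the ipchains prompt is reported, which matches the reading in the message.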