2.6.20 iptables nat Problem?

 
 
Doug Mitton

 
      02-05-2007, 03:13 AM

Is anyone aware of the change that causes this problem ... I'm
researching but I thought I'd ask in case it's a common "issue".

I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
2.6.19 settings.

On reboot the NAT module isn't available and all my iptables commands
fail and my intranet isn't working.

Anyone have a similar experience? Any solutions?

Thanks in advance.
--
------------------------------------------------
http://www3.sympatico.ca/dmitton
SPAM Reduction: Remove "x." from my domain.
------------------------------------------------

--
Posted via a free Usenet account from http://www.teranews.com

 
 
 
 
 
Grant

 
      02-05-2007, 03:49 AM
On Sun, 04 Feb 2007 23:13:26 -0500, Doug Mitton <(E-Mail Removed)> wrote:

>
>Is anyone aware of the change that causes this problem ... I'm
>researching but I thought I'd ask in case it's a common "issue".
>
>I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
>2.6.19 settings.
>
>On reboot the NAT module isn't available and all my iptables commands
>fail and my intranet isn't working.
>
>Anyone have a similar experience? Any solutions?


Pay attention to the netfilter settings, I think there were some
gratuitous option name changes.

Grant.
--
http://bugsplatter.mine.nu/
 
 
Doug Mitton

 
      02-05-2007, 01:23 PM
Grant <g_r_a_n_t_@dodo.com.au> wrote:

>On Sun, 04 Feb 2007 23:13:26 -0500, Doug Mitton <(E-Mail Removed)> wrote:
>
>>Is anyone aware of the change that causes this problem ... I'm
>>researching but I thought I'd ask in case it's a common "issue".
>>
>>I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
>>2.6.19 settings.
>>
>>On reboot the NAT module isn't available and all my iptables commands
>>fail and my intranet isn't working.
>>
>>Anyone have a similar experience? Any solutions?

>
>Pay attention to the netfilter settings, I think there were some
>gratuitous option name changes.
>
>Grant.


What a strange change to be making ... I think I've found all the
hidden options, at least my .config looks like the recommended one from
the Usenet posts I can find.

I'm just recompiling now, I'll see how it goes.

Thanks for the pointer. It took many attempts to get the correct
search stanza for a coherent result. It's surprising how few posts
I've seen on this.


 
 
Doug Mitton

 
      02-05-2007, 04:45 PM
Doug Mitton <(E-Mail Removed)> wrote:

>Grant <g_r_a_n_t_@dodo.com.au> wrote:
>
>>On Sun, 04 Feb 2007 23:13:26 -0500, Doug Mitton <(E-Mail Removed)> wrote:
>>
>>>Is anyone aware of the change that causes this problem ... I'm
>>>researching but I thought I'd ask in case it's a common "issue".
>>>
>>>I just compiled the new 2.6.20 kernel, doing an oldconfig with my old
>>>2.6.19 settings.
>>>
>>>On reboot the NAT module isn't available and all my iptables commands
>>>fail and my intranet isn't working.
>>>
>>>Anyone have a similar experience? Any solutions?

>>
>>Pay attention to the netfilter settings, I think there were some
>>gratuitous option name changes.
>>
>>Grant.

>
>What a strange change to be making ... I think I've found all the
>hidden options, at least my .config looks like the recommended one from
>the Usenet posts I can find.
>
>I'm just recompiling now, I'll see how it goes.
>
>Thanks for the pointer. It took many attempts to get the correct
>search stanza for a coherent result. It's surprising how few posts
>I've seen on this.


Well, the new configuration worked. It took some poking around but I
finally made the .config look like the one posted here:

http://groups.google.com/group/fa.li...c96d11c364c850

Go back about 4 responses in this thread (to Sun, Jan 21, 2007 at
11:48:07AM -0500)

Hope this helps someone else!


 
 
Pascal Hambourg

 
      02-05-2007, 05:45 PM
Hello,

Grant wrote:
>
> Pay attention to the netfilter settings, I think there were some
> gratuitous option name changes.


"Gratuitous"?
Linux 2.6.20 offers two mutually exclusive connection tracking and NAT
frameworks:
- the old legacy IPv4-only ip_conntrack/ip_nat;
- the new layer-3-independent nf_conntrack/nf_nat, which supports IPv6.

So I guess separate option names are needed for each framework.

The new nf_conntrack framework was introduced in Linux 2.6.15 but may
have remained rather unnoticed because it lacked support for NAT and
connection tracking for many "special" protocols (PPTP, H.323, IRC DCC,
SIP...) until Linux 2.6.20, so the old ip_conntrack was still the
default. Now that the new nf_conntrack/nf_nat framework is "complete", it
will eventually replace the old ip_conntrack.
 
 
Doug Mitton

 
      02-05-2007, 06:39 PM
Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:

>Hello,
>
>Grant wrote:
>>
>> Pay attention to the netfilter settings, I think there were some
>> gratuitous option name changes.

>
>"Gratuitous"?
>Linux 2.6.20 offers two mutually exclusive connection tracking and NAT
>frameworks:
>- the old legacy IPv4-only ip_conntrack/ip_nat;
>- the new layer-3-independent nf_conntrack/nf_nat, which supports IPv6.
>
>So I guess separate option names are needed for each framework.
>
>The new nf_conntrack framework was introduced in Linux 2.6.15 but may
>have remained rather unnoticed because it lacked support for NAT and
>connection tracking for many "special" protocols (PPTP, H.323, IRC DCC,
>SIP...) until Linux 2.6.20, so the old ip_conntrack was still the
>default. Now that the new nf_conntrack/nf_nat framework is "complete", it
>will eventually replace the old ip_conntrack.


There are some days I wish we could go back to the "old" stable vs
development code streams. A change like this one could mean some BIG
configuration changes to an installed system.

I've always tried to keep updated to the current stable kernel but
this is making it a little more difficult if you're not a developer
... and up-to-date on the changes.

Thanks for the explanation.


 
 
Doug Mitton

 
      02-08-2007, 11:27 AM
Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:

>Hello,
>
>Grant wrote:
>>
>> Pay attention to the netfilter settings, I think there were some
>> gratuitous option name changes.

>
>"Gratuitous"?
>Linux 2.6.20 offers two mutually exclusive connection tracking and NAT
>frameworks:
>- the old legacy IPv4-only ip_conntrack/ip_nat;
>- the new layer-3-independent nf_conntrack/nf_nat, which supports IPv6.
>
>So I guess separate option names are needed for each framework.
>
>The new nf_conntrack framework was introduced in Linux 2.6.15 but may
>have remained rather unnoticed because it lacked support for NAT and
>connection tracking for many "special" protocols (PPTP, H.323, IRC DCC,
>SIP...) until Linux 2.6.20, so the old ip_conntrack was still the
>default. Now that the new nf_conntrack/nf_nat framework is "complete", it
>will eventually replace the old ip_conntrack.


Do you know of any "official" URLs that discuss this change and what
changes must be made to firewall rules to use the new framework?

I want to start migrating my scripts to the new system.

Thanks!

 
 
Pascal Hambourg

 
      02-08-2007, 07:11 PM
Doug Mitton wrote:
>
> Do you know of any "official" URLs that discuss this change and what
> changes must be made to firewall rules to use the new framework?


No, and AFAIK there are no userland changes. Some module names change
(for instance ip_conntrack_xx becomes nf_conntrack_xx) but aliases with
the old names have been defined, so the transition to nf_conntrack
should be transparent for most iptables rulesets.
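Pascal's two explanations above (the two mutually exclusive frameworks, and the renamed modules behind compatibility aliases) suggest a quick check to run on a freshly built .config before rebooting into it, which is where the original poster's NAT table went missing. The following POSIX sh script is an added example, not code from this thread: it reports which framework the config selects and whether the matching NAT option is on, and flags a config that selects both. The option names are assumed to be the 2.6.20 Kconfig symbols, and the sample fragments are constructed.

```shell
#!/bin/sh
# Added example: check which netfilter conntrack/NAT framework a 2.6.20-era
# kernel .config enables. The option names are assumed to be the 2.6.20
# Kconfig symbols: CONFIG_IP_NF_* is the legacy ip_conntrack/ip_nat stack,
# CONFIG_NF_* the newer nf_conntrack/nf_nat stack.

# cfg_has CONFIG_TEXT SYMBOL: true if SYMBOL is built in (y) or a module (m)
cfg_has() {
    printf '%s\n' "$1" | grep -q "^$2=[ym]\$"
}

# nat_framework CONFIG_TEXT
# Prints one of: legacy-nat legacy-no-nat nf-nat nf-no-nat conflict none
nat_framework() {
    cfg="$1"
    legacy=0; nf=0
    cfg_has "$cfg" CONFIG_IP_NF_CONNTRACK && legacy=1
    cfg_has "$cfg" CONFIG_NF_CONNTRACK && cfg_has "$cfg" CONFIG_NF_CONNTRACK_IPV4 && nf=1

    if [ "$legacy" = 1 ] && [ "$nf" = 1 ]; then
        echo conflict   # the two frameworks are mutually exclusive
    elif [ "$legacy" = 1 ]; then
        # legacy stack: NAT is CONFIG_IP_NF_NAT (ip_nat module)
        if cfg_has "$cfg" CONFIG_IP_NF_NAT; then echo legacy-nat; else echo legacy-no-nat; fi
    elif [ "$nf" = 1 ]; then
        # new stack: NAT is CONFIG_NF_NAT (nf_nat module)
        if cfg_has "$cfg" CONFIG_NF_NAT; then echo nf-nat; else echo nf-no-nat; fi
    else
        echo none       # no connection tracking at all, so no NAT either
    fi
}

# Constructed sample .config fragments (not taken from the thread).
LEGACY_CFG='CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_NAT=m'
# The kind of result an oldconfig run can leave: new framework, NAT unset.
NF_NO_NAT_CFG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_NF_NAT is not set'
# The same config with NAT switched on under the new framework.
NF_NAT_CFG="$(printf '%s\n' "$NF_NO_NAT_CFG" | sed 's/^# CONFIG_NF_NAT is not set$/CONFIG_NF_NAT=m/')"

# Stand-alone use: sh nat_framework.sh /usr/src/linux/.config
if [ $# -eq 1 ]; then nat_framework "$(cat "$1")"; fi
```

A result of nf-no-nat or legacy-no-nat means iptables -t nat will fail after the reboot; conflict means the choice between the two frameworks still has to be made in menuconfig.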
 