| 1 |
John Dangler schreef: |
| 2 |
> Holly~ The Firestarter kernel requirements doc says - |
| 3 |
> |
| 4 |
> *Device drivers *Networking support [y] *Networking support |
| 5 |
> *Networking options *Network packet filtering [y] *Network packet |
| 6 |
> filtering IP: Netfilter Configuration (*) |
| 7 |
> |
| 8 |
> "We recommend you enable _everything_ except ipchains support and |
| 9 |
> ipfwadm support as modules under this menu" |
| 10 |
|
| 11 |
I never read this as meaning that everything should be selected, but |
| 12 |
rather that everything that you select under this menu, other than |
| 13 |
ipchains support and ipfwadm, should be selected as a module rather than |
| 14 |
static. But even then, they further explain that this is mostly to save |
| 15 |
size and memory in the kernel, rather than some actual necessity. |
| 16 |
|
| 17 |
And of course, the docs further say |
| 18 |
> At the very least, the Connection tracking, IP tables, Connection |
| 19 |
> state match support, Connection tracking match support, Packet |
| 20 |
> filtering, Full NAT and the LOG target support |
| 21 |
|
| 22 |
|
| 23 |
My config looks like this: |
| 24 |
|
| 25 |
CONFIG_IP_NF_CONNTRACK=y |
| 26 |
# CONFIG_IP_NF_CT_ACCT is not set |
| 27 |
# CONFIG_IP_NF_CONNTRACK_MARK is not set |
| 28 |
# CONFIG_IP_NF_CT_PROTO_SCTP is not set |
| 29 |
# CONFIG_IP_NF_FTP is not set |
| 30 |
# CONFIG_IP_NF_IRC is not set |
| 31 |
# CONFIG_IP_NF_TFTP is not set |
| 32 |
# CONFIG_IP_NF_AMANDA is not set |
| 33 |
CONFIG_IP_NF_QUEUE=y |
| 34 |
CONFIG_IP_NF_IPTABLES=y |
| 35 |
CONFIG_IP_NF_MATCH_LIMIT=y |
| 36 |
CONFIG_IP_NF_MATCH_IPRANGE=y |
| 37 |
CONFIG_IP_NF_MATCH_MAC=y |
| 38 |
CONFIG_IP_NF_MATCH_PKTTYPE=y |
| 39 |
CONFIG_IP_NF_MATCH_MARK=y |
| 40 |
CONFIG_IP_NF_MATCH_MULTIPORT=y |
| 41 |
CONFIG_IP_NF_MATCH_TOS=y |
| 42 |
CONFIG_IP_NF_MATCH_RECENT=y |
| 43 |
CONFIG_IP_NF_MATCH_ECN=y |
| 44 |
CONFIG_IP_NF_MATCH_DSCP=y |
| 45 |
CONFIG_IP_NF_MATCH_AH_ESP=y |
| 46 |
CONFIG_IP_NF_MATCH_LENGTH=y |
| 47 |
CONFIG_IP_NF_MATCH_TTL=y |
| 48 |
CONFIG_IP_NF_MATCH_TCPMSS=y |
| 49 |
CONFIG_IP_NF_MATCH_HELPER=y |
| 50 |
CONFIG_IP_NF_MATCH_STATE=y |
| 51 |
CONFIG_IP_NF_MATCH_CONNTRACK=y |
| 52 |
CONFIG_IP_NF_MATCH_OWNER=y |
| 53 |
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set |
| 54 |
# CONFIG_IP_NF_MATCH_REALM is not set |
| 55 |
# CONFIG_IP_NF_MATCH_SCTP is not set |
| 56 |
# CONFIG_IP_NF_MATCH_COMMENT is not set |
| 57 |
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set |
| 58 |
CONFIG_IP_NF_FILTER=y |
| 59 |
CONFIG_IP_NF_TARGET_REJECT=y |
| 60 |
CONFIG_IP_NF_TARGET_LOG=y |
| 61 |
CONFIG_IP_NF_TARGET_ULOG=y |
| 62 |
CONFIG_IP_NF_TARGET_TCPMSS=y |
| 63 |
CONFIG_IP_NF_NAT=y |
| 64 |
CONFIG_IP_NF_NAT_NEEDED=y |
| 65 |
CONFIG_IP_NF_TARGET_MASQUERADE=y |
| 66 |
CONFIG_IP_NF_TARGET_REDIRECT=y |
| 67 |
CONFIG_IP_NF_TARGET_NETMAP=y |
| 68 |
CONFIG_IP_NF_TARGET_SAME=y |
| 69 |
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set |
| 70 |
CONFIG_IP_NF_MANGLE=y |
| 71 |
CONFIG_IP_NF_TARGET_TOS=y |
| 72 |
CONFIG_IP_NF_TARGET_ECN=y |
| 73 |
CONFIG_IP_NF_TARGET_DSCP=y |
| 74 |
CONFIG_IP_NF_TARGET_MARK=y |
| 75 |
CONFIG_IP_NF_TARGET_CLASSIFY=y |
| 76 |
CONFIG_IP_NF_RAW=m |
| 77 |
CONFIG_IP_NF_TARGET_NOTRACK=m |
| 78 |
CONFIG_IP_NF_ARPTABLES=y |
| 79 |
CONFIG_IP_NF_ARPFILTER=y |
| 80 |
CONFIG_IP_NF_ARP_MANGLE=y |
| 81 |
|
| 82 |
As you see, I haven't even followed the instructions properly (all this |
| 83 |
stuff is static), but, as the docs also say it will, Firestarter seems |
| 84 |
to work fine (because all the 'required elements' are enabled. |
| 85 |
|
| 86 |
Maybe I'll go back through make menuconfig and clean that all up, just |
| 87 |
so I know what I'm doing in future. But afaik, I just left the kernel |
| 88 |
defaults in place (as about all I know about these settings is that 1) |
| 89 |
I'm not using ipv6, and 2) anything that is needed for a router I don't |
| 90 |
need, because I'm not a router :) ). |
| 91 |
|
| 92 |
It rather sounds like Hans-Werner is onto something; often, when you |
| 93 |
change your kernel configuration, you have to rebuild any external |
| 94 |
modules against the new base, which you don't seem to have done. |
| 95 |
Otherwise the external module thinks that functions are available that |
| 96 |
it has to modprobe (because the functionality has changed from static to |
| 97 |
module), and vice versa (if the functionality has changed from module to |
| 98 |
static). |
| 99 |
|
| 100 |
If I reconfigure my kernel to modify a sound module, then no, I don't |
| 101 |
have to re-emerge the ati-drivers (because the kernel change is |
| 102 |
irrelevant to the external module), but the same wouldn't be true if I |
| 103 |
changed /dev/agpgart from static to a module. |
| 104 |
|
| 105 |
In this case, you certainly are changing kernel options relevant to the |
| 106 |
external modules, so those would have to be re-emerged against the new |
| 107 |
kernel congiguration. |
| 108 |
|
| 109 |
HTH, |
| 110 |
Holly |
| 111 |
|
| 112 |
|
| 113 |
|
| 114 |
-- |
| 115 |
gentoo-user@g.o mailing list |
Archives