Re: layer7 (l7-filter) compatible with f8 kernel?


 



On Dec 5, 2007 7:02 PM, Neal Becker <ndbecker2@xxxxxxxxx> wrote:
> Anyone know if the f8 kernel (kernel-2.6.23.8-63) is compatible with
> l7-filter-userspace?  Doesn't seem to work:
>
> sudo /sbin/modprobe -v ip_conntrack_netlink
> insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/ipv4/netfilter/nf_nat.ko
> insmod /lib/modules/2.6.23.8-63.fc8/kernel/net/netfilter/nf_conntrack_netlink.ko
> [nbecker@nbecker1 l7-filter-userspace-v0.4]$ /usr/bin/l7-filter --help
>
>                       ***WARNING***
> The ip_conntrack_netlink module does not appear to be loaded.
> Unless you have it compiled into your kernel, please load it
> and run l7-filter again.
>

Hi Neal Becker!

Thanks for widening my education.  I am no expert but love looking at
this new network stuff!

From: http://l7-filter.sourceforge.net/HOWTO-userspace

I see (note the part about "Linux 2.6.20 and newer"):
------------------------------------------------------
Kernel

For Linux 2.6.19.7 and older, you simply need to have connection
tracking and the connection tracking netlink interface enabled. I
think that this is the default in most cases. (XXX what is the oldest
version of Linux that has these capabilities? 2.6.14, I think. Needs
testing.)

For Linux 2.6.20 and newer, Netfilter has new "Layer 3 Independent
Connection tracking" which l7-filter is not yet compatible with
(mostly due to lack of library support from libnetfilter_conntrack).
While the old layer 3 dependent connection tracking is still
available, it is not selected by default, so you will probably need to
recompile your kernel with it. In the Linux kernel config, go to
Networking → Networking options → Network packet filtering framework
(Netfilter) → Core Netfilter Configuration. Under "Netfilter
connection tracking support", select "Layer 3 Dependent Connection
tracking (OBSOLETE)". Then go to Networking → Networking options →
Network packet filtering framework → IP: Netfilter Configuration and
enable "Connection tracking netlink interface" (and probably most of
the rest of the stuff on that page). This is a pain in the ass, sorry!

Either way, you need the module ip_conntrack_netlink or the same code
compiled into your kernel.
----------------------------------------------
Which seems pertinent.

Have Fun!

Tod
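
The check that the quoted HOWTO implies, as an added example that is not part of the original messages or of l7-filter: it classifies a /proc/modules listing by which conntrack netlink module is loaded and applies the HOWTO's 2.6.20 cut-off. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# conntrack_flavour MODULES_TEXT -> legacy | l3-independent | none
# MODULES_TEXT uses the /proc/modules layout (module name in column 1).
# Code built into the kernel is not listed there, so "none" is not proof.
conntrack_flavour() {
    printf '%s\n' "$1" | awk '
        $1 == "ip_conntrack_netlink" { legacy = 1 }
        $1 == "nf_conntrack_netlink" { l3ind = 1 }
        END {
            if (legacy)     print "legacy"
            else if (l3ind) print "l3-independent"
            else            print "none"
        }'
}

# kernel_is_2_6_20_or_newer RELEASE   (e.g. 2.6.23.8-63.fc8)
# Exit status 0 when RELEASE >= 2.6.20, the cut-off named in the HOWTO.
kernel_is_2_6_20_or_newer() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        if ($1 + 0 != 2) exit !($1 + 0 > 2)
        if ($2 + 0 != 6) exit !($2 + 0 > 6)
        exit !($3 + 0 >= 20)
    }'
}

# l7_userspace_verdict RELEASE MODULES_TEXT
# Live use: l7_userspace_verdict "$(uname -r)" "$(cat /proc/modules)"
l7_userspace_verdict() {
    case $(conntrack_flavour "$2") in
        legacy) echo "ok: ip_conntrack_netlink is loaded" ;;
        l3-independent)
            echo "incompatible: only nf_conntrack_netlink (Layer 3 independent) is loaded" ;;
        none)
            if kernel_is_2_6_20_or_newer "$1"; then
                echo "missing: kernel $1 needs Layer 3 dependent conntrack, see HOWTO"
            else
                echo "missing: load ip_conntrack_netlink"
            fi ;;
    esac
}

# Constructed sample matching the modprobe output quoted in the thread.
SAMPLE_MODULES='nf_conntrack_netlink 22017 0 - Live 0x00000000
nf_nat 20973 1 nf_conntrack_netlink, Live 0x00000000
nf_conntrack 61385 2 nf_conntrack_netlink,nf_nat, Live 0x00000000'
l7_userspace_verdict "2.6.23.8-63.fc8" "$SAMPLE_MODULES"
```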

