----- Original Message -----
From: "John DeDourek" <dedourek@xxxxxx>
The netfilter code in the kernel that actually implements the packet filtering requires various modules be loaded to perform the tests and actions required by each of these rules. I believe that the kernel (or the iptables utility) automatically loads the modules required by each rule when that rule is handed over to the kernel for incorporation into the netfilter "tables".
Embarrassingly, I found that I was explicitly "modprobe ip_conntrack_ftp" the module with my self-made iptable bash script. For a moment my thinking was like yours. I got to wondering that if I only make some udp iptables rules for sip phone devices, then how would ip_conntrack_sip load up all by itself? By port number? I was thinking that ip_conntrack_ftp was loading up just because I had port 20 and port 21 open.... duh!
No, I don't think that the kernel would ever be smart enough to load an ip module based on TCP/IP port number because ports can be easily redefined. However, kernels are able to autoload device driver modules because they know more about what modules belong to which major/minor number device files.
-eric
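The practical consequence of the thread, as an added example that is not from either poster: match extensions such as `-m state` get their kernel module pulled in when the rule is inserted, but a conntrack helper (ip_conntrack_ftp, ip_conntrack_sip) belongs to no rule, so a firewall script has to check for it and load it itself. The `helper_loaded` and `ensure_helper` functions and the `DRY_RUN` switch are this example's own; the `/proc/modules` lines are constructed sample data, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Conntrack helper modules are not
# loaded by any iptables rule, so the script checks for them explicitly.
# Match modules (e.g. -m state) are loaded by iptables when the rule is added.
#
# Set DRY_RUN=0 and run as root to actually call modprobe/iptables.
DRY_RUN=${DRY_RUN:-1}

# helper_loaded NAME [MODULES_FILE]: succeed if NAME appears in the module
# list (the module name is the first field of each /proc/modules line).
helper_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "${2:-/proc/modules}"
}

# ensure_helper NAME [MODULES_FILE]: load the helper if it is missing.
# Prints "present" or "loading"; in dry-run mode the modprobe is only echoed.
ensure_helper() {
    if helper_loaded "$1" "$2"; then
        echo "present"
        return 0
    fi
    echo "loading"
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: modprobe $1" >&2
    else
        modprobe "$1"
    fi
}

# Constructed sample /proc/modules contents (not from a real host) so the
# check can be exercised without root: ftp helper loaded, sip helper absent.
SAMPLE_MODULES=$(mktemp)
cat >"$SAMPLE_MODULES" <<'EOF'
ip_conntrack_ftp 8064 0 - Live 0xffffffffa0001000
ip_conntrack 52424 1 ip_conntrack_ftp, Live 0xffffffffa0010000
ip_tables 17024 0 - Live 0xffffffffa0020000
EOF

ensure_helper ip_conntrack_ftp "$SAMPLE_MODULES"   # present
ensure_helper ip_conntrack_sip "$SAMPLE_MODULES"   # loading (dry run)

# The rule that depends on the helper: RELATED admits the data connection
# the helper tracked. Load only the helpers you need, since each one parses
# packet payloads in order to open those related connections.
if [ "$DRY_RUN" = 1 ]; then
    echo "would run: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" >&2
else
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
fi
```

Run it as-is to see which helpers would be loaded; with `DRY_RUN=0` and no second argument, `helper_loaded` reads the live `/proc/modules` and `ensure_helper` calls `modprobe` for real.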