On 12/10/2010 04:00 AM, Curtis Doty wrote:
> Yesterday Miloslav Trmač said:
>
>> Curtis Doty wrote on Wed 08. 12. 2010 at 01:02 -0800:
>>> Monday Miloslav Trmač said:
>>>
>>>> Just disable the firewall and you'll get pretty much equivalent
>>>> functionality.
>>>
>>> How? Now that the filter table and stateful connection tracking aren't
>>> modules anymore. They now appear to be built monolithic into the Fedora
>>> kernel.
>>
>> a) you trust the in-kernel firewall state connection tracking to track
>> connection state and handle unexpected packets according to the firewall
>> configuration.
>>
>> b) you trust the in-kernel protocol stack (TCP/UDP) to track connection
>> state and handle unexpected packets according to ordinary rules of the
>> protocol.
>
> Why must stateful connection tracking be imposed on every Fedora user?
>
> Don't get me wrong. I use netfilter all the time and love it. And it's
> good to install the userland iptables tools and a simple firewall by
> default. But when I'd like to choose Fedora without it (asymmetric
> routing anyone?), I now have to rebuild the kernel. [harumph!]
>
> Was there ever a good reason for making the filter table and conntrack
> modules monolithic? They certainly didn't use to be built in...
>
> ../C
>

Actually a few years ago when we tried building all netfilter helpers as
modules it turned out that some of them couldn't be unloaded afterwards as
they had cyclic ref counters. This was even discovered in fairly recent
kernels, e.g. 2.6.32, where this was still an issue with several helper
modules, though there unfortunately you were able to unload the module but
it left a memory hole there which got reused by other modules, which then
led to the inevitable OOPS at one point. Right now most of them should be
fixed, at least from the tests we were able to do.

So imho there shouldn't be anything requiring the modules to be built like
that anymore except speed reasons (see a thread on fedora-devel about this
a while ago and the performance problems of modprobe).

Thanks & regards, Phil

--
Philipp Knirsch            | Tel.:  +49-711-96437-470
Supervisor Core Services   | Fax.:  +49-711-96437-111
Red Hat GmbH               | Email: Phil Knirsch <pknirsch@xxxxxxxxxx>
Hauptstaetterstr. 58       | Web:   http://www.redhat.com/
D-70178 Stuttgart, Germany
Motd: You're only jealous cos the little penguins are talking to me.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
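An added check, not from this thread, for the two questions it raises: whether conntrack and the filter table are compiled in (Kconfig `=y`) or built as modules (`=m`), and which loaded netfilter modules cannot be removed because something still holds a reference on them. The kernel-config fragment and the /proc/modules excerpt below are constructed samples; the CONFIG_* symbols are the real Kconfig names.

```shell
#!/bin/sh
# Added example, not from the thread: classify how the netfilter pieces are
# built, and list loaded netfilter modules that rmmod would refuse to remove.
# Sample inputs are constructed; CONFIG_* names are the real Kconfig symbols.

# Constructed config fragment: conntrack and the filter table monolithic (=y),
# one helper modular (=m), one helper not built at all.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_NF_CONNTRACK_FTP is not set
CONFIG_NF_CONNTRACK_IRC=m'

# Constructed /proc/modules excerpt: name size use_count dependents state address
SAMPLE_MODULES='nf_conntrack_ftp 11963 1 - Live 0xffffffffa0123000
xt_state 1498 2 - Live 0xffffffffa0080000
nf_conntrack 79206 2 nf_conntrack_ftp,xt_state, Live 0xffffffffa0090000
iptable_filter 2793 0 - Live 0xffffffffa0070000'

# how_built SYMBOL CONFIG_TEXT -> builtin | module | absent
how_built() {
    val=$(printf '%s\n' "$2" | sed -n "s/^$1=\([ym]\)\$/\1/p")
    case $val in
        y) echo builtin ;;
        m) echo module ;;
        *) echo absent ;;
    esac
}

# pinned_modules MODULES_TEXT: modules with a nonzero use count but no dependent
# module ("-"), i.e. held by rules or by a reference that was never dropped.
pinned_modules() {
    printf '%s\n' "$1" | awk '$3 > 0 && $4 == "-" { print $1 }'
}

# Use the live kernel config and /proc/modules when readable, else the samples.
main() {
    cfg=$SAMPLE_CONFIG; mods=$SAMPLE_MODULES
    [ -r "/boot/config-$(uname -r)" ] && cfg=$(cat "/boot/config-$(uname -r)")
    [ -r /proc/modules ] && mods=$(cat /proc/modules)
    for s in CONFIG_NF_CONNTRACK CONFIG_IP_NF_FILTER CONFIG_NF_CONNTRACK_IRC; do
        printf '%-26s %s\n' "$s" "$(how_built "$s" "$cfg")"
    done
    echo "pinned netfilter modules:"
    pinned_modules "$mods" | grep -E '^(nf_|xt_|ip6?table_)' || echo "(none)"
}
main "$@"
```

A symbol reported as builtin cannot be unloaded at all, which is the situation the thread complains about; a module that shows up as pinned is loadable but will not unload until whatever holds it (rules, or a leaked reference) lets go.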