I wanted to try the experimental TARPIT module from netfilter, and because
it's experimental, neither the upstream kernel team nor Red Hat will
incorporate this into the stock kernel. This is of course perfectly
reasonable.

But since netfilter modules are kernel modules, it seems like it should be
straightforward to package them as free-standing packages. Has anyone tried
to do this? What success have you had?

Another factor is that the kernel module will need matching machinery in
the iptables userspace program to select the module and parse its options.
(e.g. for TARPIT, it would parse the "-j TARPIT" command.) I believe
currently this requires a recompile of the utility. Has any work been done
to make this more modular, with runtime selection of additional parsing
routines? That would allow the userspace parsing piece to be supplied in
the kernel module package to be dropped in a suitable directory for use at
runtime.
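As an added example (not part of the post above, and not code from netfilter or Red Hat), here is one way to lay out the two halves the post asks about as a stand-alone package: the kernel module goes to DKMS, which rebuilds it against every installed kernel, and the userspace parser ships as a shared object that iptables picks up at runtime from its extension directory (iptables maps "-j NAME" to libxt_NAME.so, with XTABLES_LIBDIR overriding the search directory). The module name xt_TARPIT, the version, the scratch directory and the /usr/lib/xtables default are assumptions for the demo; the script only generates and checks the packaging files, it does not build or load anything.

```shell
#!/bin/sh
# Added example (not from the post): skeleton for packaging an out-of-tree
# netfilter target as a stand-alone package. The kernel half is handed to
# DKMS, which rebuilds it for every installed kernel; the userspace half
# relies on iptables loading libxt_<NAME>.so at runtime from its extension
# directory, so the option parser ships as a shared object and iptables
# itself is not rebuilt. Module name, version and paths are assumptions.

MODULE_NAME="xt_TARPIT"      # kernel object, assumed name
TARGET_NAME="TARPIT"         # what follows "-j" on the iptables command line
MODULE_VERSION="0.1"         # assumed
WORK="${WORK:-$(mktemp -d)}" # scratch directory holding the generated files

# Kbuild makefile: the kernel build system compiles obj-m against the headers
# of the kernel given by KDIR (DKMS substitutes the kernel it is building for).
write_kbuild() {
    printf 'obj-m := %s.o\n' "$MODULE_NAME" > "$WORK/Makefile"
    printf 'KDIR ?= /lib/modules/$(shell uname -r)/build\n' >> "$WORK/Makefile"
    printf 'all:\n\t$(MAKE) -C $(KDIR) M=$(CURDIR) modules\n' >> "$WORK/Makefile"
    printf 'clean:\n\t$(MAKE) -C $(KDIR) M=$(CURDIR) clean\n' >> "$WORK/Makefile"
}

# dkms.conf: what to build, where it lands under /lib/modules/<ver>, and that
# it should be rebuilt automatically when a new kernel package is installed.
write_dkms_conf() {
    cat > "$WORK/dkms.conf" <<EOF
PACKAGE_NAME="$MODULE_NAME"
PACKAGE_VERSION="$MODULE_VERSION"
MAKE[0]="make KDIR=/lib/modules/\${kernelver}/build"
CLEAN="make KDIR=/lib/modules/\${kernelver}/build clean"
BUILT_MODULE_NAME[0]="$MODULE_NAME"
DEST_MODULE_LOCATION[0]="/updates/dkms"
AUTOINSTALL="yes"
EOF
}

# Sanity check used before handing the tree to "dkms add": every key DKMS
# needs to build, locate and install the module must be present.
dkms_conf_check() {
    conf="$1"
    for key in PACKAGE_NAME PACKAGE_VERSION 'MAKE\[0\]' \
               'BUILT_MODULE_NAME\[0\]' 'DEST_MODULE_LOCATION\[0\]' AUTOINSTALL; do
        grep -q "^$key=" "$conf" || return 1
    done
    return 0
}

# iptables maps "-j NAME" to libxt_NAME.so (and "-m name" to libxt_name.so),
# searched in its extension directory; XTABLES_LIBDIR overrides the default.
xtables_ext_name() {
    printf 'libxt_%s.so\n' "$1"
}

# Returns 0 if the userspace parser for a target is where iptables will look.
xtables_ext_installed() {
    dir="${XTABLES_LIBDIR:-/usr/lib/xtables}"
    [ -f "$dir/$(xtables_ext_name "$1")" ]
}

# Usage: generate the packaging skeleton and report what is still missing.
write_kbuild
write_dkms_conf
dkms_conf_check "$WORK/dkms.conf" && echo "dkms.conf in $WORK is complete"
xtables_ext_installed "$TARGET_NAME" ||
    echo "userspace parser $(xtables_ext_name "$TARGET_NAME") not installed yet"
```

With the generated tree copied to /usr/src/xt_TARPIT-0.1, the usual sequence is `dkms add`, `dkms build` and `dkms install` for the module, while the libxt_TARPIT.so built from the userspace source is dropped into the directory iptables searches; packaging both in one RPM keeps the two halves at matching versions, which matters because the option layout the parser emits must agree with what the kernel module expects.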