On Mon, Jun 23, 2003 at 02:48:44PM -0500, Gary Cote wrote: > > Can anyone brief me on whether there's any sort of master > plan to submit the netfilter patches into the kernel base? sure, we are constantly submitting patches to the 2.4.x and 2.5.x kernels. > And further, whether there's any thought to back porting > them to 2.4.x? If effort is the limiting factor, then my > company may be sufficiently motivated to cough up some > free time. Which ones are you talking about? 2.5.x work is mostly eliminating skb_linearize() from all parts of netfilter/iptables. Apart from that, almost all our patches are for 2.4.x > I'm specifically interested in the pptp-conntrack-nat patch. > I noticed that the patch modifies ip_conntrack_core.c and > ip_nat_core.c. Aside from what appear to be debug statements, > it looks like a net change of *two* lines of code. The rest of > the patch consists of new files. yes. Th reason for not submitting it is not one of it being instable or affecting too many other subsystems. The main reasons are: - still doesn't support multiple calls in one session - some people seem to have DNAT problems - it expands the ip_conntrack_tuple by at least 4 to 8 bytes, which is quite some penalty, considering there are two tuples in every connection tracking entry > Would it be possible to get only those small changes into the > kernel base? Then, we'd be able to build the GRE/PPTP helpers > as loadable modules and not have to patch the kernel. You cannot just put those two lines into the kernel, since they require the respective header files. And they increade the tuple size, see above. > We're something of a value-added reseller. We bundle our system > software within a linux workstation. We've so far managed to run > our product on off-the-shelf distros and would prefer not to get > into the business of building, shipping, and maintaining custom > kernels. I can understand that position, but you have to understand that we have different motivations for putting code into the linux kernel. -- - Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
Attachment:
pgp00485.pgp
Description: PGP signature
