
Re: AW: ipmasq support in potato kernel



Well, I called my original post "random speculation", so maybe I 
should just shut the hell up. :)  But not before one last shot at 
this...

On Thu, Aug 23, 2001 at 10:23:30PM -0500, Nathan E Norman wrote:
> On Thu, Aug 23, 2001 at 11:11:09PM -0400, Mike McGuire wrote:
> > On Thu, Aug 23, 2001 at 09:31:59PM -0500, Nathan E Norman wrote:
> > > 
> > > [this was getting too long. and it's not terribly interesting 
> > >   it is. if you've got to know, you should be able to find it.]
> >  
> >   b) IF you have the special superFOO deluxe masquerading module in 
> >         the kernel THEN you don't need ipmasq, and 
> 
> You're looking at it backwards.  If you install ipmasq (the package),
> your kernel must have firewalling support compiled in.  Otherwise the
> ipmasq package is useless.
> 
> Of course, you don't _need_ to install ipmasq to use the functionality
> you've compiled into the kernel; it just makes it easier.

OK, I know that ipmasq needs kernel firewalling support. However, I 
don't think I made clear there's also kernel masquerading support *in 
addition* to the firewalling support... So you've got firewalling and 
you want masquerading. There's a few choices:
 0) kernel firewalling, write your own masq scripts w/ ipfoo.
 1) kernel firewalling, use ipmasq's scripts.
 2) kernel firewalling and masquerading, turn it on w/ ipfoo.

Just so you don't yell at me again ;)  here's how #2 works.
    (2.4.x kernel using netfilter/iptables)
    
    (somewhere in the kernel config)
    CONFIG_IP_NF_IPTABLES=m		# general filtering
    CONFIG_IP_NF_FILTER=m		# packet filtering
    CONFIG_IP_NF_NAT=m			# Netwk Addr Translation
    CONFIG_IP_NF_NAT_NEEDED=y
    CONFIG_IP_NF_TARGET_MASQUERADE=m	# special NAT module
    
    Then to set it all up, one whole line (though this just does 
      the masquerading, no real firewalling, but I think that the 
      masq stuff was the point to this whole mess...)
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

As I understood it, the default kernel just does filtering, and maybe 
NAT. And that's all ipmasq needs to work. Perhaps the masquerading 
module is just some extra feature in 2.4.x/iptables? (That could 
explain most of this confusion. arg. (But then, me being completely 
wrong could too. I hope that's not it. ;)  )


> > [more blather]
> >  
> I don't understand what you're on about with this "faster" stuff.  IP
> Masq support in the kernel is ip masq support.  It doesn't work
> automatically; you have to configure it.  The ipmasq package does
> exactly that.

eh. When you said you'd recommend a custom kernel "especially if 
you're manipulating packets", I just assumed you thought it was 
faster too. And I still think the difference is that it's *not* 
IP masq support in the kernel when using ipmasq; it's IP masq in 
user space using the kernel IP filter support. The IP_FOO_MASQ 
module I mentioned above is obviously kernel IP masq support, so 
if I'm right about all that- and I hope I am- kernel code should 
be faster vs. user space code.


But then, I could be wrong. Quite likely, in fact. If I am, just 
tell everyone that I'm an idiot, and why, and as simply as can be 
done to prevent eating away any more of their bandwidth. Now I've 
got tv to watch, and I've got to throw some stuff together so I 
can leave for school tomorrow, so I'm done. No more. :)


Respectfully submitted, Yours etc., and this time I quit. Really. :)
Mike McGuire
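[Editor's added example, not part of Mike's mail and not the ipmasq package's own scripts.] The one-line MASQUERADE rule above does exactly what the mail says: it masquerades and nothing else, leaving the FORWARD chain at its default ACCEPT policy, so anything arriving on ppp0 can be routed straight onto the LAN. The script below is what "option 2" looks like with the filtering half added: the same kernel NAT target, restricted to the LAN's source range, plus a FORWARD chain that only lets replies back in. It assumes a 2.4.x kernel with the CONFIG_IP_NF_* options quoted in the mail plus CONFIG_IP_NF_CONNTRACK and CONFIG_IP_NF_MATCH_STATE (needed for -m state, not shown in the mail's list), and assumes ppp0 is the dynamic-address uplink and eth0 / 192.168.1.0/24 the inside; those names and the 2.4 module names are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the original mail): "option 2", kernel netfilter
# NAT + MASQUERADE, with the FORWARD filtering the one-liner omits.
# Assumptions: 2.4.x kernel with the CONFIG_IP_NF_* options from the mail
# plus CONFIG_IP_NF_CONNTRACK and CONFIG_IP_NF_MATCH_STATE; ppp0 is the
# dynamic-address uplink, eth0 / 192.168.1.0/24 the internal LAN.

WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# masq_rules WAN LAN LAN_NET
# Print the iptables commands instead of running them, so the rule set can
# be read (or tested) before it goes onto a live router. Nothing here
# touches the kernel.
masq_rules() {
    r_wan=$1 r_lan=$2 r_net=$3
    cat <<EOF
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $r_net -o $r_wan -j MASQUERADE
iptables -A FORWARD -i $r_lan -o $r_wan -s $r_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $r_wan -o $r_lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_rules WAN LAN LAN_NET
# Enable forwarding, load the modules (everything is =m in the mail's
# config; these are the 2.4.x module names, assumed) and install the rules.
# Needs root.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    for m in ip_tables iptable_filter ip_conntrack ipt_state iptable_nat ipt_MASQUERADE; do
        modprobe "$m"
    done
    masq_rules "$@" | sh -e
}

# Dry run by default (just prints the rules); "apply" actually installs them.
case "${1:-show}" in
    apply) apply_rules "$WAN" "$LAN" "$LAN_NET" ;;
    show)  masq_rules "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

Two things in there are the practitioner's checks on the bare one-liner. First, the MASQUERADE rule carries -s 192.168.1.0/24 as well as -o ppp0: without the source restriction the box will happily rewrite and forward packets with any source address that show up on the inside, which is how a masquerading host becomes a launch point for spoofed traffic. Second, FORWARD gets a DROP policy and only ESTABLISHED,RELATED is allowed back in from ppp0, so the masquerading gateway is also a stateful firewall rather than an open router with address rewriting bolted on. Run it with no argument to see the rules, and with "apply" as root to install them.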


