Changes from 2.2.x to 2.4.x

The biggest change from the 2.2.x series of kernels to the 2.4.x series, at least as far as networking is concerned, is the migration from ipchains to the Netfilter architecture. Netfilter facilitates a new level of services, including stateful packet filtering and better NAT.

The introduction of Netfilter allows Linux to handle some of the more sophisticated routing through a Linux box. For anyone new to Linux, this is a huge boon with no real drawbacks. For experienced Linux admins, it means learning (again) a new set of tools to manage packet filtering and NAT. Of course, optimists will simply see it as job security and an interesting exercise in extending their current skills.

Stateful inspection of packets increases security and efficiency. It also, to some extent, increases complexity in configuration; but it’s more than a fair trade-off for the capabilities you will have.

In the 2.2.x series of kernels, Source NAT (SNAT), Destination NAT (DNAT), and redirection aren’t even options. However, Netfilter makes configuring these types of NAT relatively painless and dramatically improves the routing capabilities of Linux.

More on Netfilter

Netfilter/iptables is also used for IP Masquerading and setting up firewalls. Chapter 14, “Security and NAT Issues,” walks you through the use of Netfilter/iptables to set up IP Masquerading, firewall rules, and NAT.

Enabling ipfwadm and ipchains Support

Though we cover kernel configuration more thoroughly in Chapter 13, “Building a Routing Kernel,” we wanted to cover migrating your ipfwadm or ipchains setups here.

We think that iptables is a much better tool for setting up firewalls and NAT; but for ease of migration, the 2.4.x kernel provides compatibility modules for both ipfwadm and ipchains.

When compiling a new kernel, be sure to enable support for development drivers and code. When using menuconfig or xconfig, you’ll find this option under the menu item Code Maturity Level Options. The only choice given under this menu item is Prompt For Development and/or Incomplete Code/Drivers. Go ahead and select y for this option.

In the Networking Options menu, you will need to enable IP: Netfilter Configuration. In the 2.4.x kernel series, ipchains and ipfwadm support run on top of the Netfilter framework.

You can use iptables, ipchains, or ipfwadm, but you can’t use them together. To be able to enable either ipchains or ipfwadm, you’ll have to disable all other options under IP: Netfilter Configuration, or enable them as modules only. You can compile module support for all three if you want, but it’s probably best to stick with one and recompile if you decide to migrate to iptables.

That’s really all there is to it. After you’ve compiled the kernel, you can use either module to continue support for your old setup until you’re ready to migrate to iptables.
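As an added example (not from the book), the following POSIX shell script checks a 2.4.x kernel .config against the rules just described: development code enabled, Netfilter enabled, and iptables not built in alongside an ipchains or ipfwadm compatibility layer. The CONFIG_ symbol names are those of the 2.4 kernel’s own configuration and are assumed here rather than taken from the text; the sample configs it writes are constructed for illustration.

```shell
#!/bin/sh
# Sanity-check a 2.4.x kernel .config for the ipchains/ipfwadm migration rules.
# Symbol names follow the 2.4 kernel config (assumed; not quoted from the book).

# cfg_value FILE SYMBOL -> prints y, m or n (n also for "is not set" or absent)
cfg_value() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# check_compat_config FILE -> status 0 when the config follows the rules,
# otherwise prints each problem found and returns 1
check_compat_config() {
    cfg=$1; ok=0
    if [ "$(cfg_value "$cfg" CONFIG_EXPERIMENTAL)" != y ]; then
        echo "missing: Prompt for development and/or incomplete code/drivers"; ok=1
    fi
    if [ "$(cfg_value "$cfg" CONFIG_NETFILTER)" != y ]; then
        echo "missing: IP: Netfilter Configuration"; ok=1
    fi
    ipt=$(cfg_value "$cfg" CONFIG_IP_NF_IPTABLES)
    ipc=$(cfg_value "$cfg" CONFIG_IP_NF_COMPAT_IPCHAINS)
    ipf=$(cfg_value "$cfg" CONFIG_IP_NF_COMPAT_IPFWADM)
    if [ "$ipc$ipf" = nn ] && [ "$ipt" = n ]; then
        echo "missing: enable iptables, ipchains or ipfwadm"; ok=1
    fi
    # a compatibility layer needs iptables disabled or built as a module only
    if [ "$ipc$ipf" != nn ] && [ "$ipt" = y ]; then
        echo "conflict: iptables built in; disable it or make it a module"; ok=1
    fi
    if [ "$ipc" = y ] && [ "$ipf" = y ]; then
        echo "conflict: ipchains and ipfwadm cannot both be built in"; ok=1
    fi
    return $ok
}

# Constructed sample configs (not real kernel output) for trying the check.
write_sample_config() {   # write_sample_config FILE good|bad
    if [ "$2" = good ]; then
        printf '%s\n' 'CONFIG_EXPERIMENTAL=y' 'CONFIG_NETFILTER=y' \
            '# CONFIG_IP_NF_IPTABLES is not set' \
            'CONFIG_IP_NF_COMPAT_IPCHAINS=m' > "$1"
    else
        printf '%s\n' 'CONFIG_EXPERIMENTAL=y' 'CONFIG_NETFILTER=y' \
            'CONFIG_IP_NF_IPTABLES=y' 'CONFIG_IP_NF_COMPAT_IPCHAINS=y' > "$1"
    fi
}

# usage: sh check.sh /usr/src/linux/.config
if [ $# -eq 1 ]; then check_compat_config "$1"; fi
```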

Note: Development and Incomplete Code/Drivers

Don’t worry! Selecting this option will not make your kernel unstable; it simply allows you to choose features or drivers that aren’t considered “stable” yet. In many cases, you’ll find that so-called “unstable” features are quite reliable, usually more so than some commercial-release software. The bar for “stable” with most Free Software or Open Source projects is often considerably higher than for commercial software. However, you will find that “unstable” code or drivers are often not feature-complete. If you’re concerned about using these features, the best thing to do is search the kernel mailing list archives and your distribution’s mailing lists and conduct a quick search on Google. If you belong to a Linux user group, posting a query to the mailing list isn’t a bad idea either. If folks are having serious issues, they’ll be talking about them. On the other hand, they might be talking about the success they’re having. If you do encounter a bug down the road, be sure to give the developers a detailed report of the bug if it hasn’t been reported already. You might have found a special-case scenario that others haven’t encountered yet.
