On Sat, Apr 28, 2001 at 08:14:18AM +0200, Phil Karn wrote:
> If I configure policy routing on and netfilter off, I can establish my
> existing policy tables that deal with my rather complex ipip tunnel &
> NAT configuration. Everything works as it did under 2.2.19 *except*
> that policy entries calling for masquerading no longer work.

Such a policy rule is not really masquerading, just a very simple
stateless NAT. It'll probably not do what you want because it has no
protocol translation support for ftp etc.

Masquerading has always been a different subsystem, controlled by the
firewall. In 2.4 masquerading still exists as a compatibility module, but
requires netfilter connection tracking.

In 2.4 there also is a more generic new NAT subsystem that among other
things supports old masquerading.

> I tried a kernel with netfilter turned on, but I was then no longer
> able to load the ipip.o module that I use for tunneling. I get two
> unresolved symbols from insmod: nf_hooks and nf_hooks_slow. Yet both
> symbols *are* mentioned in /System.map. Weird. This persisted even
> after a 'make clean' and remake.

Looks like you didn't turn on CONFIG_NETFILTER in the main kernel.
Without it masquerading will not work though.

-Andi