iptables module (was Re: [wplug] basic hosting)

[Robert Dale]

On Sun, 15 Dec 2002, Henry Umansky wrote:

> Does anyone know if there is a speed difference of making kernel modules 
> built-in to the kernel??  For instance, because I use iptables all the 
> time, would it be beneficial to making iptables built into the kernel 
> instead of making it a module (iptables.o)??

There's no speed difference.

Why you might want to have modules:

    In the beginning, Bob wanted to set up a firewall.  So, he
  compiled the iptables stuff in the kernel, but only the stuff
  he knew he needed.

    Later.. Bob's been using iptables for awhile.  Now he wants to try
  some advanced features - packet mangling for example.  He tries
  a packet mangling rule in iptables but it fails, complaining it isn't
  supported.

    Bob scratches his head and remembers he didn't select the packet
  mangling stuff in the kernel config because he didn't know what it
  was at the time and figured he didn't need it.

    So, Bob selects the packet mangling option and saves his config.
  But, now he has to recompile the kernel, wait, wait, ..., configure
  the bootloader, and reboot.

    What Bob didn't know was that he could have saved a long compile time
  and didn't have to reboot if he would have used modules.  Bob would
  have had to compile only the new module and install it.  No reboot.
  He would have been able to play with iptables packet mangling only
  seconds later!

Modules are your friend.

When you don't want to use modules:

OK, I won't write a story this time.  Simple, anything that's required
at boot time should be compiled into the kernel statically.  For instance,
if your / partition is on a SCSI drive, you'll need the relevant scsi drivers
compiled into the kernel.

Notice I said "should".  You could get away with making the scsi drivers as
modules if you're familiar with initrd.  But that's a whole other topic ;)

-- 
Robert Dale