iptables module (was Re: [wplug] basic hosting)
Robert Dale
rdale at wplug.org
Sun Dec 15 11:42:35 EST 2002

On Sun, 15 Dec 2002, Henry Umansky wrote:
> Does anyone know if there is a speed difference of making kernel modules
> built-in to the kernel?? For instance, because I use iptables all the
> time, would it be beneficial to making iptables built into the kernel
> instead of making it a module (iptables.o)??

There's no speed difference.

Why you might want to have modules:

In the beginning, Bob wanted to set up a firewall. So, he
compiled the iptables stuff in the kernel, but only the stuff
he knew he needed.

Later... Bob's been using iptables for a while. Now he wants to try
some advanced features - packet mangling for example. He tries
a packet mangling rule in iptables but it fails, complaining it isn't
supported.

Bob scratches his head and remembers he didn't select the packet
mangling stuff in the kernel config because he didn't know what it
was at the time and figured he didn't need it.

So, Bob selects the packet mangling option and saves his config.
But, now he has to recompile the kernel, wait, wait, ..., configure
the bootloader, and reboot.

What Bob didn't know was that he could have saved a long compile time
and didn't have to reboot if he would have used modules. Bob would
have had to compile only the new module and install it. No reboot.
He would have been able to play with iptables packet mangling only
seconds later!

Modules are your friend.

When you don't want to use modules:

OK, I won't write a story this time. Simple, anything that's required
at boot time should be compiled into the kernel statically. For instance,
if your / partition is on a SCSI drive, you'll need the relevant SCSI drivers
compiled into the kernel.

Notice I said "should". You could get away with making the SCSI drivers as
modules if you're familiar with initrd. But that's a whole other topic ;)

--
Robert Dale
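
An added example, not part of the message above: a small shell check that reads a kernel `.config` and reports whether a feature is built in, a module, or was never selected (Bob's packet mangling case), and which boot-critical drivers are modules and so depend on an initrd. The sample config is constructed, and the function names `sample_config`, `kconfig_state` and `needs_initrd` are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report whether kernel features
# are built in (=y), modules (=m), or not selected at all.

# Constructed sample .config matching the story: iptables built in, packet
# mangling never selected, SCSI disk support built as modules.
sample_config() {
cat <<'EOF'
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_IP_NF_MANGLE is not set
CONFIG_SCSI=m
CONFIG_BLK_DEV_SD=m
CONFIG_EXT3_FS=y
EOF
}

# kconfig_state FILE SYMBOL -> prints builtin, module or unset
kconfig_state() {
    # "# CONFIG_X is not set" lines and missing symbols both end up as unset.
    case "$(grep -E "^$2=" "$1" | tail -n 1)" in
        "$2=y") echo builtin ;;
        "$2=m") echo module ;;
        *)      echo unset ;;
    esac
}

# needs_initrd FILE SYMBOL... -> prints the boot-critical symbols built as
# modules, i.e. the ones that only work at boot if an initrd loads them.
needs_initrd() {
    file=$1; shift
    out=
    for sym in "$@"; do
        if [ "$(kconfig_state "$file" "$sym")" = module ]; then
            out="$out $sym"
        fi
    done
    echo "${out# }"
}

cfg=$(mktemp)
sample_config > "$cfg"
for s in CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_MANGLE CONFIG_SCSI; do
    printf '%-24s %s\n' "$s" "$(kconfig_state "$cfg" "$s")"
done
echo "need initrd: $(needs_initrd "$cfg" CONFIG_SCSI CONFIG_BLK_DEV_SD CONFIG_EXT3_FS)"
rm -f "$cfg"
```

On a real system, pass the `.config` from your kernel source tree instead of the constructed sample.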