Date: Fri, 31 May 2002 04:38:59 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Re: kernel 2.4

On Thu, May 30, 2002 at 02:02:40PM +0200, Radoslaw Stachowiak wrote:
> After reading the list archive I found:
> >> Userland package not yet ready to support 2.4 kernel. Is there any
> >> chance to use 2.4 kernel on Owl?
> 
> >Most things appear to work in practice.  Including insmod.  But I'm
> >not using 2.4 kernels in production yet, nor do I recommend doing so.
> 
> Can anyone confirm running kernel 2.4 on -current Owl?

I can.  I do so on one of my systems at home (with X and lots of other
stuff installed, but the base system is Owl-current) and on one of the
servers at work.  Also with ext3fs.  Both are x86/SMP.  (That's a very
small percentage of the Owl installs we have.)

What doesn't work yet is most importantly Owl _builds_ (buildworld)
with Linux 2.4 kernel headers.  This also means that not all of the
kernel features are available to such a userland (libraries built
against Linux 2.2 header files don't get a chance to detect Linux 2.4
specific features).

> Probably I'll do it very soon, but I'd like to know other
> opinions/suggestions. Maybe someone can provide me a list of
> need-to-update packages for 2.4 compatibility?

Things just work.  But not rebuilds of the Owl userland with the 2.4
kernels (you may be _running_ 2.4 when doing the rebuilds, but for
everything to build you'd need to provide 2.2 kernel headers).  We
will be fixing that.

Rebuilds of 2.4 kernels themselves on Owl-current do work.

iptables you will need to build, it is simply not a part of Owl yet.
The two installs I mentioned use 2.4's ipchains compatibility.

> I have to use 2.4 due to netfilter.
> 
> After digging in the archives it was quite surprising for me that most
> 2.4-upgrade reasons were filesystem issues.
> 
> For me Owl, with its security, is a perfect match for a firewall/router which
> extremely needs flexible stateful firewalling code (netfilter) instead
> of the old and feature-lacking ipchains.

As Michael has pointed out, stateful firewalling isn't always better
than static packet filters.  In fact, I try to do as much as possible
with static filters.  And it's not just DoS issues, stateful filters
also run a higher risk of being bypassed.

-- 
/sd
