[gentoo-releng] firewall support in genkernel

[gentoo-releng] firewall support in genkernel

[Michiel de Bruijne]

Hi Gals, Guys,

I was about to file a request/bug about including iptables support in 
genkernel. I noticed someone has filed this report already, but it was closed 
as a wontfix almost a year ago. The reason for this was that iptables 
shouldn't be forced on users. Personally I don't see building a few extra 
modules as forcing something on users, but that's a different debate.

I can imagine, one year later with new insights and tools, it's now possible 
to include (optional) iptables support out of the box with genkernel. If I 
file a request/bug will it be closed as a wontfix?

Regards,
Michiel.
-- 
gentoo-releng@gentoo.org mailing list

Re: [gentoo-releng] firewall support in genkernel

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 1392 bytes --]

On Sat, 2006-10-21 at 17:42 +0200, Michiel de Bruijne wrote:
> Hi Gals, Guys,
> 
> I was about to file a request/bug about including iptables support in 
> genkernel. I noticed someone has filed this report already, but it was closed 
> as a wontfix almost a year ago. The reason for this was that iptables 
> shouldn't be forced on users. Personally I don't see building a few extra 
> modules as forcing something on users, but that's a different debate.
> 
> I can imagine, one year later with new insights and tools, it's now possible 
> to include (optional) iptables support out of the box with genkernel. If I 
> file a request/bug will it be closed as a wontfix?

I've started maintaining the genkernel kernel configs pretty much
exclusively.  I see no problem with iptables support being added.  The
best would be if you attached a patch against the current configs, as it
would be easier on me, as I actually have to apply them to two places
(genkernel SVN, and releng kconfigs for 2007.0) for the next release.
The main change is that (for at least x86/amd64) we're trying to make
the default kernel, which is also used on the LiveCD, as generic as
possible and as feature filled as possible.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-releng] firewall support in genkernel

[Michiel de Bruijne]

On Sunday 22 October 2006 16:24, Chris Gianelloni wrote:
> I've started maintaining the genkernel kernel configs pretty much
> exclusively.  I see no problem with iptables support being added.  The
> best would be if you attached a patch against the current configs, as it
> would be easier on me, as I actually have to apply them to two places
> (genkernel SVN, and releng kconfigs for 2007.0) for the next release.
> The main change is that (for at least x86/amd64) we're trying to make
> the default kernel, which is also used on the LiveCD, as generic as
> possible and as feature filled as possible.

That's good to read.

Currently there are two kernel configs used for (2.4 and 2.6). 
Features/modules are added and removed with every kernel release. Or entire 
sections are moved to different parts in the kernel dependency hierarchy 
(e.g. netfilter/iptables). There is also the problem that some modules wont 
build in a specific kernel version but build/run fine in another version of 
the kernel.

I think if we want genkernel/livecd as feature filled as possible we should 
extend the default configs to a x.y.z scheme. A new kernel version is 
released about four times a year so this shouldn't be to hard to maintain. 
I'm willing to do the work (creating patches and maintaining future kernel 
configs), but do you agree and are willing to apply it?

The next thing on my annoyance list is I need to put too many items in 
modules.autoload.d that should be handled in init-scripts (e.g. acpid and 
cpufreqd), but I deal with those later.
-- 
gentoo-releng@gentoo.org mailing list

Re: [gentoo-releng] firewall support in genkernel

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 2743 bytes --]

On Sun, 2006-10-22 at 18:02 +0200, Michiel de Bruijne wrote:
> On Sunday 22 October 2006 16:24, Chris Gianelloni wrote:
> > I've started maintaining the genkernel kernel configs pretty much
> > exclusively.  I see no problem with iptables support being added.  The
> > best would be if you attached a patch against the current configs, as it
> > would be easier on me, as I actually have to apply them to two places
> > (genkernel SVN, and releng kconfigs for 2007.0) for the next release.
> > The main change is that (for at least x86/amd64) we're trying to make
> > the default kernel, which is also used on the LiveCD, as generic as
> > possible and as feature filled as possible.
> 
> That's good to read.
> 
> Currently there are two kernel configs used for (2.4 and 2.6). 
> Features/modules are added and removed with every kernel release. Or entire 
> sections are moved to different parts in the kernel dependency hierarchy 
> (e.g. netfilter/iptables). There is also the problem that some modules wont 
> build in a specific kernel version but build/run fine in another version of 
> the kernel.
> 
> I think if we want genkernel/livecd as feature filled as possible we should 
> extend the default configs to a x.y.z scheme. A new kernel version is 
> released about four times a year so this shouldn't be to hard to maintain. 
> I'm willing to do the work (creating patches and maintaining future kernel 
> configs), but do you agree and are willing to apply it?

Sure.

What would be best is if it looked for x.y.z first, then fell back to
x.y, in the case of us not being as fast with the config as the kernel
team with the kernel.  ;]

Another thing to realize is that while I will apply new configs/patches,
I'm not planning on making a genkernel release for changes as minor as a
new config.  What I would suggest is that we make the "2.4" and "2.6"
configs be equal to the latest config, with the x.y.z being preferred,
if it exists.  That way, when a new kernel comes out, it will start out
using the last good config, until it gets updated with its own x.y.z
config.

> The next thing on my annoyance list is I need to put too many items in 
> modules.autoload.d that should be handled in init-scripts (e.g. acpid and 
> cpufreqd), but I deal with those later.

Those should have bugs filed on their own.  Truthfully, that stuff
should all be loaded by the kernel automatically when the service is
run.  I don't have any ACPI/cpufreq stuff in my modules.autoload.d on
this laptop, and both work fine for me.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-releng] firewall support in genkernel

[Michiel de Bruijne]

On Monday 23 October 2006 14:17, Chris Gianelloni wrote:
> What would be best is if it looked for x.y.z first, then fell back to
> x.y, in the case of us not being as fast with the config as the kernel
> team with the kernel.  ;]
>
> Another thing to realize is that while I will apply new configs/patches,
> I'm not planning on making a genkernel release for changes as minor as a
> new config.  What I would suggest is that we make the "2.4" and "2.6"
> configs be equal to the latest config, with the x.y.z being preferred,
> if it exists.  That way, when a new kernel comes out, it will start out
> using the last good config, until it gets updated with its own x.y.z
> config.

Ok, do you want patches againt 3.4.2?
-- 
gentoo-releng@gentoo.org mailing list

Re: [gentoo-releng] firewall support in genkernel

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 1290 bytes --]

On Mon, 2006-10-23 at 16:00 +0200, Michiel de Bruijne wrote:
> On Monday 23 October 2006 14:17, Chris Gianelloni wrote:
> > What would be best is if it looked for x.y.z first, then fell back to
> > x.y, in the case of us not being as fast with the config as the kernel
> > team with the kernel.  ;]
> >
> > Another thing to realize is that while I will apply new configs/patches,
> > I'm not planning on making a genkernel release for changes as minor as a
> > new config.  What I would suggest is that we make the "2.4" and "2.6"
> > configs be equal to the latest config, with the x.y.z being preferred,
> > if it exists.  That way, when a new kernel comes out, it will start out
> > using the last good config, until it gets updated with its own x.y.z
> > config.
> 
> Ok, do you want patches againt 3.4.2?

3.4.3, actually...

I just added it this morning and it currently matches SVN, for the most
part.  You can also check
http://sources.gentoo.org/viewcvs.py/genkernel/trunk/ to see what the
current SVN status is.  I did update the kernel sources today to add
lm_sensors and AGP/DRM support.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]