On Monday 07 January 2008, Etaoin Shrdlu wrote:
> On Monday 7 January 2008, reader@newsguy.com wrote:
> > Should I have compiled them directly into the kernel?
>
> Well, this is usually a matter of debate. For iptables stuff, I
> generally compile everything into the kernel, but I'm sure there are
> people who can find good reasons for using modules. So, it's ultimately
> up to you.
>
> If you want iptables to be active and working all the time, then I think
> you can compile its stuff into the kernel. It would be nice if someone
> who uses modules also showed his reasons for keeping it as modules, so
> you could get a better picture and make a more informed decision.

# ls -la /proc/net/ip_conntrack
-r--r----- 1 root root 0 Jan 8 08:34 /proc/net/ip_conntrack
# cat /proc/net/ip_conntrack
#

# ls -la /proc/net/nf_conntrack
-r--r----- 1 root root 0 Jan 8 08:40 /proc/net/nf_conntrack
# cat /proc/net/nf_conntrack
#

I'm currently on the train with no internet connection. Both of the above
files are empty. On the other hand when online they show my current
connections. The above has been compiled into my kernel.

I used to compile iptables stuff as modules, but only a few of them these
days. The reason was that I did not know which I was going to use and
therefore I could modprobe them later on as and when required. The other
reason (that I never actually put into practice) was to patch the kernel
with the latest & greatest iptable modules updates and modprobe
accordingly.

If you know what you need in terms of iptables kernel options go with the
built-in-kernel choice; if not, built-as-modules could be better - unless
you prefer a fat kernel for no reason.

--
Regards,
Mick
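
An added example, not part of the original message: a shell helper that reads a kernel .config and reports which netfilter/iptables options are built in, built as modules, or unset, which is the choice discussed above. The function names and the sample config fragment are constructed for illustration.

```shell
#!/bin/sh
# Report which netfilter/iptables kernel options are built in (=y),
# built as modules (=m), or not set. Reads a kernel .config on stdin.

classify_netfilter() {
    awk '
        # Enabled options: CONFIG_FOO=y (built-in) or CONFIG_FOO=m (module).
        /^CONFIG_(NF_|IP_NF_|NETFILTER)[A-Z0-9_]*=[ym]$/ {
            split($0, kv, "=")
            kind = (kv[2] == "y") ? "builtin" : "module"
            print kind, kv[1]
            next
        }
        # Disabled options appear as "# CONFIG_FOO is not set".
        /^# CONFIG_(NF_|IP_NF_|NETFILTER)[A-Z0-9_]* is not set$/ {
            print "unset", $2
        }
    '
}

# Count options of one kind ("builtin", "module" or "unset") from stdin.
count_kind() {
    classify_netfilter | awk -v kind="$1" '$1 == kind { n++ } END { print n + 0 }'
}

# Constructed sample .config fragment (hypothetical, for demonstration only).
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_IP_NF_MANGLE is not set
CONFIG_NFS_FS=y
CONFIG_EXT3_FS=y
EOF
}

# Demo run on the sample; non-netfilter options such as NFS are ignored.
sample_config | classify_netfilter
```

On a real system, feed it the config of the running kernel instead, for example `classify_netfilter < /usr/src/linux/.config`, or `zcat /proc/config.gz | classify_netfilter` when the kernel was built with CONFIG_IKCONFIG_PROC.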