I have a kernel (4.14.136) on the target system where netfilter multiport match support is not configured either as a builtin or as a loadable module.
$ zgrep MULTIPORT /proc/config.gz
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
Trying to use multiport with iptables does not work, as is expected:
$ iptables -A OUTPUT -o eth1 -p udp -m multiport --dports 1111,2222 -j LOG
iptables v1.8.2 (legacy): Couldn't load match `multiport':No such file or directory
On the development machine I reconfigured the kernel to have multiport support as a module, ran make modules and copied the new module file net/netfilter/xt_multiport.ko to the target. I did not reboot the target, so the kernel is still the "old" one without the multiport module configured.
On target, the new multiport module loads without problems or errors:
$ zgrep MULTIPORT /proc/config.gz
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
$ insmod /root/xt_multiport.ko
$ lsmod
Module Size Used by
xt_multiport 4921
I can now add the iptables rule that failed previously. The rule now sends entries to syslog when I send packets to ports 1111 or 2222, so the multiport module seems to be working.
Why is that? I assumed the kernel would give you an error if you try to load a module that is set to "not set" in the kernel config?
CodePudding user response:
Having a config as not set or set to =n does not mean that the kernel will not be able to load the module. It only means that when the kernel was configured and built, that module was not built (otherwise you'd see either =y or =m). If you get the kernel sources for the appropriate version and configure and build the module yourself, you will still be able to load it in your kernel.
In fact, this is exactly how any external module is added to an existing kernel. For example, when Wireguard was still not merged in kernel sources, installing it required compiling and installing the wireguard kernel module too.
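As an added example (not code from the question or the answer above): a POSIX shell snippet that reads the state of a config symbol from text in /proc/config.gz format and compares a module's vermagic with the running kernel release, which is the check the module loader actually performs; the config excerpt, vermagic string and kernel release used here are constructed, and on a real box they would come from zcat /proc/config.gz, modinfo -F vermagic and uname -r.

```shell
#!/bin/sh
# config_state SYMBOL CONFIG_TEXT -> y, m, n ("# SYMBOL is not set") or absent
config_state() {
    sym=$1; text=$2
    if printf '%s\n' "$text" | grep -qx -- "$sym=y"; then echo y
    elif printf '%s\n' "$text" | grep -qx -- "$sym=m"; then echo m
    elif printf '%s\n' "$text" | grep -qx -- "# $sym is not set"; then echo n
    else echo absent
    fi
}

# vermagic_matches VERMAGIC RELEASE -> exit 0 when the module was built for RELEASE.
# vermagic looks like "4.14.136 SMP mod_unload modversions"; its first word is the
# kernel release the .ko was built against, which is what insmod compares.
vermagic_matches() {
    [ "${1%% *}" = "$2" ]
}

# report_module SYMBOL CONFIG_TEXT VERMAGIC RELEASE -> one line explaining what the
# config state does and does not imply for loading a .ko on this kernel.
report_module() {
    case $(config_state "$1" "$2") in
        y) echo "$1: built into the kernel, no module needed" ;;
        m) echo "$1: built as an in-tree module, load it with modprobe" ;;
        *) if vermagic_matches "$3" "$4"; then
               echo "$1: not built with this kernel, but an out-of-tree .ko built for $4 will insmod"
           else
               echo "$1: not built, and vermagic '${3%% *}' does not match $4, so insmod is refused"
           fi ;;
    esac
}

# Constructed sample input (same symbol as the question); replace with real data on a target.
RELEASE=4.14.136
CONFIG_TEXT='# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER=y'
VERMAGIC='4.14.136 SMP mod_unload modversions '

report_module CONFIG_NETFILTER_XT_MATCH_MULTIPORT "$CONFIG_TEXT" "$VERMAGIC" "$RELEASE"
report_module CONFIG_NETFILTER_XT_MATCH_TCPMSS "$CONFIG_TEXT" "$VERMAGIC" "$RELEASE"
```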