Why I am able to install kernel module when the kernel config says "not set" for that modu

Time:08-26

I have a kernel (4.14.136) on a target system where netfilter multiport match support is not configured either as built-in or as a loadable module:

$ zgrep MULTIPORT /proc/config.gz
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set

Trying to use multiport with iptables does not work, as is expected:

$ iptables -A OUTPUT -o eth1 -p udp -m multiport --dports 1111,2222 -j LOG
iptables v1.8.2 (legacy): Couldn't load match `multiport':No such file or directory

On a development machine I reconfigured the kernel to have multiport support as a module, ran make modules and copied the new module file net/netfilter/xt_multiport.ko to the target machine. I did not reboot the target, so the kernel is still the "old" one without the multiport module configured.

On target, the new multiport module loads without problems or errors:

$ zgrep MULTIPORT /proc/config.gz
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
$ insmod /root/xt_multiport.ko
$ lsmod
Module                  Size  Used by
xt_multiport            4921  

I can now add the iptables rule that failed previously. The rule now sends entries to syslog when I send packets to ports 1111 or 2222, so the multiport module seems to be working.

Why is that? I assumed the kernel would give you an error if you try to load a module that is set to "not set" in the kernel config.

CodePudding user response:

Having a config as not set or set to =n does not mean that the kernel will not be able to load the module. It only means that when the kernel was configured and built, that module was not built (otherwise you'd see either =y or =m). If you get the kernel sources for the appropriate version and configure and build the module yourself, you will still be able to load it in your kernel.

In fact, this is exactly how any external module is added to an existing kernel. For example, when WireGuard was still not merged into the kernel sources, installing it required compiling and installing the wireguard kernel module too.
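
The following is an added example, not part of the original question or answer: a shell sketch that separates "was this feature built?" from "will this kernel accept a module?". The function names and the sample config are constructed for illustration; CONFIG_MODULES, CONFIG_MODULE_SIG_FORCE and /proc/sys/kernel/modules_disabled are the standard kernel settings that gate module loading.

```shell
#!/bin/sh
# Constructed sample in the format of `zcat /proc/config.gz` (not the page's target).
SAMPLE_CONFIG='CONFIG_MODULES=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set'

# config_state SYMBOL: read a kernel config on stdin and print its value
# (y, m, or a literal), or n when it is "not set" or absent.
config_state() {
    awk -v sym="CONFIG_$1" '
        index($0, sym "=") == 1 { print substr($0, length(sym) + 2); found = 1; exit }
        $0 == "# " sym " is not set" { print "n"; found = 1; exit }
        END { if (!found) print "n" }'
}

# load_policy CONFIG_TEXT [MODULES_DISABLED]: report what insmod can succeed with.
# A per-feature symbol such as NETFILTER_XT_MATCH_MULTIPORT is never consulted;
# only the module loader's own settings matter.
load_policy() {
    cfg=$1
    disabled=${2:-0}   # value of /proc/sys/kernel/modules_disabled
    if [ "$(printf '%s\n' "$cfg" | config_state MODULES)" != "y" ]; then
        echo "no-module-support"        # kernel built without a module loader
    elif [ "$disabled" = "1" ]; then
        echo "loading-disabled"         # sysctl kernel.modules_disabled=1
    elif [ "$(printf '%s\n' "$cfg" | config_state MODULE_SIG_FORCE)" = "y" ]; then
        echo "signed-only"              # unsigned or wrongly signed .ko is rejected
    else
        # "compatible" = built against matching sources (vermagic, symbols)
        echo "any-compatible-module"
    fi
}

# Run against the live system with: sh thisfile --live
if [ "${1:-}" = "--live" ]; then
    load_policy "$(zcat /proc/config.gz)" "$(cat /proc/sys/kernel/modules_disabled)"
fi
```

On a target like the one in the question, the result "any-compatible-module" is why a freshly built xt_multiport.ko loads; requiring signed modules or setting kernel.modules_disabled=1 after boot is what would actually make insmod fail.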
