If you look at the code, you will discover that a certain core layer of
netfilter and iptables is used all the time, regardless of whether you choose
to use iptables, ipchains or ipfwadm backwards compatibility.
The backwards compatibility (either ipfwadm or ipchains) modules are built
on top of this core. The frontend (setsockopt/getsockopt to userspace
config tool) looks the same, the backend is totally different.
This is the reason why - of course - the old ip_masq_XXX helpers don't
work anymore. They are written for a kludgy old backend which isn't present
anymore.
There is no particular reason why the current ipchains / ipfwadm emulation
modules don't use the new ip_conntrack_XXX / ip_nat_XXX stuff, just nobody
got around to implementing it. (There are comments at the respective position
inside the code.)
If you or somebody else wants to volunteer to write this, we'll appreciate
any patches.
BTW: it's probably a good idea to move this discussion to
netfilter@lists.samba.org
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org