OpenWrt Forum Archive

Topic: Including iptables-mod-nat in binary?

The content of this topic has been archived on 18 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm having quite a battle here.

I need to include the *SNAT and *DNAT .so files in /usr/lib/iptables, and can't figure out quite how to get things configured.

I notice some anomalies that I'm sure explain the problem I'm having, but I don't know how to interpret them.

In .config, on a pristine checkout, after running make menuconfig and immediately saving it we see:
. .
CONFIG_PACKAGE_iptables=y
CONFIG_PACKAGE_iptables-mod-conntrack=y
CONFIG_PACKAGE_iptables-mod-extra=y
CONFIG_PACKAGE_iptables-mod-filter=y
CONFIG_PACKAGE_iptables-mod-imq=y
CONFIG_PACKAGE_iptables-mod-ipopt=y
. . .

I'm pretty sure this is why I can't do anything with those packages when I do a "make menuconfig" again:

  │ │ <M> kmod-ebtables................................. Bridge firewallin │ │
  │ │ <M> kmod-ip6tables.............................................. IPv │ │
  │ │ --- kmod-ipt-conntrack....................... Modules for connection │ │
  │ │ --- kmod-ipt-extra............................................. Extr │ │
  │ │ --- kmod-ipt-filter.................... Modules for packet content i │ │
  │ │ --- kmod-ipt-imq............................... Intermediate Queuein │ │
  │ │ --- kmod-ipt-ipopt........... Modules for matching/changing IP packe │ │
  │ │ <M> kmod-ipt-iprange........................... Module for matching  │ │
  │ │ <M> kmod-ipt-ipsec........................ Modules for matching IPSe │ │

Note that they're "lined out" and can't be modified.

So what I want is:

CONFIG_PACKAGE_iptables-mod-nat=y

in .config, which I assume will cause similar behavior in the make menuconfig program, and result in the proper modules being put into the .bin file.

But nothing I do with Kernel Modules -> Netfilter Extensions -> kmod-ipt-nat
has any effect on the CONFIG_PACKAGE line in .config.

So I'm wondering how one *DOES* change it; you can't manually change it in .config, because it gets changed right back again when make menuconfig is run.

For that matter the iptables-mod-nat .ipk file doesn't get built, either, no matter what happens to the options in the menuconfig screen.

I would think this is a bug, but I'm betting there's something I need to know, but do not. . .

There are two places where iptables is configured. The first is in the kernel drivers and the second is the iptables application. The iptables application can be configured in Base System->iptables (CONFIG_PACKAGE_iptables). You will notice that iptables is configured by default to * and depends on several kernel drivers, which is why you see some of the drivers with the --- indicator. To determine dependencies, go to an item with --- displayed and press the ? key. You will see what module(s) selected the item as a dependency.

iptables is broken right now (or at least for port forwarding and qos). Here is a ticket with a discussion that I am assuming is relevant to your situation. Currently the DNAT, SNAT and layer7 shared libraries are being compiled but not packaged ... or at least that is what I make of it after a cursory look.

osmosis wrote:

To determine dependencies, go to an item with --- displayed and press the ? key. You will see what module(s) selected the item as a dependency.

So when I go to any of the "--" iptables modules and ask for information thus, I find:

Selected by: PACKAGE_iptables-mod-conntrack && PACKAGE_iptables

A question remains: How did "PACKAGE_iptables-mod-conntrack" get selected in the configuration process?

If I could find where that happens, the build will still be broken, but I'll have much more clue about what's going on inside :-)

Look at Base system -> iptables and ?

Selects: PACKAGE_kmod-ipt-conntrack
Selected by: PACKAGE_qos-scripts && PACKAGE_iptables

It is selected by: <*> iptables............................... IPv4 firewall administration tool  --->
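The "Selected by:" answer above can also be worked out outside menuconfig by reading the Kconfig `select` lines directly. The script below is an added example, not code from the thread or from OpenWrt; it works on a small constructed Kconfig sample modelled on the entries discussed here (in a real tree you would point it at the generated package Kconfig under the build directory's tmp/, which is an assumption about the layout).

```shell
#!/bin/sh
# Added example: trace which Kconfig entries 'select' a symbol, the same
# information menuconfig shows as "Selected by:" when you press ? on an item.
# The Kconfig text below is constructed for this example.

# selected_by SYMBOL FILE: print each config/menuconfig entry that contains
# "select SYMBOL" (a trailing "if ..." condition on the select is ignored).
selected_by() {
    awk -v sym="$1" '
        /^[[:space:]]*(menu)?config[[:space:]]+[A-Za-z0-9_-]+[[:space:]]*$/ { cur = $2; next }
        /^[[:space:]]*select[[:space:]]+/ && $2 == sym && cur != "" { print cur }
    ' "$2"
}

# select_chain SYMBOL FILE [PREFIX]: recursively print who selects SYMBOL,
# who selects those entries, and so on, indenting each level by two spaces.
# Only positional parameters are used, so recursion does not clobber state.
select_chain() {
    [ "${#3}" -lt 32 ] || return 0          # guard against select loops
    for sel in $(selected_by "$1" "$2"); do
        printf '%s%s\n' "$3" "$sel"
        select_chain "$sel" "$2" "$3  "
    done
}

# Constructed sample: iptables selects the conntrack kernel module and the
# matching iptables extension; qos-scripts selects iptables.
KCONF=$(mktemp)
trap 'rm -f "$KCONF"' EXIT
cat > "$KCONF" <<'EOF'
config PACKAGE_iptables
    tristate "iptables"
    select PACKAGE_kmod-ipt-conntrack
    select PACKAGE_iptables-mod-conntrack

config PACKAGE_iptables-mod-conntrack
    tristate "iptables-mod-conntrack"
    depends on PACKAGE_iptables
    select PACKAGE_kmod-ipt-conntrack

config PACKAGE_qos-scripts
    tristate "qos-scripts"
    select PACKAGE_iptables
EOF

echo "Directly selected by:"
selected_by PACKAGE_kmod-ipt-conntrack "$KCONF"
echo "Full selection chain:"
select_chain PACKAGE_kmod-ipt-conntrack "$KCONF"
```

An entry that shows up anywhere in the chain explains why the symbol is forced on and shown as `---` in menuconfig: deselect the selecting package, not the selected one.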

osmosis wrote:

Look at Base system -> iptables and ?

Selects: PACKAGE_kmod-ipt-conntrack
Selected by: PACKAGE_qos-scripts && PACKAGE_iptables

It is selected by: <*> iptables............................... IPv4 firewall administration tool  --->

Major AHA! moment there.

I hadn't ever seen the -> before by iptables; on my (I thought standard-width) screen that doesn't show up.

Which makes me wonder how many other mysteries like this a stretched-out window might solve...

The discussion might have continued from here.