Adding extension modules to iptables under kernel 2.6
Finally managed to add extension modules to iptables under kernel 2.6
[color=Red]Note: special thanks to brother 白金 for his selfless help, and to the CUers for theirs. I hunted for material everywhere, got it working, and am posting it here to share with everyone.[/color]
Because neither AS4 nor CentOS 4 installs the kernel source by default, the kernel source has to be installed first.
This article uses CentOS 4.0 with iptables 1.3.5 as the test environment.
/data is the directory holding the various source packages.
1. Install the kernel source
# rpm --import /usr/share/rhn/RPM-GPG-KEY
# up2date redhat-rpm-config rpm-build
# up2date --get-source kernel
# useradd buildcentos
# rpm -ivh /var/spool/up2date/kernel*.src.rpm
# cd /usr/src/redhat/SPECS
# rpmbuild -bp --target=i686 kernel-2.6.spec
# cp -a /usr/src/redhat/BUILD/kernel-2.6.9/linux-2.6.9 /usr/src
2. Initialize the kernel
cd /usr/src/linux-2.6.9
uname -a
vi Makefile and set EXTRAVERSION = -5.0.3.EL
so that it stays consistent with the version shown by uname -a
# make mrproper
# make menuconfig   then exit immediately (this is only to generate .config)
3. Patch the kernel and add the modules
cd /data/patch-o-matic-ng-20050801
[color=Red]KERNEL_DIR=/usr/src/linux-2.6.9 IPTABLES_DIR=/data/iptables-1.3.5 ./runme time
(Note: runme is followed by the modules you want to add; do not use base or the other commands, or iptables will fail to compile later. The modules I built are: time ipv4options psd mport ipp2p quota. Unfortunately the string module does not support kernel 2.6.)[/color]
# Here the Layer-7 module (L7-filter) patch and the protocol definition files are added:
http://sourceforge.net/project/showfiles.php?group_id=80085
cd /data
tar -xzvf l7-protocols-2006-01-22
mv l7-protocols-2006-10-18 /etc/l7-protocols
cd /usr/src/linux-2.6.9
patch -p1 < /data/netfilter-layer7-v2.6/for_older_kernels/kernel-2.6.9-2.6.10-layer7-1.2.patch
cd /data/iptables-1.3.5
patch -p1 < /data/netfilter-layer7-v2.6/iptables-layer7-2.6.patch
chmod +x extensions/.layer7-test
# Layer-7 module added
4. Select the modules you added
cd /usr/src/linux-2.6.9
make menuconfig
5. Build the netfilter modules
cd /usr/src/linux-2.6.9
make modules_prepare
make M=net/ipv4/netfilter
After the netfilter modules are built, copy the compiled modules into place:
cp -f /usr/src/linux-2.6.9/net/ipv4/netfilter/*.ko /lib/modules/2.6.9-5.0.3.EL/kernel/net/ipv4/netfilter/
chmod +x /lib/modules/2.6.9-5.0.3.EL/kernel/net/ipv4/netfilter/*.ko
depmod -a
6. Build iptables
vi /usr/src/linux-2.6.9/include/linux/config.h and comment out the following three lines:
//#ifndef __KERNEL__
//#error including kernel header in userspace; use the glibc headers instead!
//#endif
cd /data/iptables-1.3.5
export KERNEL_DIR=/usr/src/linux-2.6.9 IPTABLES_DIR=/data/iptables-1.3.5
make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man install
Test it once the installation is done:
# iptables -V
# modprobe ipt_time
# modprobe ipt_ipp2p
# lsmod
OK, success.
References: http://www.redhat.com.cn/kbase/5109.php
http://bbs.chinaunix.net/viewthread.php?tid=592094
http://sourceforge.net/project/showfiles.php?group_id=80085
http://www.debianfordummies.org/wiki/index.php/Firewall_com_Layer7
http://bbs.chinaunix.net/viewthread.php?tid=505370&extra=page%3D1
http://fanqiang.chinaunix.net/program/other/2005-10-20/3738.shtml
BTW: 白金's domain0.02 works without problems as long as the kernel you run matches its source and iptables matches its source. http://bbs.chinaunix.net/viewthread.php?tid=791863&extra=page%3D1
[ This post was last edited by lovegqin on 2006-11-11 22:51 ]
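A sanity check to run between steps 2 and 5, added here as an example and not part of lovegqin's post: it derives the release string that a kernel source tree's Makefile will produce (VERSION.PATCHLEVEL.SUBLEVEL followed by EXTRAVERSION) and compares it with the kernel that is actually running, which is the consistency the post insists on before .ko files are copied into /lib/modules/<release>/. The script and its function names are hypothetical; the release string 2.6.9-5.0.3.EL is the one from the post.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the thread): check that a kernel
# source tree will build modules for the kernel that is actually running, before
# copying .ko files into /lib/modules/<release>/ and running depmod.

# Read one "NAME = value" variable from a kernel Makefile, trimming whitespace
# (handles both "EXTRAVERSION = -5.0.3.EL" and "EXTRAVERSION =-5.0.3.EL").
makefile_var() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print the release string the tree will produce, e.g. 2.6.9-5.0.3.EL,
# which must equal the output of uname -r on the target machine.
release_from_makefile() {
    mk="$1"
    printf '%s.%s.%s%s\n' \
        "$(makefile_var "$mk" VERSION)" \
        "$(makefile_var "$mk" PATCHLEVEL)" \
        "$(makefile_var "$mk" SUBLEVEL)" \
        "$(makefile_var "$mk" EXTRAVERSION)"
}

# Directory the compiled netfilter modules belong in for a given release.
module_dest_dir() {
    printf '/lib/modules/%s/kernel/net/ipv4/netfilter\n' "$1"
}

# Compare the tree's release with the running kernel's release (second argument,
# defaulting to uname -r). Returns 0 on a match, 1 on a mismatch, so it can gate
# the copy step in a script.
check_release_match() {
    src_dir="$1"
    running="${2:-$(uname -r)}"
    built=$(release_from_makefile "$src_dir/Makefile")
    if [ "$built" = "$running" ]; then
        echo "OK: $src_dir builds $built, matching the running kernel"
        echo "modules go to $(module_dest_dir "$built")"
        return 0
    fi
    echo "MISMATCH: $src_dir builds '$built' but the running kernel is '$running'" >&2
    echo "set EXTRAVERSION in $src_dir/Makefile to match uname -r before make modules_prepare" >&2
    return 1
}

# Stand-alone usage: sh check_kernel_src.sh /usr/src/linux-2.6.9
if [ -n "${1:-}" ]; then
    check_release_match "$1"
fi
```

Run it against the source tree right after editing the Makefile in step 2; a MISMATCH here is the cheapest point to catch the version-skew that otherwise surfaces later as modules that load into the wrong /lib/modules directory or refuse to load at all.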
LnBSD replied at 2006-11-09 08:34:12
+1, heh
lihn replied at 2006-11-09 12:29:31
After running make M=net/ipv4/netfilter I get an error:
CC [M] net/ipv4/netfilter/ipt_connlimit.o
net/ipv4/netfilter/ipt_connlimit.c: In function `count_them':
net/ipv4/netfilter/ipt_connlimit.c:68: error: structure has no member named `proto'
net/ipv4/netfilter/ipt_connlimit.c:94: error: structure has no member named `infos'
net/ipv4/netfilter/ipt_connlimit.c:101: error: structure has no member named `infos'
make[1]: *** [net/ipv4/netfilter/ipt_connlimit.o] Error 1
make: *** [_module_net/ipv4/netfilter] Error 2
There were no errors before that.
My system is CentOS 4, uname -a: 2.6.9-42.EL
lovegqin replied at 2006-11-09 12:48:32
It should be a patch problem.
I hear 2.6 no longer needs the patch.
Try it without the patch.
sunkez replied at 2006-11-09 13:00:10
Bookmarked!! Thanks for sharing, OP!
lihn replied at 2006-11-09 13:14:52
What do you mean? I didn't patch L7. I just ran runme with ipp2p, time, connlimit.
lovegqin replied at 2006-11-09 13:26:09
patch-o-matic-ng-*
may not match your kernel; try a different one.
lihn replied at 2006-11-09 14:56:14
I just reinstalled CentOS, also 4.0, uname -a: 2.6.9-5.0.3.EL
iptables: iptables-1.3.5
patch-o-matic-ng: patch-o-matic-ng-20050801
Still the same error:
CC [M] net/ipv4/netfilter/ipt_connlimit.o
net/ipv4/netfilter/ipt_connlimit.c: In function `count_them':
net/ipv4/netfilter/ipt_connlimit.c:68: error: structure has no member named `proto'
net/ipv4/netfilter/ipt_connlimit.c:94: error: structure has no member named `infos'
net/ipv4/netfilter/ipt_connlimit.c:101: error: structure has no member named `infos'
make[1]: *** [net/ipv4/netfilter/ipt_connlimit.o] Error 1
make: *** [_module_net/ipv4/netfilter] Error 2
lovegqin replied at 2006-11-09 15:05:29
Are the kernel you're running and the kernel source,
and iptables and its source,
actually consistent?
epboy replied at 2006-11-10 02:57:04
Quote: originally posted by lihn on 2006-11-9 12:29
After running make M=net/ipv4/netfilter I get an error:
CC [M] net/ipv4/netfilter/ipt_connlimit.o
net/ipv4/netfilter/ipt_connlimit.c: In function `count_them':
net/ipv4/netfilter/ipt_connlimit.c:68: error: stru ...
The 2.6 version of connlimit targets kernels 2.6.11 and later, so compiling it directly fails...
I remember this forum had a thread on this before; search for it yourself... or use the one below
http://www.sharesky.cn/blog/linuxunix/
meyan replied at 2006-11-10 10:52:21
A question for the OP... will this work on CentOS 3.4? Which kernel version do I need?
It looks like the OP didn't run make menuconfig to build the newly added time ipv4options psd mport ipp2p quota as modules.
OP, please leave your QQ number.
webyuhang replied at 2006-11-10 10:55:33
Heh, the OP has finally become a master (成精)
lovegqin replied at 2006-11-10 11:46:14
CentOS 3.4 runs a 2.4 kernel, so for that you can just follow 白金's method.
Quote: originally posted by webyuhang on 2006-11-10 10:55
Heh, the OP has finally become a master (成精)
Not much chance of this post being marked as featured (精华)!!! :em12::em12::em12:
[ This post was last edited by lovegqin on 2006-11-17 12:53 ]
llzqq replied at 2006-11-10 12:13:32
Marking it featured as encouragement
meyan replied at 2006-11-10 12:17:55
Has anyone managed to add the l7 module on CentOS 3.4 without rebuilding the kernel?
If so, post your notes... ha
duanjigang replied at 2006-11-15 09:22:58
+1. I couldn't get it working on RH9; in the next few days I plan to try 白金's method again on AS4.
colddawn replied at 2006-11-15 09:44:21
Basically the same steps as mine. The one habit I don't share is using rpmbuild -bp to unpack and patch and then treating the directory it leaves behind as the source tree, because after a while you no longer know whether you have modified anything in it or whether it is still the original source tree. I prefer to turn the source code into a separate kernel-sourcecode.2.6.XXXX-XXXX.rpm package, which is convenient to use and makes building other features later easier.
Also, after applying the patches you can simply run make oldconfig, which is more convenient: it prompts you to choose whether to enable each new feature.
landyh replied at 2006-11-15 10:13:05
Quote: originally posted by lovegqin on 2006-11-9 08:25
Adding extension modules to iptables under kernel 2.6
Unfortunately the string module does not support kernel 2.6 ...
Have you actually tested that?
Quote:
[root@NAT etc]# uname -r
2.6.17.13
[root
lovegqin replied at 2006-11-15 11:21:28
It seems to be supported from 2.6.14 on.
2.6.9 definitely doesn't work.
meyan replied at 2006-11-15 14:15:04
Mod, I installed it successfully on CentOS 4.4 with the 2.6.9 kernel,
but testing gives errors:
[root@centlynn ~]# iptables -t mangle -I POSTROUTING -m layer7 --l7proto skypeout -j DROP
Warning: layer7 regexp contains a control character, $, in hex (\x24).
I recommend that you write this as $ or \$, depending on what you meant.
Warning: layer7 regexp contains a control character, $, in hex (\x24).
I recommend that you write this as $ or \$, depending on what you meant.
Warning: layer7 regexp contains a control character, $, in hex (\x24).
I recommend that you write this as $ or \$, depending on what you meant.
Warning: layer7 regexp contains a control character, ^, in hex (\x5e).
I recommend that you write this as ^ or \^, depending on what you meant.
Warning: layer7 regexp contains a control character, ^, in hex (\x5e).
I recommend that you write this as ^ or \^, depending on what you meant.
Warning: layer7 regexp contains a control character, ^, in hex (\x5e).
I recommend that you write this as ^ or \^, depending on what you meant.
[root@centlynn ~]#
meyan replied at 2006-11-15 14:26:50
I got two errors when installing the modules; I suspect the cause of the above lies here:
make modules_prepare
make M=net/ipv4/netfilter
CC [M] net/ipv4/netfilter/ipt_pkttype.o
CC [M] net/ipv4/netfilter/ipt_multiport.o
CC [M] net/ipv4/netfilter/ipt_owner.o
CC [M] net/ipv4/netfilter/ipt_tos.o
CC [M] net/ipv4/netfilter/ipt_psd.o
net/ipv4/netfilter/ipt_psd.c: In function `ipt_psd_match':
net/ipv4/netfilter/ipt_psd.c:177: warning: comparison of distinct pointer types lacks a cast
net/ipv4/netfilter/ipt_psd.c:177: warning: comparison of distinct pointer types lacks a cast
CC [M] net/ipv4/netfilter/ipt_ipv4options.o
CC [M] net/ipv4/netfilter/ipt_time.o
CC [M] net/ipv4/netfilter/ipt_recent.o
CC [M] net/ipv4/netfilter/ipt_ecn.o
CC [M] net/ipv4/netfilter/ipt_dscp.o
CC [M] net/ipv4/netfilter/ipt_ah.o
CC [M] net/ipv4/netfilter/ipt_esp.o
CC [M] net/ipv4/netfilter/ipt_length.o
CC [M] net/ipv4/netfilter/ipt_ttl.o
CC [M] net/ipv4/netfilter/ipt_state.o
CC [M] net/ipv4/netfilter/ipt_conntrack.o
CC [M] net/ipv4/netfilter/ipt_tcpmss.o
CC [M] net/ipv4/netfilter/ipt_realm.o
CC [M] net/ipv4/netfilter/ipt_addrtype.o
CC [M] net/ipv4/netfilter/ipt_physdev.o
CC [M] net/ipv4/netfilter/ipt_comment.o
CC [M] net/ipv4/netfilter/ipt_layer7.o
net/ipv4/netfilter/ipt_layer7.c:457: warning: initialization from incompatible pointer type
CC [M] net/ipv4/netfilter/ipt_REJECT.o
CC [M] net/ipv4/netfilter/ipt_TOS.o
CC [M] net/ipv4/netfilter/ipt_ECN.o
CC [M] net/ipv4/netfilter/ipt_DSCP.o
CC [M] net/ipv4/netfilter/ipt_MARK.o
CC [M] net/ipv4/netfilter/ipt_MASQUERADE.o
CC [M] net/ipv4/netfilter/ipt_REDIRECT.o
meyan replied at 2006-11-15 14:32:16
[root@centlynn ~]# iptables -A FORWARD -m layer --l7proto qq -j DROP
iptables v1.3.5: Couldn't load match `layer':/lib/iptables/libipt_layer.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[root@centlynn ~]#
allans replied at 2006-11-16 07:58:32
Using l7 on the 2.6.9 kernel seems to cause a memory overflow that eventually crashes the system. I tried it on RH AS1 and it did overflow; I don't know how the current l7 version behaves.
lovegqin replied at 2006-11-16 08:10:06
net/ipv4/netfilter/ipt_layer7.c:457: warning: initialization from incompatible pointer type
That is clearly a problem with your L7 patch.
tramp6 replied at 2006-11-16 19:25:57
Learning~~ bookmarked~~
murong replied at 2006-11-17 08:23:57
http://bbs.chinaunix.net/viewthread.php?tid=699015&highlight=murong
alonefly replied at 2006-11-18 15:59:43
Learning + bookmarked
alonefly replied at 2006-11-20 13:54:54
+1
yszll replied at 2006-11-20 15:44:12
Bump. On CentOS I always upgrade the kernel first and then add the modules.
zhy0414 replied at 2006-11-21 22:26:45
Not bad. I've been at this for a long time without success: it works on 2.4 but not yet on 2.6. I'll try your way tomorrow.
剑次狼 replied at 2006-11-23 11:05:08
After upgrading according to lovegqin's post <Finally managed to add extension modules to iptables under kernel 2.6>, ipp2p doesn't work, but l7 patched in fine and works normally. The nat table, however, can't be used. Is that because the kernel version is too low, or...?
root@thizwall:/home# iptables -t nat -F
iptables v1.3.6: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
root@thizwall:/home# uname -a
Linux thizwall 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux
cat /var/log/messages
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_nat_seq_adjust
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: disagrees about version of symbol ip_nat_setup_info
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_nat_setup_info
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: disagrees about version of symbol ip_conntrack_untracked
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_conntrack_untracked
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: disagrees about version of symbol ip_nat_packet
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_nat_packet
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: disagrees about version of symbol ip_nat_icmp_reply_translation
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_nat_icmp_reply_translation
Nov 20 14:59:55 thizwall kernel: [42983166.510000] iptable_nat: disagrees about version of symbol ip_nat_seq_adjust
Nov 20 14:59:55 thizwall kernel: [42983166.510000] iptable_nat: Unknown symbol ip_nat_seq_adjust
Nov 20 14:59:55 thizwall kernel: [42983166.510000] iptable_nat: disagrees about version of symbol ip_nat_setup_info
Nov 20 14:59:55 thizwall kernel: [42983166.510000] iptable_nat: Unknown symbol ip_nat_setup_info
Nov 20 14:59:55 thizwall kernel: [42983166.510000] iptable_nat: disagrees about version of symbol ip_conntrack_untracked
Nov 20 14:59:55 thizwall kernel: [42983166.510000] iptable_nat: Unknown symbol ip_conntrack_untracked
Nov 20 14:59:55 thizwall kernel: [42983166.520000] iptable_nat: disagrees about version of symbol ip_nat_packet
Nov 20 14:59:55 thizwall kernel: [42983166.520000] iptable_nat: Unknown symbol ip_nat_packet
Nov 20 14:59:55 thizwall kernel: [42983166.520000] iptable_nat: disagrees about version of symbol ip_nat_icmp_reply_translation
Nov 20 14:59:55 thizwall kernel: [42983166.520000] iptable_nat: Unknown symbol ip_nat_icmp_reply_translation
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: disagrees about version of symbol ip_nat_seq_adjust
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: Unknown symbol ip_nat_seq_adjust
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: disagrees about version of symbol ip_nat_setup_info
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: Unknown symbol ip_nat_setup_info
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: disagrees about version of symbol ip_conntrack_untracked
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: Unknown symbol ip_conntrack_untracked
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: disagrees about version of symbol ip_nat_packet
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: Unknown symbol ip_nat_packet
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: disagrees about version of symbol ip_nat_icmp_reply_translation
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: Unknown symbol ip_nat_icmp_reply_translation
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: disagrees about version of symbol ip_nat_seq_adjust
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: Unknown symbol ip_nat_seq_adjust
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: disagrees about version of symbol ip_nat_setup_info
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: Unknown symbol ip_nat_setup_info
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: disagrees about version of symbol ip_conntrack_untracked
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: Unknown symbol ip_conntrack_untracked
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: disagrees about version of symbol ip_nat_packet
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: Unknown symbol ip_nat_packet
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: disagrees about version of symbol ip_nat_icmp_reply_translation
Nov 20 15:00:10 thizwall kernel: [42983181.470000] iptable_nat: Unknown symbol ip_nat_icmp_reply_translation
Could everyone please help me figure out the cause? It's urgent~ thanks in advance~
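A detection snippet for the situation in the post above, added here as an example (it is not code from the thread): modprobe leaves "disagrees about version of symbol" and "Unknown symbol" lines in the kernel log whenever a module was built against a different kernel than the one it is loaded into, which is what the iptable_nat messages show. The script pulls the affected modules and symbols out of a saved /var/log/messages or dmesg dump, so it runs offline; the function names are hypothetical and the embedded sample log is constructed from lines quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): find modules that failed to load because
# they were built against a different kernel than the one running, using the
# two messages modprobe leaves in the kernel log. Pure text processing, so it
# works on a saved copy of /var/log/messages or on dmesg output.

# Print "module symbol" for every "disagrees about version of symbol" line,
# each distinct pair once.
symbol_mismatches() {
    sed -n 's/.*[[:space:]]\([A-Za-z0-9_]*\): disagrees about version of symbol \([A-Za-z0-9_]*\).*/\1 \2/p' "$1" | sort -u
}

# Print "module symbol" for every "Unknown symbol" line, each distinct pair once.
unknown_symbols() {
    sed -n 's/.*[[:space:]]\([A-Za-z0-9_]*\): Unknown symbol \([A-Za-z0-9_]*\).*/\1 \2/p' "$1" | sort -u
}

# Distinct "module symbol" pairs from both message types.
all_symbol_problems() {
    { symbol_mismatches "$1"; unknown_symbols "$1"; } | sort -u
}

# Report each affected module with the number of symbols involved. Returns 1
# when anything was found, so a deployment script can stop before enabling
# rules that depend on the module (here: the nat table).
report_module_mismatches() {
    log="$1"
    mods=$(all_symbol_problems "$log" | awk '{print $1}' | sort -u)
    if [ -z "$mods" ]; then
        echo "no symbol-version problems found in $log"
        return 0
    fi
    for m in $mods; do
        n=$(all_symbol_problems "$log" | awk -v m="$m" '$1 == m {print $2}' | sort -u | awk 'END {print NR}')
        echo "$m: $n symbol(s) disagree with the running kernel; rebuild it against the source tree whose release equals uname -r, then run depmod -a"
    done
    return 1
}

# Constructed sample log, modelled on the iptable_nat lines quoted in the post,
# plus one unrelated line that must not be reported.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_nat_seq_adjust
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: disagrees about version of symbol ip_nat_setup_info
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_nat_setup_info
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: disagrees about version of symbol ip_conntrack_untracked
Nov 20 14:59:55 thizwall kernel: [42983166.480000] iptable_nat: Unknown symbol ip_conntrack_untracked
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: disagrees about version of symbol ip_nat_seq_adjust
Nov 20 15:00:10 thizwall kernel: [42983181.460000] iptable_nat: Unknown symbol ip_nat_seq_adjust
Nov 20 15:00:12 thizwall kernel: [42983183.000000] ip_tables: (C) 2000-2006 Netfilter Core Team
EOF
}

# Stand-alone usage: sh check_modload.sh /var/log/messages
# (with no argument, runs against the constructed sample)
if [ -n "${1:-}" ]; then
    report_module_mismatches "$1"
else
    sample=$(mktemp)
    write_sample_log "$sample"
    report_module_mismatches "$sample" || true
    rm -f "$sample"
fi
```

On the sample it reports iptable_nat with three disagreeing symbols and exits non-zero; a clean log yields exit 0. The message pair is the kernel's own signal that the module's exported-symbol CRCs do not match the running kernel, so the fix is always to rebuild against matching source rather than to force-load.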
lovegqin replied at 2006-11-23 13:14:19
Probably a version problem.
When I have time I'll take a look at the 1.3.6 Makefile.
shengchao.huang replied at 2006-11-23 13:36:02
Still learning; presumably some module wasn't compiled in..
mack2050 replied at 2007-02-03 11:39:35
Using this method I upgraded iptables to 1.3.7 and added the IPP2P module, but adding the TIME module gives an error. Any idea why?
study123 replied at 2008-08-28 14:32:58
My OS and the packages I used are as follows: Red Hat Enterprise Linux 4, kernel: 2.6.9-42.EL
kernel-2.6.9-42.EL.src.rpm
patch-o-matic-ng-20060706.tar.bz2
iptables-1.4.0-20080824.tar.bz2
netfilter-layer7-v2.1.tar.gz
Following the steps, everything went fine with no errors until building and installing iptables, which failed:
Unable to resolve dependency on linux/dccp.h, Try 'make clean'
make:***[linux/dccp.h] ...
Could some expert please help me see what's going on? How do I fix it?