Compiling iptables extensions
Everyone online says you have to download patch-o-matic and recompile the kernel; surely it is not that much trouble. From reading the iptables man page and running the iptables command, it looks as if you only need to build the corresponding .so file. The iptables extensions directory already contains things like connrate, but they are not built by default. You can do it like this:
For example, to add the connrate extension, edit the Makefile in the extensions directory and copy the corresponding file from patch-o-matic-ng into /usr/include/linux/netfilter_ipv4. Once it is built, copy the .so into /lib/iptables and you are done.
In detail: to add the connrate extension, edit the Makefile in the extensions directory and change
PF_EXT_SLIB:=ah connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
to
PF_EXT_SLIB:=ah connlimit connmark connrate conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
Then run make:
[qq@fc3 iptables-1.2.11]$ make
Making dependencies: please wait...
Something wrong... deleting dependencies.
Please try `make KERNEL_DIR=path-to-correct-kernel'.
make: *** [linux/netfilter_ipv4/ipt_connrate.h] 错误 1
I have two patch sets, patch-o-matic-ng-20040621.tar.bz2 and patch-o-matic-ng-20050314.tar.bz2. When I unpacked the former I saw references to 2.6.7 and the like, and I was afraid it would not match my 2.6.9, so I used the latter. After unpacking it, I copied the file it contains:
[root@fc3 netfilter_ipv4]# cp ipt_connrate.h /usr/include/linux/netfilter_ipv4
Ran make again, and this time it succeeded:
[qq@fc3 extensions]$ ls |grep rate
libipt_connrate.c
libipt_connrate.d
libipt_connrate.man
libipt_connrate_sh.o
libipt_connrate.so
Then su to root:
[root@fc3 extensions]# cp libipt_connrate.so /lib/iptables/
Try it out:
[root@fc3 qq]# /sbin/iptables -A INPUT -s 192.168.0.30 -m connrate --connrate 100000:150000 -j ACCEPT
iptables: No chain/target/match by that name
Why? Check the man page:
connrate
This module matches the current transfer rate in a connection.
--connrate [!] [from]:[to]
Match against the current connection transfer rate being within
’from’ and ’to’ bytes per second. When the "!" argument is used
before the range, the sense of the match is inverted.
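The steps above (enable the extension in extensions/Makefile, build, copy the .so into /lib/iptables) and the final "No chain/target/match by that name" error are worth wrapping in a small script. The script below is an added example, not code from the original post or from the iptables project. The function names (add_ext_slib, ext_slib_list, kernel_has_match, diagnose_match) are my own, and the Makefile, match list and .so file it operates on are constructed demo data created in a temporary directory. The one fact it relies on beyond the post is that the kernel's ip_tables registers its available matches, one per line, in /proc/net/ip_tables_matches: when the userspace libipt_NAME.so is installed but the name is absent from that file, the kernel side of the match is missing and iptables fails with exactly the error shown above, which is what patch-o-matic and the kernel build provide.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for enabling an
# iptables-1.2.x extension and for diagnosing why "-m NAME" fails to load.
# Function names are hypothetical; demo data at the bottom is constructed.

# add_ext_slib MAKEFILE NAME: append NAME to the PF_EXT_SLIB list in an
# iptables-1.2.x extensions/Makefile unless it is already listed.
add_ext_slib() {
    makefile="$1"; ext="$2"
    if grep -E "^PF_EXT_SLIB:=.*[= ]$ext( |\$)" "$makefile" >/dev/null 2>&1; then
        return 0   # already enabled; nothing to do
    fi
    sed "s/^\(PF_EXT_SLIB:=.*\)\$/\1 $ext/" "$makefile" > "$makefile.tmp" &&
        mv "$makefile.tmp" "$makefile"
}

# ext_slib_list MAKEFILE: print the PF_EXT_SLIB entries, one per line.
ext_slib_list() {
    sed -n 's/^PF_EXT_SLIB:=//p' "$1" | tr ' ' '\n' | grep -v '^$'
}

# kernel_has_match NAME [PROCFILE]: succeed if the kernel registers a match
# called NAME. PROCFILE defaults to the real /proc/net/ip_tables_matches;
# a different path can be passed for offline testing.
kernel_has_match() {
    match="$1"; procfile="${2:-/proc/net/ip_tables_matches}"
    [ -r "$procfile" ] && grep -qx "$match" "$procfile"
}

# diagnose_match NAME LIBDIR [PROCFILE]: print why "iptables -m NAME" would
# fail: no-userspace-lib (no libipt_NAME.so in LIBDIR, e.g. /lib/iptables),
# no-kernel-match (the .so exists but the kernel lacks the match), or ok.
diagnose_match() {
    match="$1"; libdir="$2"; procfile="$3"
    if [ ! -f "$libdir/libipt_$match.so" ]; then
        echo no-userspace-lib; return 1
    fi
    if ! kernel_has_match "$match" ${procfile:+"$procfile"}; then
        echo no-kernel-match; return 1
    fi
    echo ok
}

# --- constructed demo data: a cut-down Makefile, a kernel match list that
# --- lacks connrate, and an installed userspace .so (empty file).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'PF_EXT_SLIB:=ah connlimit state tcp udp\n' > "$demo/Makefile"
printf 'state\ntcp\nudp\n' > "$demo/ip_tables_matches"
touch "$demo/libipt_connrate.so"

add_ext_slib "$demo/Makefile" connrate
add_ext_slib "$demo/Makefile" connrate      # second call is a no-op
DEMO_LIST=$(ext_slib_list "$demo/Makefile" | paste -sd ' ')
DEMO_DIAG=$(diagnose_match connrate "$demo" "$demo/ip_tables_matches" || true)
echo "PF_EXT_SLIB now: $DEMO_LIST"
echo "connrate diagnosis: $DEMO_DIAG"
```

On a real box, run diagnose_match with the second argument set to /lib/iptables and no third argument, so that the actual /proc/net/ip_tables_matches is consulted; ip_tables must be loaded for that file to exist, which the readability check in kernel_has_match covers.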