Installing L7-filter (kernel version) on CentOS
Reference: the official L7-filter Kernel Version HOWTO on the project website.
1. Check the current kernel version
# uname -a
2. From the l7-filter kernel compatibility list (http://l7-filter.sourceforge.net/kernelcompat), pick a kernel version for which "patch applies", "kernel compiles" and "actually works" are all yes, then download that kernel version (the one you will rebuild) from
kernel.org
I chose linux-2.6.28.tar.gz and extracted it to /usr/src/kernels/
3. Download iptables: iptables-1.4.12.2.tar.bz2
Download the "l7-filter kernel version" package: netfilter-layer7-v2.22.tar.gz
Download the "Protocol definitions" package: l7-protocols-2009-05-28.tar.gz
4. Patch the kernel
Extract netfilter-layer7-v2.22.tar.gz and read its README, then copy kernel-2.6.25-2.6.28-layer7-2.22.patch
into /usr/src/kernels/linux-2.6.28 (the patch name must match the kernel range you downloaded).
Apply the patch:
[root@localhost linux-2.6.28]# patch -p1 < kernel-2.6.25-2.6.28-layer7-2.22.patch
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
5. Rebuild the kernel.
1) Remove leftovers from any previous build
# make mrproper
make: gcc: Command not found
gcc is not installed yet, so install it:
# yum install gcc
2) Configure the kernel using the text-menu configuration interface
[root@localhost linux-2.6.28]# make menuconfig
  HOSTCC  scripts/basic/fixdep
  HOSTCC  scripts/basic/docproc
  HOSTCC  scripts/basic/hash
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
 *** Unable to find the ncurses libraries or the
 *** required header files.
 *** 'make menuconfig' requires the ncurses libraries.
 ***
 *** Install ncurses (ncurses-devel) and try again.
 ***
make[2]: *** [scripts/kconfig/dochecklxdialog] Error 1
make[1]: *** [menuconfig] Error 2
make: *** [sub-make] Error 2
ncurses-devel is required:
# yum install ncurses-devel
Try again:
[root@localhost linux-2.6.28]# make menuconfig
  HOSTCC  scripts/kconfig/lxdialog/checklist.o
  HOSTCC  scripts/kconfig/lxdialog/inputbox.o
  HOSTCC  scripts/kconfig/lxdialog/menubox.o
  HOSTCC  scripts/kconfig/lxdialog/textbox.o
  HOSTCC  scripts/kconfig/lxdialog/util.o
  HOSTCC  scripts/kconfig/lxdialog/yesno.o
  HOSTCC  scripts/kconfig/mconf.o
  HOSTLD  scripts/kconfig/mconf
scripts/kconfig/mconf arch/x86/Kconfig
#
# using defaults found in /boot/config-2.6.18-194.el5
#
/boot/config-2.6.18-194.el5:1424:warning: symbol value 'm' invalid for FIXED_PHY
/boot/config-2.6.18-194.el5:1731:warning: symbol value 'm' invalid for ISDN
/boot/config-2.6.18-194.el5:2865:warning: symbol value 'm' invalid for RTC_INTF_SYSFS
/boot/config-2.6.18-194.el5:2866:warning: symbol value 'm' invalid for RTC_INTF_PROC
/boot/config-2.6.18-194.el5:2867:warning: symbol value 'm' invalid for RTC_INTF_DEV
/boot/config-2.6.18-194.el5:2889:warning: symbol value 'm' invalid for DMA_ENGINE
#
# configuration written to .config
#

*** End of Linux kernel configuration.
*** Execute 'make' to build the kernel or try 'make help'.
3) Make sure the following options are selected (the HOWTO's menu paths are given first; the notes in square brackets are where they actually live in the 2.6.28 menu):
· "Prompt for development and/or incomplete code/drivers" (under "Code maturity level options") [under "General setup"; already selected as built-in]
· "Network packet filtering framework" (Networking → Networking support → Networking Options) [Networking support → Networking Options; already selected as built-in]
· "Netfilter Xtables support" (on the same screen) [found under Core Netfilter Configuration; required for ip_tables]
· "Netfilter connection tracking support" (... → Network packet filtering framework → Core Netfilter Configuration); select "Layer 3 Independent Connection tracking"
· "Connection tracking flow accounting" (on the same screen)
· And finally, "Layer 7 match support"
· Optional but highly recommended: lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.
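Before spending the build time, it is worth confirming that the .config written by menuconfig really contains what the list above asks for. The .config was seeded from the stock CentOS /boot/config-2.6.18-194.el5, which knows nothing about layer7, so the new symbol is simply absent until you enable it. The POSIX sh script below is an added example written for this page, not part of the l7-filter HOWTO or the original post. The CONFIG_* symbol names are my assumption of what the menu entries map to in the patched net/netfilter/Kconfig (CONFIG_NETFILTER_XT_MATCH_LAYER7 for "Layer 7 match support", CONFIG_NF_CT_ACCT for "Connection tracking flow accounting", and so on); confirm them against your own tree with grep before relying on the check.

```shell
#!/bin/sh
# check_l7_config.sh: verify that a kernel .config enables everything the
# layer7 match needs, before running make bzImage.
# Added example for this page. The symbol names below are an assumption
# about the patched net/netfilter/Kconfig; verify them in your own tree.

# Required as built-in (y) or module (m). Menu text from the HOWTO:
#   CONFIG_NETFILTER                 "Network packet filtering framework"
#   CONFIG_NETFILTER_XTABLES         "Netfilter Xtables support"
#   CONFIG_NF_CONNTRACK              "Netfilter connection tracking support"
#   CONFIG_NF_CT_ACCT                "Connection tracking flow accounting"
#   CONFIG_NETFILTER_XT_MATCH_LAYER7 "Layer 7 match support"
L7_REQUIRED_SYMBOLS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK CONFIG_NF_CT_ACCT CONFIG_NETFILTER_XT_MATCH_LAYER7"

# config_value FILE SYMBOL
# Prints y or m (enabled), n ("# SYMBOL is not set") or nothing at all when
# the symbol does not appear in the file, which is what you get when the
# option was never offered by Kconfig (patch not applied, dependency off).
config_value() {
    file=$1; sym=$2
    if grep -q "^# ${sym} is not set" "$file"; then
        echo n
        return 0
    fi
    # Anchor on "SYMBOL=" so CONFIG_NETFILTER does not match CONFIG_NETFILTER_XTABLES.
    sed -n "s/^${sym}=\(.*\)$/\1/p" "$file" | head -n 1
}

# check_l7_config FILE
# One line per symbol; returns 0 only if every required symbol is y or m.
check_l7_config() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for sym in $L7_REQUIRED_SYMBOLS; do
        val=$(config_value "$file" "$sym")
        case $val in
            y|m) echo "ok      $sym=$val" ;;
            n)   echo "MISSING $sym is not set"; rc=1 ;;
            *)   echo "MISSING $sym absent from $file (option not offered: patch not applied or a dependency is off)"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_l7_config.sh /usr/src/kernels/linux-2.6.28/.config
if [ $# -gt 0 ]; then
    check_l7_config "$1"
fi
```

Run it right after menuconfig. A MISSING line for the layer7 symbol that says "absent" means the option never showed up in the menu, which is what you see when the patch did not apply to this tree or Netfilter/conntrack were left off, since Kconfig only offers the layer7 entry once its dependencies are enabled.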
4) Make sure the key files are in the right place (no longer needed since 2.5.*/2.6.0, as the warning confirms)
[root@localhost linux-2.6.28]# make dep
scripts/kconfig/conf -s arch/x86/Kconfig
*** Warning: make dep is unnecessary now.
5) Remove stale object files so that everything is rebuilt fresh
[root@localhost linux-2.6.28]# make clean
6) Build the compressed kernel image. Build time depends on the hardware and on the kernel configuration. The image ends up under arch/x86/boot in the source tree (older guides say /usr/src/linux/arch/i386/boot; this assumes an x86 CPU).
[root@localhost linux-2.6.28]# make bzImage
  CHK     include/linux/version.h
  UPD     include/linux/version.h
  CHK     include/linux/utsrelease.h
  UPD     include/linux/utsrelease.h
  SYMLINK include/asm -> include/asm-x86
  HOSTCC  scripts/basic/fixdep
...(omitted)
  OBJCOPY arch/x86/boot/setup.bin
  OBJCOPY arch/x86/boot/vmlinux.bin
  HOSTCC  arch/x86/boot/tools/build
  BUILD   arch/x86/boot/bzImage
Root device is (253, 0)
Setup is 12568 bytes (padded to 12800 bytes).
System is 2041 kB
CRC 17403515
Kernel: arch/x86/boot/bzImage is ready  (#1)
7) Build the selected modules
[root@localhost linux-2.6.28]# make modules
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  SYMLINK include/asm -> include/asm-x86
  CALL    scripts/checksyscalls.sh
...(omitted)
  IHEX2FW firmware/keyspan_pda/xircom_pgs.fw
  H16TOFW firmware/vicam/firmware.fw
  IHEX    firmware/cpia2/stv0672_vp4.bin
8) Install the compiled modules into the system's standard location
[root@localhost linux-2.6.28]# make modules_prepare
  CHK     include/linux/version.h
  CHK     include/linux/utsrelease.h
  SYMLINK include/asm -> include/asm-x86
  CALL    scripts/checksyscalls.sh
[root@localhost linux-2.6.28]# make modules_install
  INSTALL arch/x86/crypto/aes-i586.ko
  INSTALL arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.ko
  INSTALL arch/x86/kernel/cpu/cpufreq/p4-clockmod.ko
  INSTALL arch/x86/kernel/cpu/cpufreq/powernow-k8.ko
  INSTALL arch/x86/kernel/cpu/cpufreq/speedstep-centrino.ko
  INSTALL arch/x86/kernel/cpuid.ko
...(omitted)
  MKDIR   /lib/firmware/cpia2
  INSTALL /lib/firmware/cpia2/stv0672_vp4.bin
  DEPMOD  2.6.28
9) Last step: install the kernel
[root@localhost linux-2.6.28]# make install
sh /usr/src/kernels/linux-2.6.28/arch/x86/boot/install.sh 2.6.28 arch/x86/boot/bzImage System.map "/boot"
After rebooting, check the kernel version with uname -a (pick the new kernel in the boot menu at startup, or change the default entry in the bootloader configuration). Keep the old 2.6.18 entry in place so you can boot back into it if the new kernel fails.
The kernel build procedure above is based on: http://blog.csdn.net/zhoujunyi/article/details/1744937
6. Install iptables
Copy libxt_layer7.c and libxt_layer7.man from netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward into iptables-1.4.12.2/extensions.
$ ./configure --with-ksource=[/path/to/patched/kernel_source, in my case /usr/src/kernels/linux-2.6.28/] (use the full path)
$ make
# make install (as root)
make fails:
libxt_layer7.c:25:39: warning: linux/netfilter/xt_layer7.h: No such file or directory
libxt_layer7.c:48: warning: ‘struct xt_layer7_info’ declared inside parameter list
libxt_layer7.c:48: warning: its scope is only this definition or declaration, which is probably not what you want
libxt_layer7.c: In function ‘parse_protocol_file’:
libxt_layer7.c:92: error: ‘MAX_PROTOCOL_LEN’ undeclared (first use in this function)
libxt_layer7.c:92: error: (Each undeclared identifier is reported only once
libxt_layer7.c:92: error: for each function it appears in.)
libxt_layer7.c:95: error: dereferencing pointer to incomplete type
libxt_layer7.c:101: error: ‘MAX_PATTERN_LEN’ undeclared (first use in this function)
libxt_layer7.c:103: error: dereferencing pointer to incomplete type
libxt_layer7.c: At top level:
libxt_layer7.c:249: warning: ‘struct xt_layer7_info’ declared inside parameter list
libxt_layer7.c: In function ‘parse_layer7_protocol’:
libxt_layer7.c:270: warning: passing argument 3 of ‘parse_protocol_file’ from incompatible pointer type
libxt_layer7.c:284: error: dereferencing pointer to incomplete type
libxt_layer7.c:284: error: dereferencing pointer to incomplete type
libxt_layer7.c:284: error: ‘MAX_PATTERN_LEN’ undeclared (first use in this function)
libxt_layer7.c: In function ‘parse’:
libxt_layer7.c:296: warning: passing argument 2 of ‘parse_layer7_protocol’ from incompatible pointer type
libxt_layer7.c:298: error: dereferencing pointer to incomplete type
libxt_layer7.c: In function ‘print’:
libxt_layer7.c:339: error: dereferencing pointer to incomplete type
libxt_layer7.c:340: error: dereferencing pointer to incomplete type
libxt_layer7.c: In function ‘save’:
libxt_layer7.c:348: error: dereferencing pointer to incomplete type
libxt_layer7.c:348: error: dereferencing pointer to incomplete type
libxt_layer7.c: At top level:
libxt_layer7.c:355: error: invalid application of ‘sizeof’ to incomplete type ‘struct xt_layer7_info’
libxt_layer7.c:355: error: invalid application of ‘sizeof’ to incomplete type ‘struct xt_layer7_info’
libxt_layer7.c:355: error: invalid application of ‘sizeof’ to incomplete type ‘struct xt_layer7_info’
libxt_layer7.c:356: error: invalid application of ‘sizeof’ to incomplete type ‘struct xt_layer7_info’
libxt_layer7.c:356: error: invalid application of ‘sizeof’ to incomplete type ‘struct xt_layer7_info’
libxt_layer7.c:356: error: invalid application of ‘sizeof’ to incomplete type ‘struct xt_layer7_info’
make[2]: *** [libxt_layer7.oo] Error 1
make[2]: Leaving directory `/home/loong/Desktop/src/iptables-1.4.12.2/extensions'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/loong/Desktop/src/iptables-1.4.12.2'
make: *** [all] Error 2
The xt_layer7.h header is missing; every later error follows from the incomplete struct. Searching the web for xt_layer7.h turned up: http://svn.dd-wrt.com/browser/src/linux/pb42/linux-2.6.34.6/include/linux/netfilter/xt_layer7.h?rev=15345
Note that the layer7 patch already added this header to the kernel tree (include/linux/netfilter/xt_layer7.h is listed in the patch output in step 4), so /usr/src/kernels/linux-2.6.28/include/linux/netfilter/xt_layer7.h is the authoritative copy. The kernel module registers sizeof(struct xt_layer7_info) as its match size and rejects any rule whose userspace struct has a different size, so whichever copy you give iptables must define the struct exactly as the kernel's does; diff the two before building.
Create xt_layer7.h directly in iptables-1.4.12.2/include/linux/netfilter/ with the following content:
#ifndef _XT_LAYER7_H
#define _XT_LAYER7_H

#define MAX_PATTERN_LEN 8192
#define MAX_PROTOCOL_LEN 256

struct xt_layer7_info {
    char protocol[MAX_PROTOCOL_LEN];
    char invert:1;
    char pattern[MAX_PATTERN_LEN];
    char pkt;
};

#endif /* _XT_LAYER7_H */
Then run make again and it builds. Switch to root and run make install.
Point /sbin/iptables at the new /usr/local/sbin/iptables, keeping the distro binaries as *.old:
[root@localhost iptables-1.4.12.2]# cd /sbin/
[root@localhost sbin]# mv iptables iptables.old
[root@localhost sbin]# mv iptables-save iptables-save.old
[root@localhost sbin]# mv iptables-restore iptables-restore.old
[root@localhost sbin]# ln -s /usr/local/sbin/iptables iptables
[root@localhost sbin]# ln -s /usr/local/sbin/iptables-save iptables-save
[root@localhost sbin]# ln -s /usr/local/sbin/iptables-restore iptables-restore
[root@localhost sbin]# iptables -V
iptables v1.4.12.2
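The symlink swap above as a re-runnable function: an added example for this page, not anything from the original post or from the iptables project. It assumes the three new binaries live in /usr/local/sbin (the default prefix of the configure/make install above) and refuses to touch /sbin if any of them is missing or an earlier backup would be overwritten, so you always keep a way back to the distro binaries.

```shell
#!/bin/sh
# relink_iptables.sh: replace the distro iptables binaries with symlinks to
# a freshly built iptables, keeping a one-time *.old backup of each.
# Added example for this page; directory defaults are assumptions.

# relink_iptables SBIN_DIR NEW_DIR
# Returns 0 when all three tools in SBIN_DIR are symlinks into NEW_DIR.
# Returns 1 without touching anything when a new binary is missing or not
# executable, or when a *.old backup already exists and would be clobbered.
# Safe to re-run: an existing symlink is simply recreated, no new backup made.
relink_iptables() {
    sbin=$1; newdir=$2
    tools="iptables iptables-save iptables-restore"

    # Check everything first so a partial failure cannot leave /sbin half done.
    for tool in $tools; do
        new="$newdir/$tool"; old="$sbin/$tool"
        if [ ! -x "$new" ]; then
            echo "refusing: $new is missing or not executable" >&2
            return 1
        fi
        if [ -e "$old" ] && [ ! -L "$old" ] && [ -e "$old.old" ]; then
            echo "refusing: backup $old.old already exists" >&2
            return 1
        fi
    done

    for tool in $tools; do
        new="$newdir/$tool"; old="$sbin/$tool"
        # A real file is the distro binary: move it aside once.
        if [ -e "$old" ] && [ ! -L "$old" ]; then
            mv "$old" "$old.old"
        fi
        rm -f "$old"
        ln -s "$new" "$old"
    done
    return 0
}

# Usage: sh relink_iptables.sh            (defaults: /sbin and /usr/local/sbin)
#        sh relink_iptables.sh /sbin /opt/iptables/sbin
if [ "${RELINK_RUN:-0}" = 1 ] || [ $# -gt 0 ]; then
    relink_iptables "${1:-/sbin}" "${2:-/usr/local/sbin}" && "${1:-/sbin}/iptables" -V
fi
```

After relinking, iptables -V must print v1.4.12.2 as shown above, and once the new kernel is running, iptables -m layer7 --help should list the --l7proto option; if iptables then refuses to insert a rule with -m layer7, the first thing to compare is the userspace xt_layer7.h against the kernel tree's copy.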
ok.