在Debian 上编译内核2.6.26.3加入Layer7模块

参考

http://blog.csdn.net/zubin006/archive/2008/08/27/2838739.aspx

向此作者致敬。

 

系统信息：
OS :         Debian

KERNEL：2.6.26.2

使用说明：
绿色加粗字体的绝大部分是输入的命令和系统输出显示的结果。

参考文章：
http://blog.csdn.net/zubin006/archive/2008/08/27/2838739.aspx


第一步，要下载和安装要用的工具及相关软件：

 root #apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot root #apt-get install gcc g++ make 

注意：
因为Debian系统的内核编译跟Redhat有所不同，它在编译的时候会需要make-kpkg和fakeroot[可选]命令，因此需要安装以上的软件包才行！

第二步，下载并解开所需的源代码软件到相应的位置：

要编译内核并加入layer7模块，必须需要以下的软件的源代码：

• linux kernel source
• iptables source
• l7-filter patch
• l7-filter protocols

我选用的以上软件的版本如下：

• kernel：2.6.26.3
• iptables：1.4.3
• l7-filter patch：2.2
• l7-filter protocols：2009-05-28

同时，已经有的旧版本是

• kernel：2.6.26.2
• iptables：1.4.2

 

 

完整下载如下：

root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.3.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.3.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.22.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz

或者通过以下网站下载
   
   
The 2.4 or 2.6 Linux kernel source (2.6 strongly preferred) from kernel.org（http://kernel.org/）
The iptables source from netfilter.org（http://netfilter.org/）
Our "l7-filter kernel version（http://sourceforge.net/project/showfiles.php?group_id=80085）" package (netfilter-layer7-vX.Y.tar.gz)
Our "Protocol definitions（http://sourceforge.net/project/showfiles.php?group_id=80085）" package (l7-protocols-YYYY-MM-DD.tar.gz)
 

按我的习惯，将这些软件解压到：/usr/local/src/Layer7下面：

因为是编译新的内核，我习惯将编译内核的源代码放在/usr/src下面，并建一个新的目录kernels,
root #cd /usr/src
root #mkdir kernels
root #cd kernels


解开要用的软件包到 /usr/src/kernels下面：
root#tar -jxvf /usr/local/src/Layer7/linux-2.6.26.3.tar.bz2 
root#tar -zxvf /usr/local/src/Layer7/iptables-1.4.3.tar.gz
root#tar -zxvf /usr/local/src/Layer7/netfilter-layer7-v2.22.tar.gz
root#tar -zxvf /usr/local/src/Layer7/l7-protocols-2009-05-28.tar.gz 



第三步，将Layer7加入新的内核中并进行编译：

为了方便，做一个符号链接，并进入新内核源代码的目录：
root#ln -s linux-2.6.26.3 linux
root#cd linux


如果你要用延续使用旧版本内核中的模块中的功能，你要将/boot/config-kernel-version文件copy到当前的内核目录，并命名为.config
root#cp /boot/config-2.6.26-2-amd64 ./.config 


为内核源代码打上layer7的补丁：
root#patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch 
结果如下：
patching file net/netfilter/Kconfigpatching 
file net/netfilter/Makefilepatching 
file net/netfilter/xt_layer7.cpatching 
file net/netfilter/regexp/regexp.cpatching 
file net/netfilter/regexp/regexp.hpatching 
file net/netfilter/regexp/regmagic.hpatching file net/netfilter/regexp/regsub.cpatching 
file net/netfilter/nf_conntrack_core.cpatching 
file net/netfilter/nf_conntrack_standalone.cpatching 
file include/net/netfilter/nf_conntrack.hpatching 
file include/linux/netfilter/xt_layer7.h 


为内核选择layer7及相关的模块：
root #make menuconfig 

选项如下：
 General setup  --->
     [*] Prompt for development and/or incomplete code/drivers Networking  ---> 
      Networking options  --->
           [*] Network packet filtering framework (Netfilter)  --->
                    Core Netfilter Configuration  --->
                     <M> Netfilter connection tracking support
                     -*- Connection tracking flow accounting
                     -*- Connection mark tracking support
                     [*] Connection tracking security mark support
                     [*] Connection tracking events (EXPERIMENTAL)
                     <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                     <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                     <M> Amanda backup protocol support
                     <M> FTP protocol support
                     <M> H.323 protocol support (EXPERIMENTAL)
                     <M> IRC protocol support
                     <M> NetBIOS name service protocol support (EXPERIMENTAL)
                     <M> PPtP protocol support
                     <M> SANE protocol support (EXPERIMENTAL)
                     <M> SIP protocol support (EXPERIMENTAL)
                     <M> TFTP protocol support
                     <M> Connection tracking netlink interface (EXPERIMENTAL)
                     {M} Netfilter Xtables support (required for ip_tables)
                     <M>   "CLASSIFY" target support
                     <M>   "CONNMARK" target support
                     <M>   "DSCP" target support
                     <M>   "MARK" target support
                     <M>   "NFQUEUE" target Support
                     <M>   "NFLOG" target support
                     <M>   "NOTRACK" target support
                     <M>   "TRACE" target support
                     <M>   "TRACE" target support
                     <M>   "SECMARK" target support
                     <M>   "CONNSECMARK" target support
                     <M>   "TCPMSS" target support
                     <M>   "comment" match support
                     <M>   "connbytes" per-connection counter match support
                     <M>   "connlimit" match support"
                     <M>   "connmark" connection mark match support
                     <M>   "conntrack" connection tracking match support
                     <M>   "DCCP" protocol match support
                     <M>   "DCCP" protocol match support
                     <M>   "DSCP" match support
                     <M>   "ESP" match support
                     <M>   "helper" match support
                     <M>   "length" match support
                     <M>   "limit" match support
                     <M>   "mac" address match support
                     <M>   "mark" match support
                     <M>   IPsec "policy" match support
                     <M>   Multiple port match support
                     <M>   "physdev" match support
                     <M>   "pkttype" packet type match support
                     <M>   "quota" match support
                     <M>   "realm" match support
                     <M>   "sctp" protocol match support (EXPERIMENTAL)
                     <M>   "state" match support 
                    <M>   "layer7" match support
                     [*]     Layer 7 debugging output
                     <M>   "statistic" match support
                     <M>   "string" match support
                     <M>   "tcpmss" match support 
                     <M>   "time" match support
                     <M>   "u32" match support
                     <M>   "hashlimit" match support
                 IP: Netfilter Configuration  ---> 
                    <M> IPv4 connection tracking support (required for NAT)
                     [*]   proc/sysctl compatibility with old connection tracking (NEW
                     <M> IP Userspace queueing via NETLINK (OBSOLETE)
                     <M> IP tables support (required for filtering/masq/NAT)
                     <M>   IP range match support
                     <M>   TOS match support
                     <M>   recent match support
                     <M>   ECN match support
                     <M>   AH match support
                     <M>   TTL match support
                     <M>   Owner match support
                     <M>   address type match support
                     <M>   Packet filtering
                     <M>     REJECT target support
                     <M>   LOG target support
                     <M>   ULOG target support
                     <M>   Full NAT (NEW)
                     <M>     MASQUERADE target support
                     <M>     REDIRECT target support
                     <M>     NETMAP target support
                     <M>     SAME target support (OBSOLETE)
                     <M>     Basic SNMP-ALG support (EXPERIMENTAL)

                     <M>   Packet mangling
                     <M>     TOS target support
  

注意，刚开始时，我一直找不到：<M> "layer7" match support 和 [*] Layer 7 debugging output 这两个模块，浪费了很多时间，后来发现是因为这两个模块是属于：<> Netfilter connection tracking support 这个模块，因此得先选择<M> Netfilter connection tracking support 这样下面才有Layer7及相关模块！
其中time模块就是可以通过iptables可以控制上网的时间等功能，就是时间控制的模块！

一步一步的"EXIT"后，会提示你是否保存刚才的选择更改结果，我们选“YES”！

注意：
按以往Redhat或者其它版本的编译过程就得用make及要关命令来进行编译，但是在这里，我们需要用到Debian的专门工具make-kpkg,我想这个工具也是基于make，只是经过加工以方便Debian用户使用吧，因为Debian的启动内核参数跟别的系统有所差异！本文刚开始提到的安装那些软件包

root#apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot

就是为了这一步而做的！

清除源码树并复原 kernel-package 参数
root #make-kpkg clean

然后进行编译并生成.deb的包，以供安装时使用：
root#fakeroot make-kpkg --append_to_version -686 --initrd --revision=2.6.26.3 kernel_image modules_image
说明：fakeroot是切换到root用户环境，如果你现在当前用户不是root,你要用这个命令，否则这个命令可以省！
好像用make-kpkg这个命令在编译内核时比以往省了很多步骤！有空研究一下这东东！
同时在做这一步时需要花挺长时间进行编译工作以及后期的工作，看你的机器配置而异！普通机器 1.7G 128M内存，得需要2小时，因此你现在可以喝杯茶，去做别的事了...
--revision=2.6.26.3  这个参数是指定新内核的版本号
--append_to_version -686 这个参数是指定内核的子版本


哎，服务器[Intel(R) Xeon(R) CPU           E5506  @ 2.13GHz,4G]编译这一步，只花了40分钟，好电脑就是好啊！
编译完成后，在/usr/src/kernels下生成linux-image-2.6.26.3-686_2.6.26.3_amd64.deb文件，即在 linux新内核的上一级目录！

安装新的内核：

root #dpkg -i linux-image-2.6.26.3-686_2.6.26.3_amd64.deb

由于Debian现在采用grub2,所以不会再有/boot/grub/menu.lst文件。

我们查看/boot/grub/grub.cfg

### BEGIN /etc/grub.d/10_linux ### menuentry "Debian GNU/Linux, Linux 2.6.26.3-686" { insmod ext2 set root=(hd1,1) search --no-floppy --fs-uuid --set a5114f05-3638-425c-a7cd-2b464e57787e linux /boot/vmlinuz-2.6.26.3-686 root=UUID=a5114f05-3638-425c-a7cd-2b464e57787e ro quiet initrd /boot/initrd.img-2.6.26.3-686 } menuentry "Debian GNU/Linux, Linux 2.6.26-2-amd64" { insmod ext2 set root=(hd1,1) search --no-floppy --fs-uuid --set a5114f05-3638-425c-a7cd-2b464e57787e linux /boot/vmlinuz-2.6.26-2-amd64 root=UUID=a5114f05-3638-425c-a7cd-2b464e57787e ro quiet initrd /boot/initrd.img-2.6.26-2-amd64 } ### END /etc/grub.d/10_linux ###

 

这两条已经提到最前面，也就是说，如果我们没动这个文件的话，下次下机时，会去执行新的内核！


第四步，为iptables打补丁，并安装之

进入iptables源代码目录：
root#cd /usr/src/kernels/iptables-1.4.3
为源代码打上补丁，对于iptables版本高于1.4.1的，需要采用如下方法:
将补丁文件复制到extension里面

root $ cp ../netfilter-layer7-v2.22/iptables-1.4.3forward-for-kernel-2.6.20forward/* extensions

复制后，编译安装：

root #./configure --with-ksource=/usr/local/src/linux root #make root #make install

安装Layer7第七层协议协议定义文件：     /*TCP/IP第七层就是应用层，就是针对网络应用软件的设计，比如QQ,MSN等...
使用Layer模块时，请参考/etc/l7-protocols文件中的定义，各种协议，比如QQ,MSN的特征都在这个目下：

root #cd /usr/src/kernels/l7-protocols-2009-05-28/ root #make install

执行结果：
mkdir -p /etc/l7-protocols
cp -R * /etc/l7-protocols

看执行的结果就知道，它在做什么了！

这样新的内核都弄好了，iptables也装好了，就可以重新开机了！
重新开机后，就会执行新的内核和iptables,就可以测试它是否正常了！
#shutdown -r now


第五步，测试

先测试Kernel和iptables的版本是不是我们刚才编译的那个：
#uname -a Linux data 2.6.26.3-686 #1 SMP Sat Oct 9 16:54:23 CST 2010 x86_64 GNU/Linux2008 i686 GNU/Linux #iptables -V iptables v1.4.3

再测试iptables的layer7是否可用：
注意：新的iptables是在/usr/local/sbin/iptables
      旧的版本的iptalbes是在/sbin/iptables
所以要注意，我就是在这里出错了，同时在编译安装新版时，/usr/local/sbin这个比/sbin目录优先，但在写启动脚本时，要写完整路径时，要用/usr/local/sbin/iptables
# iptables -m layer7 --help # /usr/local/sbin/iptables -m layer7 --help

显示结果

iptables v1.4.3 Usage: iptables -[AD] chain rule-specification [options] iptables -I chain [rulenum] rule-specification [options] iptables -R chain rulenum rule-specification [options] iptables -D chain rulenum [options] iptables -[LS] [chain [rulenum]] [options] iptables -[FZ] [chain] [options] iptables -[NX] chain iptables -E old-chain-name new-chain-name iptables -P chain target [options] iptables -h (print this help information) Commands: Either long or short options are allowed. --append -A chain Append to chain --delete -D chain Delete matching rule from chain --delete -D chain rulenum Delete rule rulenum (1 = first) from chain --insert -I chain [rulenum] Insert in chain as rulenum (default 1=first) --replace -R chain rulenum Replace rule rulenum (1 = first) in chain --list -L [chain [rulenum]] List the rules in a chain or all chains --list-rules -S [chain [rulenum]] Print the rules in a chain or all chains --flush -F [chain] Delete all rules in chain or all chains --zero -Z [chain] Zero counters in chain or all chains --new -N chain Create a new user-defined chain --delete-chain -X [chain] Delete a user-defined chain --policy -P chain target Change policy on chain to target --rename-chain -E old-chain new-chain Change chain name, (moving any references) Options: [!] --proto -p proto protocol: by number or name, eg. `tcp' [!] --source -s address[/mask] source specification [!] --destination -d address[/mask] destination specification [!] --in-interface -i input name[+] network interface name ([+] for wildcard) --jump -j target target for rule (may load target extension) --goto -g chain jump to chain with no return --match -m match extended match (may load extension) --numeric -n numeric output of addresses and ports [!] --out-interface -o output name[+] network interface name ([+] for wildcard) --table -t table table to manipulate (default: `filter') --verbose -v verbose mode --line-numbers print line numbers when listing --exact -x expand numbers (display exact values) [!] --fragment -f match second or further fragments only --modprobe=<command> try to insert modules using this command --set-counters PKTS BYTES set the counter during insert/append [!] --version -V print package version. layer7 match options: --l7dir <directory> : Look for patterns here instead of /etc/l7-protocols/ (--l7dir must be specified before --l7proto if used) [!] --l7proto <name>: Match named protocol using /etc/l7-protocols/.../name.pat
还没增加layer7模块前的情况如下：
#iptables -m layer7 --help iptables v1.3.6: Couldn't load match `layer7':/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory Try `iptables -h' or 'iptables --help' for more information.

说明一切正常。
这时再测试一下能不能挡MSN和QQ[我们以这台机器为router为例，挡经过这个路由器的MSN和QQ封包]:

MSN,QQ & bt:

# iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止msn)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt)
# iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯)

看一下结果：
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            LAYER7 l7proto bittorrent
DROP       all  --  anywhere             anywhere            LAYER7 l7proto qq
DROP       all  --  anywhere             anywhere            LAYER7 l7proto msnmessenger

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination


再尝试一下登录一下你的MSN,QQ以及BT软件，如果不能上线，恭喜你，成功了...


 

参考iptables实例： 使用iptables layer-7 filter： # iptables -t mangle -I PREROUTING -m layer7 --l7proto edonkey -j DROP (禁止edonkey) # iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP (禁止bt) # iptables -t mangle -I PREROUTING -m layer7 --l7proto qq -j DROP (禁止QQ通讯) # iptables -t mangle -I PREROUTING -m layer7 --l7proto msnmessenger -j DROP (禁止edonkey) # iptables -t mangle -I PREROUTING -m layer7 --l7proto xunlei -j DROP (禁止迅雷) # iptables -t mangle -I PREROUTING -m layer7 --l7proto kugoo -j DROP (禁止kugoo) # iptables -t mangle -I PREROUTING -m layer7 --l7proto yahoo -j DROP (禁止Yahoo! Messenger)
补充：

一，如果在log文件中看到以下信息：
ip_tables: (C) 2000-2006 Netfilter Core Team
Aug 23 11:36:58 router kernel: nf_conntrack version 0.5.0 (12288 buckets, 49152 max)
Aug 23 11:37:02 router kernel: eth0: no IPv6 routers present
Aug 23 11:37:03 router kernel: eth1: no IPv6 routers present
Aug 23 11:42:33 router kernel: About to compile this: "^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*À/200"
Aug 23 11:42:33 router kernel: About to compile this: "^(ver [ -~]*msnftp^M
Aug 23 11:42:33 router kernel: ver msnftp^M
Aug 23 11:42:33 router kernel: usr|method msnmsgr:)"
Aug 23 11:42:33 router kernel: About to compile this: "ver [0-9]+ msnp[1-9][0-9]? [^I-^M -~]*cvr0^M
Aug 23 11:42:33 router kernel: $|usr 1 [!-~]+ [0-9. ]+^M
Aug 23 11:42:33 router kernel: $|ans 1 [!-~]+ [0-9. ]+^M
Aug 23 11:42:33 router kernel: $"
Aug 23 11:42:33 router kernel: About to compile this: "^[()]...?.?.?(reg|get|query)"
Aug 23 11:42:33 router kernel: About to compile this: "^(1../216|d.+tgp7)"
Aug 23 11:42:33 router kernel: About to compile this: "^.?^B.+^C$"
Aug 23 11:54:42 router kernel: About to compile this: "^(^Sbittorrent protocol|azver^A$|get /scrape/?info_hash=)|d1:ad2:id20:|^H'7p/)[rp]"

请不要在意思，因为这些信息是告诉你，iptables在过滤你所要求的操作在内核中已经启动生效，比如过滤yahoo等...一般是执行 iptables后产生的！

二，同时，如果出现以下的信息：
Aug 23 14:13:19 router kernel: layer7: couldn't get conntrack.
则说明layer7功能早于ipforward命令前执行，请将：
/usr/local/sbin/iptables -t mangle -I PREROUTING -m layer7 --l7proto bittorrent -j DROP
这类命令放在：
/usr/local/sbin/iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth1 -j MASQUERADE
之后！