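Compiling kernel 2.6.26.3 with the Layer7 module on Debian
System information:
OS: Debian
KERNEL: 2.6.26.2
Conventions:
Most of the text in bold green is either a command that was typed in or the output the system displayed.
Reference article:
http://www.linuxidc.com/Linux/2011-06/37842.htm
Step 1: download and install the tools and related software that will be needed: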
root #apt-get install debhelper modutils kernel-package libncurses5-dev fakeroot
root #apt-get install gcc g++ make
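Note:
Building a kernel on Debian differs from doing so on RedHat: the build needs the make-kpkg and (optionally) fakeroot commands, so the packages above must be installed first.
Step 2: download the required source packages and unpack them in the right place:
To build the kernel with the layer7 module, the source code of the following software is required: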
linux kernel source
iptables source
l7-filter patch
l7-filter protocols
The versions I chose are:
kernel: 2.6.26.3
iptables: 1.4.3
l7-filter patch: 2.2
l7-filter protocols: 2009-05-28
The older versions already on the system are:
kernel: 2.6.26.2
iptables: 1.4.2
The complete downloads are:
root # wget ftp://ftp.tw.kernel.org/pub/linux/kernel/v2.6/linux-2.6.26.3.tar.bz2
root # wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.3.tar.bz2
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/netfilter-layer7-v2.22.tar.gz
root # wget http://nchc.dl.sourceforge.net/sourceforge/l7-filter/l7-protocols-2009-05-28.tar.gz
Alternatively, download them from the following sites:
The 2.4 or 2.6 Linux kernel source (2.6 strongly preferred) from kernel.org (http://kernel.org/)
The iptables source from netfilter.org (http://netfilter.org/)
Our "l7-filter kernel version (http://sourceforge.net/project/showfiles.php?group_id=80085)" package (netfilter-layer7-vX.Y.tar.gz)
Our "Protocol definitions (http://sourceforge.net/project/showfiles.php?group_id=80085)" package (l7-protocols-YYYY-MM-DD.tar.gz)
By habit, I keep the downloaded archives under /usr/local/src/Layer7 (the tar commands below read them from there).
Because this is a new kernel build, I put the kernel source under /usr/src and create a new directory, kernels, for it:
root #cd /usr/src
root #mkdir kernels
root #cd kernels
Unpack the packages into /usr/src/kernels:
root#tar -jxvf /usr/local/src/Layer7/linux-2.6.26.3.tar.bz2
root#tar -jxvf /usr/local/src/Layer7/iptables-1.4.3.tar.bz2
root#tar -zxvf /usr/local/src/Layer7/netfilter-layer7-v2.22.tar.gz
root#tar -zxvf /usr/local/src/Layer7/l7-protocols-2009-05-28.tar.gz
Step 3: add Layer7 to the new kernel and build it:
For convenience, create a symbolic link and change into the new kernel source directory:
root#ln -s linux-2.6.26.3 linux
root#cd linux
If you want to carry over the module selections of the old kernel, copy the /boot/config-kernel-version file into the current kernel source directory and name it .config:
root#cp /boot/config-2.6.26-2-amd64 ./.config
Apply the layer7 patch to the kernel source:
root#patch -p1 < ../netfilter-layer7-v2.22/kernel-2.6.25-2.6.28-layer7-2.22.patch
The output is:
patching file net/netfilter/Kconfig
patching file net/netfilter/Makefile
patching file net/netfilter/xt_layer7.c
patching file net/netfilter/regexp/regexp.c
patching file net/netfilter/regexp/regexp.h
patching file net/netfilter/regexp/regmagic.h
patching file net/netfilter/regexp/regsub.c
patching file net/netfilter/nf_conntrack_core.c
patching file net/netfilter/nf_conntrack_standalone.c
patching file include/net/netfilter/nf_conntrack.h
patching file include/linux/netfilter/xt_layer7.h
Select layer7 and the related modules for the kernel:
root #make menuconfig
The options are:
General setup --->
    [*] Prompt for development and/or incomplete code/drivers
Networking --->
    Networking options --->
        [*] Network packet filtering framework (Netfilter) --->
            Core Netfilter Configuration --->
                <M> Netfilter connection tracking support
                -*- Connection tracking flow accounting
                -*- Connection mark tracking support
                [*] Connection tracking security mark support
                [*] Connection tracking events (EXPERIMENTAL)
                <M> SCTP protocol connection tracking support (EXPERIMENTAL)
                <M> UDP-Lite protocol connection tracking support (EXPERIMENTAL)
                <M> Amanda backup protocol support
                <M> FTP protocol support
                <M> H.323 protocol support (EXPERIMENTAL)
                <M> IRC protocol support
                <M> NetBIOS name service protocol support (EXPERIMENTAL)
                <M> PPtP protocol support
                <M> SANE protocol support (EXPERIMENTAL)
                <M> SIP protocol support (EXPERIMENTAL)
                <M> TFTP protocol support
                <M> Connection tracking netlink interface (EXPERIMENTAL)
                {M} Netfilter Xtables support (required for ip_tables)
                <M> "CLASSIFY" target support
                <M> "CONNMARK" target support
                <M> "DSCP" target support
                <M> "MARK" target support
                <M> "NFQUEUE" target Support
                <M> "NFLOG" target support
                <M> "NOTRACK" target support
                <M> "TRACE" target support
                <M> "SECMARK" target support
                <M> "CONNSECMARK" target support
                <M> "TCPMSS" target support
                <M> "comment" match support
                <M> "connbytes" per-connection counter match support
                <M> "connlimit" match support
                <M> "connmark" connection mark match support
                <M> "conntrack" connection tracking match support
                <M> "DCCP" protocol match support
                <M> "DSCP" match support
                <M> "ESP" match support
                <M> "helper" match support
                <M> "length" match support
                <M> "limit" match support
                <M> "mac" address match support
                <M> "mark" match support
                <M> IPsec "policy" match support
                <M> Multiple port match support
                <M> "physdev" match support
                <M> "pkttype" packet type match support
                <M> "quota" match support
                <M> "realm" match support
                <M> "sctp" protocol match support (EXPERIMENTAL)
                <M> "state" match support
                <M> "layer7" match support
                [*] Layer 7 debugging output
                <M> "statistic" match support
                <M> "string" match support
                <M> "tcpmss" match support
                <M> "time" match support
                <M> "u32" match support
                <M> "hashlimit" match support
            IP: Netfilter Configuration --->
                <M> IPv4 connection tracking support (required for NAT)
                [*] proc/sysctl compatibility with old connection tracking (NEW)
                <M> IP Userspace queueing via NETLINK (OBSOLETE)
                <M> IP tables support (required for filtering/masq/NAT)
                <M> IP range match support
                <M> TOS match support
                <M> recent match support
                <M> ECN match support
                <M> AH match support
                <M> TTL match support
                <M> Owner match support
                <M> address type match support
                <M> Packet filtering
                <M> REJECT target support
                <M> LOG target support
                <M> ULOG target support
                <M> Full NAT (NEW)
                <M> MASQUERADE target support
                <M> REDIRECT target support
                <M> NETMAP target support
                <M> SAME target support (OBSOLETE)
                <M> Basic SNMP-ALG support (EXPERIMENTAL)
                <M> Packet mangling
                <M> TOS target support
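Note: at first I simply could not find these two entries:
<M> "layer7" match support
and [*] Layer 7 debugging output, and I wasted a lot of time. I later found out that this is because both entries belong to <> Netfilter connection tracking support, so you have to select <M> Netfilter connection tracking support first; only then do Layer7 and its related entries appear below it.
The time module is the time-control module: it lets iptables control things such as the hours during which Internet access is allowed.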
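The dependency described in the note above can be checked in .config before starting the build. The following shell functions are an added example, not part of the original article: they report which of the options that layer7 needs are still unset. The CONFIG_ names are assumed to be the Kconfig symbols behind the menu entries listed above, and the sample config is constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options the layer7 match needs.
# Assumed symbol-to-menu mapping:
#   EXPERIMENTAL              Prompt for development and/or incomplete code/drivers
#   NETFILTER                 Network packet filtering framework (Netfilter)
#   NF_CONNTRACK              Netfilter connection tracking support
#   NF_CT_ACCT                Connection tracking flow accounting
#   NETFILTER_XTABLES         Netfilter Xtables support
#   NETFILTER_XT_MATCH_LAYER7 "layer7" match support (added by the l7-filter patch)
L7_REQUIRED="EXPERIMENTAL NETFILTER NF_CONNTRACK NF_CT_ACCT NETFILTER_XTABLES NETFILTER_XT_MATCH_LAYER7"

# Print each required symbol that is not set to y or m in the given file.
missing_l7_options() {
    cfg=$1
    for sym in $L7_REQUIRED; do
        grep -Eq "^CONFIG_${sym}=[ym]\$" "$cfg" || printf '%s\n' "CONFIG_${sym}"
    done
}

# Return 0 if the config is ready for a layer7 build, 1 if options are
# missing, 2 if the file cannot be read.
check_l7_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    missing=$(missing_l7_options "$cfg")
    if [ -n "$missing" ]; then
        # $missing is left unquoted on purpose to print the names on one line
        echo "not set in $cfg:" $missing >&2
        return 1
    fi
    return 0
}

# Constructed sample: conntrack is unset, so "layer7" cannot be selected.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_EXPERIMENTAL=y
CONFIG_NETFILTER=y
# CONFIG_NF_CONNTRACK is not set
CONFIG_NETFILTER_XTABLES=m
EOF
}

# When called with a path (e.g. ./.config in the kernel tree), check that file.
if [ $# -gt 0 ]; then check_l7_config "$1"; fi
```

If CONFIG_NETFILTER_XT_MATCH_LAYER7 is reported together with CONFIG_NF_CONNTRACK, the layer7 entry was hidden in menuconfig for the reason given in the note.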