Loading the connlimit module without recompiling the kernel

Preface

The RHEL 5 kernel rpm package does not contain the complete source code, so the build method used for earlier versions will not work. According to the Fedora release notes, when you need to add a new module you only need to create a new Makefile and then make that module (the RHEL 5 release notes should mention this too, but I have not verified it) (Fedora 5 release notes: http://docs.fedoraproject.org/release-notes/fc5/release-notes-ISO/#id3098172 ).

System environment and related packages

Operating system: Red Hat Enterprise Linux Server release 5 (Tikanga)
Kernel source path: /usr/src/kernels/2.6.18-8.el5-i686
iptables-1.4.0.tar.bz2                         # download: www.netfilter.org ; actually we only need its source code.
patch-o-matic-ng-20080214.tar.bz2        # download: www.kernel.org ; I downloaded the latest package.
 

Build process

Fetch the packages and extract them (in the /root directory)

#wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
#wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
#tar xjf iptables-1.4.0.tar.bz2
#tar xjf patch-o-matic-ng-20080214.tar.bz2
#cd /root/patch-o-matic-ng-20080214

Download the connlimit module

#export KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686/
#export IPTABLES_DIR=/root/iptables-1.4.0
#./runme --download
Successfully downloaded external patch geoip
Successfully downloaded external patch condition
Successfully downloaded external patch IPMARK
Successfully downloaded external patch ROUTE
Successfully downloaded external patch connlimit
Successfully downloaded external patch ipp2p
Successfully downloaded external patch time
./patchlets/ipv4options exists and is not external
./patchlets/TARPIT exists and is not external
Successfully downloaded external patch ACCOUNT
Successfully downloaded external patch pknock
Loading patchlet definitions......................... done
 
 
Excellent! Source trees are ready for compilation.

Apply the connlimit patch to the kernel

#export KERNEL_DIR=/usr/src/kernels/2.6.18-8.el5-i686/
#export IPTABLES_DIR=/root/iptables-1.4.0
#./runme connlimit
Loading patchlet definitions......................... done
Welcome to Patch-o-matic ($Revision: 6736 $)!
 
Kernel:   2.6.18, /usr/src/kernels/2.6.18-8.el5-i686/
Iptables: 1.4.0, /root/iptables-1.4.0
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing connlimit... not applied
The connlimit patch:
   Author: Gerd Knorr <[email protected]>
   Status: ItWorksForMe[tm]
 
This adds an iptables match which allows you to restrict the
number of parallel TCP connections to a server per client IP address
(or address block).
 
Examples:
 
# allow 2 telnet connections per client host
iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
 
# you can also match the other way around:
iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
 
# limit the nr of parallel http requests to 16 per class C sized
# network (24 bit netmask)
iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
        --connlimit-mask 24 -j REJECT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
 
Excellent! Source trees are ready for compilation.

 

Start building the module

#cd /usr/src/kernels/2.6.18-8.el5-i686
#make oldconfig

[root@connlimit 2.6.18-8.el5-i686]# make oldconfig
  HOSTCC  scripts/kconfig/conf.o
  HOSTCC  scripts/kconfig/kxgettext.o
  HOSTCC  scripts/kconfig/mconf.o
  HOSTCC  scripts/kconfig/zconf.tab.o
  HOSTLD  scripts/kconfig/conf
scripts/kconfig/conf -o arch/i386/Kconfig
*
* Linux Kernel Configuration
*
*
* Code maturity level options
*
Prompt for development and/or incomplete code/drivers (EXPERIMENTAL) [Y/n/?] y
[... large amount of output omitted ...]
*    ARP tables support (IP_NF_ARPTABLES) [M/n/?] m
      ARP packet filtering (IP_NF_ARPFILTER) [M/n/?] m
      ARP payload mangling (IP_NF_ARP_MANGLE) [M/n/?] m
    Connections/IP limit match support (IP_NF_MATCH_CONNLIMIT) [N/m/?] (NEW) m
    *
    * IPv6: Netfilter Configuration (EXPERIMENTAL)
    *
    IP6 Userspace queueing via NETLINK (OBSOLETE) (IP6_NF_QUEUE) [M/n/?] m
[... large amount of output omitted ...]
 
* General setup
*
#
# configuration written to .config
#

 
When the newly added connlimit option is prompted (asking whether it should be built into the kernel), enter "m" to build it as a module.
#make modules_prepare      #### What is this step for??? I don't know and didn't dig into it; I just ran it obediently.
#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig      #### Back up the original Makefile; it contains the original build information, and building with it directly will fail.
Create a new Makefile

#vi net/ipv4/netfilter/Makefile

 

# Build only ipt_connlimit as an out-of-tree module (obj-m = module object).
obj-m := ipt_connlimit.o

# Build directory of the running kernel; on RHEL 5 this is a symlink to
# /usr/src/kernels/2.6.18-8.el5-i686.
KDIR  := /lib/modules/$(shell uname -r)/build
PWD   := $(shell pwd)

# Hand the build to the kernel's kbuild system with this directory as M=.
# The recipe line below must be indented with a TAB, not spaces, or make fails.
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
 

Then build the module:
#make M=net/ipv4/netfilter/

[root@connlimit 2.6.18-8.el5-i686]# make M=net/ipv4/netfilter/
  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/ipt_connlimit.o
  Building modules, stage 2.
  MODPOST
  CC      net/ipv4/netfilter/ipt_connlimit.mod.o
  LD [M]  net/ipv4/netfilter/ipt_connlimit.ko

Copy the generated .ko module to its target location and set its permissions

#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-8.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko

At this point the module build is complete.

Test and apply the new module

Run depmod -a to check that the connlimit module is compatible (it regenerates the module dependency list so that modprobe can find the new module)

# depmod -a

Load the connlimit module

#modprobe ipt_connlimit

Check whether it loaded successfully

[root@connlimit 2.6.18-8.el5-i686]# lsmod |grep ip
ipt_connlimit           7680  0
ip_conntrack           53153  1 ipt_connlimit
nfnetlink              10713  1 ip_conntrack
ipv6                  251137  12
ipt_REJECT              9537  0
x_tables               17349  3 ipt_connlimit,ipt_REJECT,xt_tcpudp
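An added helper script (not part of the original post) that automates the build steps above: it writes the minimal kbuild Makefile with a real tab before the recipe (make rejects spaces there), builds, installs and loads the module, and confirms it in lsmod. The kernel tree path and module name are taken from this page; KDIR, MODDIR and the function names are my own.

```shell
#!/bin/sh
# Added example: automate the build/install steps from the post.
# Run as root on the RHEL 5 box: sh build_connlimit.sh run
set -e

KDIR="${KDIR:-/usr/src/kernels/2.6.18-8.el5-i686}"
MODDIR="${MODDIR:-/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter}"
MOD="${MOD:-ipt_connlimit}"

# Emit the minimal kbuild Makefile for one module. The recipe line must
# start with a TAB, so it is generated with printf rather than pasted.
gen_makefile() {
    printf 'obj-m := %s.o\n\n' "$1"
    printf 'KDIR  := /lib/modules/$(shell uname -r)/build\n'
    printf 'PWD   := $(shell pwd)\n\n'
    printf 'default:\n\t$(MAKE) -C $(KDIR) M=$(PWD) modules\n'
}

# Return 0 if lsmod-style text on stdin lists the module in its first column.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# The build/install sequence from the post, safe to re-run.
build_and_load() {
    cd "$KDIR"
    make modules_prepare
    [ -f net/ipv4/netfilter/Makefile.orig ] || \
        mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig
    gen_makefile "$MOD" > net/ipv4/netfilter/Makefile
    make M=net/ipv4/netfilter/
    install -m 744 "net/ipv4/netfilter/$MOD.ko" "$MODDIR/"
    depmod -a
    modprobe "$MOD"
    lsmod | module_loaded "$MOD" && echo "$MOD loaded"
}

if [ "${1:-}" = run ]; then build_and_load; fi
```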

OK, the module is now ready to use.
Now test it:
Apply the rules:
1. Access to port 80 from any single IP cannot exceed 32 connections
#iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 32 -j REJECT
2. Protect the web server against too many connections
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 32 -j DROP
Check whether the policy was applied successfully

[root@connlimit 2.6.18-8.el5-i686]# iptables -L -n
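An added example, not from the original post, of applying the port-80 limit the way a defender would deploy it: excess SYNs go to a dedicated chain that logs them (rate-limited) before rejecting, so hits show up in syslog and can be counted. Passing echo as the first argument prints the iptables commands instead of running them; the chain name HTTP_CONNLIMIT, the LOG prefix and the constructed syslog lines are my own assumptions.

```shell
#!/bin/sh
# Added example: connlimit protection for port 80 with a logging chain.
# Usage: http_connlimit_rules echo   (dry run, prints the commands)
#        http_connlimit_rules        (applies them; needs root)
set -e

CHAIN="HTTP_CONNLIMIT"        # assumed chain name, not from the post
LIMIT="${LIMIT:-32}"          # parallel connections allowed per source
MASK="${MASK:-32}"            # 32 = per host, 24 = per /24 block

http_connlimit_rules() {
    run="${1:-}"
    # Only SYNs are checked, so established connections are never re-evaluated.
    match="-p tcp --syn --dport 80 -m connlimit --connlimit-above $LIMIT --connlimit-mask $MASK"

    # Remove a previous install so the function can be re-run
    # (iptables 1.4.0 has no -C, so just delete and ignore errors).
    $run iptables -D INPUT $match -j "$CHAIN" 2>/dev/null || true
    $run iptables -F "$CHAIN" 2>/dev/null || true
    $run iptables -X "$CHAIN" 2>/dev/null || true

    $run iptables -N "$CHAIN"
    # Log at most 5 lines per minute so a flood cannot fill syslog.
    $run iptables -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "connlimit-http: "
    # Reset instead of silently dropping so legitimate clients fail fast.
    $run iptables -A "$CHAIN" -p tcp -j REJECT --reject-with tcp-reset
    # Insert at the top of INPUT so it runs before any ACCEPT for port 80.
    $run iptables -I INPUT $match -j "$CHAIN"
}

# Summarise which sources tripped the limit from syslog text on stdin:
# prints "count SRC" per source, most frequent first.
connlimit_offenders() {
    grep 'connlimit-http: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}
```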