Compiling iptables extensions
Everyone online says you have to download patch-o-matic and rebuild the kernel; it really is not that much trouble. From reading the iptables man page and running the iptables command, it looks like all you need to do is build the corresponding .so file. The iptables extensions directory already contains things like connrate, but they are not built by default. You can do it like this:
For example, to add the connrate extension, edit the Makefile in the extensions directory and change
PF_EXT_SLIB:=ah connlimit connmark conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
to
PF_EXT_SLIB:=ah connlimit connmark connrate conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
then run make:
[qq@fc3 iptables-1.2.11]$ make
Making dependencies: please wait...
Something wrong... deleting dependencies.
Please try `make KERNEL_DIR=path-to-correct-kernel'.
make: *** [linux/netfilter_ipv4/ipt_connrate.h] 错误 1
I have two patch sets, patch-o-matic-ng-20040621.tar.bz2 and patch-o-matic-ng-20050314.tar.bz2. When I unpacked the former I saw references to 2.6.7 and the like, and I was worried it would not match my 2.6.9 kernel, so I used the latter. After unpacking it, I copied the header file from it:
[root@fc3 netfilter_ipv4]# cp ipt_connrate.h /usr/include/linux/netfilter_ipv4
Ran make again, and this time it succeeded:
[qq@fc3 extensions]$ ls |grep rate
libipt_connrate.c
libipt_connrate.d
libipt_connrate.man
libipt_connrate_sh.o
libipt_connrate.so
Then su to root:
[root@fc3 extensions]# cp libipt_connrate.so /lib/iptables/
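The two places where the procedure above stalls are editing the PF_EXT_SLIB list by hand and discovering only from a failed make that the kernel header is missing. The following is an added example, not part of the original post and not part of the iptables source tree: add_ext_module() inserts a module name into the PF_EXT_SLIB:= line of extensions/Makefile only if it is not already there, list_ext_modules() shows what will be built, and check_ext_header() confirms that linux/netfilter_ipv4/ipt_<module>.h exists under a given include directory before make is run, which is the check that would have caught the "Something wrong... deleting dependencies" failure up front. The Makefile fragment and the include tree used in demo() are constructed in a temporary directory; the real paths are the iptables-1.2.11/extensions/Makefile and /usr/include shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post or the iptables project.
# Scripted version of the Makefile edit and the header check that the
# build above needed. All paths used in demo() are constructed placeholders.

# Usage: add_ext_module <path-to-extensions/Makefile> <module>
# Appends <module> to the PF_EXT_SLIB:= line unless it is already listed.
# make only needs the name to be present; the order of the list is irrelevant.
add_ext_module() {
    mk="$1"
    mod="$2"
    awk -v mod="$mod" '
        /^PF_EXT_SLIB:=/ {
            found = 0
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/^PF_EXT_SLIB:=/, "", f)   # strip the variable name from field 1
                if (f == mod) found = 1
            }
            if (!found) $0 = $0 " " mod
        }
        { print }
    ' "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk"
}

# Usage: list_ext_modules <path-to-extensions/Makefile>
# Prints the modules currently in PF_EXT_SLIB, one per line.
list_ext_modules() {
    sed -n 's/^PF_EXT_SLIB:=//p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Usage: check_ext_header <include-dir> <module>
# Returns 0 if <include-dir>/linux/netfilter_ipv4/ipt_<module>.h exists,
# 1 otherwise, with a hint on stderr. Run this before make: a missing header
# is exactly what made the dependency step fail on this page.
check_ext_header() {
    hdr="$1/linux/netfilter_ipv4/ipt_$2.h"
    if [ -f "$hdr" ]; then
        return 0
    fi
    echo "missing $hdr: copy it from the patch-o-matic-ng tree first" >&2
    return 1
}

# demo: constructed Makefile fragment and include tree in a temporary directory
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed sample: a shortened PF_EXT_SLIB line in the page's format
    printf 'PF_EXT_SLIB:=ah connlimit connmark conntrack CLASSIFY ULOG\n' > "$tmp/Makefile"
    add_ext_module "$tmp/Makefile" connrate
    add_ext_module "$tmp/Makefile" connrate      # second call is a no-op
    echo "modules now built:"
    list_ext_modules "$tmp/Makefile"
    # first check fails (header not copied yet), second passes
    check_ext_header "$tmp/include" connrate || echo "header check failed as expected"
    mkdir -p "$tmp/include/linux/netfilter_ipv4"
    : > "$tmp/include/linux/netfilter_ipv4/ipt_connrate.h"   # stand-in for the copied header
    check_ext_header "$tmp/include" connrate && echo "header present, safe to run make"
    rm -rf "$tmp"
}

demo
```

On a real tree the calls would be add_ext_module extensions/Makefile connrate followed by check_ext_header /usr/include connrate, and make is only started when the check returns 0.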
Try it out:
[root@fc3 qq]# /sbin/iptables -A INPUT -s 192.168.0.30 -m connrate --connrate 100000:150000 -j ACCEPT
iptables: No chain/target/match by that name
Why? Check the man page:
connrate
This module matches the current transfer rate in a connection.
--connrate [!] [from]:[to]
Match against the current connection transfer rate being within
’from’ and ’to’ bytes per second. When the "!" argument is used
before the range, the sense of the match is inverted.
So it seems this is not rate limiting after all; it appears to match on whether the current rate falls within a given range, and then you can do something with that. I do not fully understand it yet.
When I have time I will compile iplimit and the others too.