Re: [tproxy] Issue with iptables 1.3.8
Hello,
Did you set KERNEL_DIR to your kernel source (/usr/src/linux)? Only with it can you compile libxt_TROXY, libxt_tproxy and some other modules (see extensions/.tproxy-testx)
Yes, I used make KERNELDIR=/usr/src/linux, and nothing. Then I edit .tproxy-testx and point to my kernel (/usr/src/linux-2.6.22.4) and nothing.
Thanks for help.
Marco.
On Aug 21 2007 14:40, Marco Aurelio da Silva wrote:
Did you set KERNEL_DIR to your kernel source (/usr/src/linux)? Only with it can you compile libxt_TROXY, libxt_tproxy and some other modules (see extensions/.tproxy-testx)
Yes, I used make KERNELDIR=/usr/src/linux, and nothing. Then I edit .tproxy-testx and point to my kernel (/usr/src/linux-2.6.22.4) and nothing.
chmod 755 extensions/.*-test*
then retry.
Jan
Jan Engelhardt wrote:
On Aug 21 2007 14:40, Marco Aurelio da Silva wrote:
Did you set KERNEL_DIR to your kernel source (/usr/src/linux)? Only with it can you compile libxt_TROXY, libxt_tproxy and some other modules (see extensions/.tproxy-testx)
Yes, I used make KERNELDIR=/usr/src/linux, and nothing. Then I edit .tproxy-testx and point to my kernel (/usr/src/linux-2.6.22.4) and nothing.
chmod 755 extensions/.*-test*
then retry.
Jan
I did this before but No way.... It didn't compile. I don't know more what to do... The kernel modules are OK, I modprobe then OK but I can't use iptables. Anything else?
Thanks and excuse me for poor English.
Marco.
On Aug 21 2007 16:21, Marco Aurelio da Silva wrote:
Did you set KERNEL_DIR to your kernel source (/usr/src/linux)? Only with it can you compile libxt_TROXY, libxt_tproxy and some other modules (see extensions/.tproxy-testx)
Yes, I used make KERNELDIR=/usr/src/linux, and nothing. Then I edit .tproxy-testx and point to my kernel (/usr/src/linux-2.6.22.4) and nothing.
chmod 755 extensions/.*-test* then retry.
I did this before but No way.... It didn't compile.
Post an error message!
I don't know more what to do... The kernel modules are OK, I modprobe then OK but I can't use iptables.
Post an error message! (if you have not done so yet)
Jan
Jan Engelhardt wrote:
On Aug 21 2007 16:21, Marco Aurelio da Silva wrote:
Did you set KERNEL_DIR to your kernel source (/usr/src/linux)? Only with it can you compile libxt_TROXY, libxt_tproxy and some other modules (see extensions/.tproxy-testx)
Yes, I used make KERNELDIR=/usr/src/linux, and nothing. Then I edit .tproxy-testx and point to my kernel (/usr/src/linux-2.6.22.4) and nothing.
chmod 755 extensions/.*-test* then retry.
I did this before but No way.... It didn't compile.
Post an error message!
I don't know more what to do... The kernel modules are OK, I modprobe then OK but I can't use iptables.
Post an error message! (if you have not done so yet)
Jan
No errors are returned:
This is what I did:
--------------------------------
root@srvsistema:/usr/local/teste/iptables-1.3.8# cat /usr/local/src/tproxy-4.0.1-2.6.22/patches/iptables-r7008-tproxy.diff | patch -p1
patching file extensions/libxt_tproxy.c
patching file extensions/libxt_TPROXY.c
patching file extensions/libxt_tproxy.man
patching file extensions/libxt_TPROXY.man
patching file extensions/.tproxy-testx
root@srvsistema:/usr/local/src/iptables-1.3.8# chmod 777 extensions/.*-test*
in extensions/.tproxy-testx:
#!/bin/sh
[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo TPROXY
[ -f $KERNEL_DIR/net/netfilter/xt_tproxy.c ] && echo tproxy
root@srvsistema:/usr/local/src/iptables-1.3.8# make KERNEL_DIR=/usr/src/linux
Extensions found: IPv4:CLUSTERIP IPv4:NFLOG IPv4:connbytes IPv4:dccp IPv4:quota IPv4:recent IPv4:statistic IPv4:string IPv6:NFLOG IPv6:REJECT IPv6:ah IPv6:esp IPv6:frag IPv6:hashlimit IPv6:ipv6header IPv6:mh IPv6:rt IPv6:sctp
root@srvsistema:/usr/local/src/iptables-1.3.8# make install
-----------------------------------------------------------------
But it doesn't compile .so files for tproxy
root@srvsistema:/usr/local/src/iptables-1.3.8/extensions# iptables -m tproxy --help
iptables v1.3.8: Couldn't load match `tproxy':/usr/local/lib/iptables/libipt_tproxy.so: cannot open shared object file: No such file or directory
Thanks.
On Aug 21 2007 16:35, Marco Aurelio da Silva wrote:
chmod 755 extensions/.*-test*
No errors are returned:
This is what I did:
--------------------------------
/usr/local/src/iptables-1.3.8# chmod 777 extensions/.*-test*
(There's a difference between 755 and 777, but it's not important now.)
in extensions/.tproxy-testx:
#!/bin/sh
[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo TPROXY
[ -f $KERNEL_DIR/net/netfilter/xt_tproxy.c ] && echo tproxy
root@srvsistema:/usr/local/src/iptables-1.3.8# make KERNEL_DIR=/usr/src/linux
And, does /usr/src/linux/include/linux/netfilter/xt_TPROXY.h exist? And how about /usr/src/linux/net/netfilter/xt_tproxy.c?
Jan
Jan Engelhardt wrote:
On Aug 21 2007 16:35, Marco Aurelio da Silva wrote:
chmod 755 extensions/.*-test*
No errors are returned:
This is what I did:
--------------------------------
/usr/local/src/iptables-1.3.8# chmod 777 extensions/.*-test*
(There's a difference between 755 and 777, but it's not important now.)
in extensions/.tproxy-testx:
#!/bin/sh
[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo TPROXY
[ -f $KERNEL_DIR/net/netfilter/xt_tproxy.c ] && echo tproxy
root@srvsistema:/usr/local/src/iptables-1.3.8# make KERNEL_DIR=/usr/src/linux
And, does /usr/src/linux/include/linux/netfilter/xt_TPROXY.h exist? And how about /usr/src/linux/net/netfilter/xt_tproxy.c?
Jan
OK. Yes they exist.
root@srvsistema:/usr/local/src/iptables-1.3.8/extensions# vi /usr/src/linux/include/linux/netfilter/xt_TPROXY.h
/*
 * Transparent proxy support for Linux/iptables
 *
 * Copyright (c) 2002-2007 BalaBit IT Ltd.
 * Author: Balázs Scheidler
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */
#ifndef _XT_TPROXY_H_target
#define _XT_TPROXY_H_target
struct xt_tproxy_target_info {
	__be16 lport;
	__be32 laddr;
};
#endif /*_XT_TPROXY_H_target*/
And
root@srvsistema:/usr/local/src/iptables-1.3.8/extensions# vi /usr/src/linux/net/netfilter/xt_tproxy.c
/*
 * Transparent proxy support for Linux/iptables
 *
 * Copyright (c) 2002-2006 BalaBit IT Ltd.
 * Author: Balázs Scheidler
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>

static int
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      int *hotdrop)
{
	return skb->ip_tproxy;
}

static int
check(const char *tablename,
      const void *entry,
      const struct xt_match *match,
      void *matchinfo,
      unsigned int matchsize,
      unsigned int hook_mask)
{
	if (matchsize != 0)
		return 0;
	return 1;
}

static struct xt_match tproxy_match = {
	.name		= "tproxy",
	.match		= match,
	.checkentry	= check,
	.family		= AF_INET,
	.me		= THIS_MODULE,
};

static struct xt_match tproxy6_match = {
	.name		= "tproxy",
	.match		= match,
	.checkentry	= check,
	.family		= AF_INET6,
	.me		= THIS_MODULE,
};

static int __init xt_tproxy_init(void)
{
	int ret;

	ret = xt_register_match(&tproxy_match);
	if (ret)
		return ret;
	ret = xt_register_match(&tproxy6_match);
	if (ret)
		xt_unregister_match(&tproxy_match);
	return ret;
}

static void __exit xt_tproxy_fini(void)
{
	xt_unregister_match(&tproxy_match);
	xt_unregister_match(&tproxy6_match);
}

module_init(xt_tproxy_init);
module_exit(xt_tproxy_fini);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Krisztian Kovacs <hidden@balabit.hu>");
MODULE_DESCRIPTION("iptables tproxy matching module");
MODULE_ALIAS("ipt_tproxy");
MODULE_ALIAS("ip6t_tproxy");
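The checks walked through in this thread (are the extensions/.*-test* scripts executable, and what does each one print for a given KERNEL_DIR) combined into one script. This is an added example, not part of the original messages or of iptables: the function names probe_tests and make_demo_tree and the temporary demo tree are constructed for illustration; only the .tproxy-testx body is the one quoted in the thread.

```shell
#!/bin/sh
# probe_tests EXT_DIR KERNEL_DIR  (hypothetical helper, added example)
# For each EXT_DIR/.*-test* script: report if it cannot be executed,
# otherwise run it with KERNEL_DIR set and list the names it prints.
probe_tests() {
    ext_dir=$1
    kdir=$2
    for t in "$ext_dir"/.*-test*; do
        [ -e "$t" ] || continue          # glob matched nothing
        name=${t##*/}
        if [ ! -x "$t" ]; then
            echo "$name: not executable"
            continue
        fi
        # Join the emitted extension names onto one line.
        out=$(KERNEL_DIR=$kdir "$t" | tr '\n' ' ' | sed 's/ *$//')
        echo "$name: ${out:-<nothing detected>}"
    done
}

# make_demo_tree ROOT  (constructed sample input, not a real kernel tree)
# Builds ROOT/kernel with xt_TPROXY.h present and xt_tproxy.c absent, and
# ROOT/extensions/.tproxy-testx with the script body quoted in the thread.
make_demo_tree() {
    root=$1
    mkdir -p "$root/kernel/include/linux/netfilter" \
             "$root/kernel/net/netfilter" "$root/extensions"
    : > "$root/kernel/include/linux/netfilter/xt_TPROXY.h"
    cat > "$root/extensions/.tproxy-testx" <<'EOF'
#!/bin/sh
[ -f $KERNEL_DIR/include/linux/netfilter/xt_TPROXY.h ] && echo TPROXY
[ -f $KERNEL_DIR/net/netfilter/xt_tproxy.c ] && echo tproxy
EOF
    # 755 as suggested in the thread; 777 would leave a script that the
    # build runs writable by every local user.
    chmod 755 "$root/extensions/.tproxy-testx"
}

# Demo run on the constructed tree.
demo=$(mktemp -d)
make_demo_tree "$demo"
probe_tests "$demo/extensions" "$demo/kernel"
rm -rf "$demo"
```

On a real source tree the call would be probe_tests extensions /usr/src/linux, run from the iptables source directory.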