Steve Clark wrote:
David Stes wrote:
I'm not sure this is the proper solution, but the way I think you're
supposed to compile the proxies is by modifying
ip_proxy.c
and by moving
#include "ip_rcmd_pxy.c"
a few lines higher, above
/* END OF INCLUDES */
because the Makefiles scan for that comment and generate sources based on it.
On Thu, Aug 21, 2008 at 03:36:29PM -0400, Steve Clark wrote:
Hi,
I have gotten 4.1.31 to compile and run on centos 5.2 linux kernel
2.6.18-92.1.10.el5.
It seems to be mostly working ok after some minor changes for locking. I have just discovered a
problem with ipnat, though, when trying to set up an ftp proxy rule.
map eth1 192.168.4.0/24 -> 2.2.2.1/32 proxy port ftp ftp/tcp
when I try to insert this I get:
[EMAIL PROTECTED] proc]# ipnat -CF -f /etc/ipnat.cfg
0 entries flushed from NAT table
0 entries flushed from NAT list
1:ioctl(add/insert nat rule): No such file or directory
other map rules seem to be ok.
Could someone point me where I should start looking for this problem. I haven't
been able to
figure out how ip_ftp_pxy.c get compiled and where it ends up. I can't find a
.o file in the
Linux/Linux-2.6.18-92.1.10.el5-i686 directory.
Thanks,
Steve
Hi David,
I put
#error "in ip_ftp_proxy"
in the ip_ftp_pxy.c file to see if it was being included and as you can see
below it appears
that it is being included into ip_proxy.c - so there must be something else
going wrong.
make[1]: Entering directory `/root/ip_fil4.1.31/Linux'
cc -I. -ILinux-2.6.18-92.1.10.el5-i686 -g -I.. -D_BSD_SOURCE
-DIPFILTER_LOOKUP -DIPFILTER_SCAN -DIPFILTER_LOG -DLINUX=20618 -c ../ip_proxy.c
-o Linux-2.6.18-92.1.10.el5-i686/ip_proxy_u.o
In file included from ../ip_proxy.c:91:
../netinet/ip_ftp_pxy.c:11:2: error: #error "in ip_ftp_proxy"
make[1]: *** [Linux-2.6.18-92.1.10.el5-i686/ip_proxy_u.o] Error 1
Thanks,
Steve
Hi David,
after further review you are correct. It looks like this file gets compiled
twice: once as is, then again after
sed has been run on it, leaving out everything before "END OF INCLUDES". Anyway,
ip_ftp_pxy.c had errors
in it when I finally got it to compile - a couple of undefined functions,
mb_adj() and mb_cant_remember().
Steve
PS:
attached are the changes I made to get it running on centos 5.2 - linux-2.6.18
diff -ur ip_fil4.1.31/fil.c ip_fil4.1.31n/fil.c
--- ip_fil4.1.31/fil.c 2008-06-09 06:41:35.000000000 -0400
+++ ip_fil4.1.31n/fil.c 2008-08-13 10:46:41.000000000 -0400
@@ -334,6 +334,8 @@
{ "", NULL, NULL }
};
+int
+ppsratecheck(struct timeval *, int *, int);
/*
* The next section of code is a a collection of small routines that set
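Review bot: The `ppsratecheck` prototype is dropped into the middle of fil.c, between a static table and a comment block, instead of into a header every caller includes; ip_compat.h, which this patch already edits in its Linux section, is the natural home so the declaration and the definition (not shown in this diff) cannot drift apart. If the declaration is only needed on Linux, guard it with the same condition as the definition. The comment block on the last lines continues outside the hunk.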
diff -ur ip_fil4.1.31/ip_compat.h ip_fil4.1.31n/ip_compat.h
--- ip_fil4.1.31/ip_compat.h 2008-07-24 05:30:30.000000000 -0400
+++ ip_fil4.1.31n/ip_compat.h 2008-08-15 13:39:11.000000000 -0400
@@ -1146,11 +1146,13 @@
/* ----------------------------------------------------------------------- */
#if defined(linux) && !defined(OS_RECOGNISED)
#include <linux/version.h>
+#if 0
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,23)
# include <linux/autoconf.h>
#else
# include <linux/config.h>
#endif
+#endif
# if (LINUX >= 20600) && defined(_KERNEL)
# define HDR_T_PRIVATE 1
# endif
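Review bot: The `#if 0` around the `linux/autoconf.h`/`linux/config.h` include disables it for every kernel version and every build (kernel and the user-space `_u.o` objects alike) and leaves the old code as dead text; if the header now arrives some other way, delete the block and say so, e.g. `/* kernel config is supplied by the build (-include autoconf.h); do not include it here */`, otherwise narrow it to the versions or the `_KERNEL` case that actually break. If nothing else pulls the config in, every `CONFIG_*` test in the tree, such as the `#ifdef CONFIG_PROC_FS` in linux.c further down, silently evaluates false, which is worth confirming on this kernel rather than inferring from a successful build.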
@@ -1180,8 +1182,8 @@
# define KRWLOCK_T rwlock_t
# define KMUTEX_T spinlock_t
# define MUTEX_INIT(x,y) spin_lock_init(&(x)->ipf_lk)
-# define MUTEX_ENTER(x) spin_lock(&(x)->ipf_lk)
-# define MUTEX_EXIT(x) spin_unlock(&(x)->ipf_lk)
+# define MUTEX_ENTER(x) spin_lock_bh(&(x)->ipf_lk)
+# define MUTEX_EXIT(x) spin_unlock_bh(&(x)->ipf_lk)
# define MUTEX_DESTROY(x) do { } while (0)
# define MUTEX_NUKE(x) bzero(&(x)->ipf_lk, sizeof((x)->ipf_lk))
# define READ_ENTER(x) ipf_read_enter(x)
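Review bot: Switching `MUTEX_ENTER`/`MUTEX_EXIT` to `spin_lock_bh`/`spin_unlock_bh` records no reason anywhere in the patch; a comment on the definitions, e.g. `/* _bh: the same locks are taken from the packet hook, which runs with softirqs enabled */` (adjusted to the context that actually deadlocked), would tell the next reader why the plain variants were not enough. The change is only sound if every acquire and release of `ipf_lk` uses a `_bh` variant — the ip_fil_linux.c hunks below convert `read_lock`, `write_lock` and both unlocks, but any direct `spin_lock(&...->ipf_lk)` elsewhere in the tree would now leave the softirq count unbalanced — and only if none of these locks is ever taken from hard-IRQ context, which `_bh` does not protect against. Both constraints belong in that comment.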
diff -ur ip_fil4.1.31/ip_fil_linux.c ip_fil4.1.31n/ip_fil_linux.c
--- ip_fil4.1.31/ip_fil_linux.c 2007-11-08 03:12:42.000000000 -0500
+++ ip_fil4.1.31n/ip_fil_linux.c 2008-08-15 13:56:56.000000000 -0400
@@ -15,7 +15,7 @@
#include <linux/timer.h>
#include <asm/ioctls.h>
-extern int sysctl_ip_default_ttl;
+/*extern int sysctl_ip_default_ttl;*/
static int fr_send_ip __P((fr_info_t *, struct sk_buff *, struct sk_buff
**));
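Review bot: The `extern int sysctl_ip_default_ttl;` declaration is commented out instead of deleted, and the next hunk does the same with the assignment that used it; commented-out code should go, with the reason kept as a real comment if it matters, e.g. `/* sysctl_ip_default_ttl is not exported to modules on this kernel; ip_ttl uses a fixed default instead */` (confirm that this is the actual reason). The `fr_send_ip` prototype split across the two lines below looks like a mail-client line wrap rather than part of the change.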
@@ -319,7 +319,8 @@
ip->ip_hl = sizeof(*oip) >> 2;
ip->ip_tos = oip->ip_tos;
ip->ip_id = 0;
- ip->ip_ttl = sysctl_ip_default_ttl;
+ /*ip->ip_ttl = sysctl_ip_default_ttl;*/
+ ip->ip_ttl = 64;
ip->ip_sum = 0;
ip->ip_off = 0x4000;
hlen = sizeof(*ip);
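Review bot: `ip->ip_ttl = 64;` hard-codes the TTL of packets ipfilter itself emits, ignoring the administrator's `net.ipv4.ip_default_ttl` setting and doing so with a bare magic number next to a commented-out line. If the sysctl really cannot be reached from a module, at least use the named constant the IP headers already define — `ip->ip_ttl = IPDEFTTL;` (64 in both `<netinet/ip.h>` and `<linux/ip.h>`) — with a why-comment such as `/* sysctl_ip_default_ttl is not reachable from a module; use the protocol default */`, and delete the `/*ip->ip_ttl = sysctl_ip_default_ttl;*/` line. The enclosing function starts and ends outside this hunk.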
@@ -672,7 +673,10 @@
return -1;
dev = ifptr;
- ifp = __in_dev_get(dev);
+
+ rtnl_lock();
+ ifp = __in_dev_get_rtnl(dev);
+ rtnl_unlock();
if (v == 4)
inp->s_addr = 0;
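Review bot: `rtnl_unlock()` is called immediately after the lookup, so the lock covers only the read of the `ifp` pointer and nothing that is later done with the in_device it points to; the function continues below the hunk, and whatever it dereferences through `ifp` there runs without the protection `__in_dev_get_rtnl` presumes. `rtnl_lock()` is also a sleeping mutex: if this path can be reached while one of the `_bh` spinlocks this patch introduces is held, that is a sleep-under-spinlock bug. The RCU form, `rcu_read_lock(); ifp = __in_dev_get_rcu(dev); ... rcu_read_unlock();` with the read side held until the last use of `ifp`, avoids both problems; confirm which contexts reach this code before choosing.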
@@ -780,7 +784,7 @@
*((int *)rwlk->ipf_magic) = 1;
}
#endif
- read_lock(&rwlk->ipf_lk);
+ read_lock_bh(&rwlk->ipf_lk);
ATOMIC_INC32(rwlk->ipf_isr);
}
@@ -796,8 +800,12 @@
*((int *)rwlk->ipf_magic) = 1;
}
#endif
- write_lock(&rwlk->ipf_lk);
- rwlk->ipf_isw = 1;
+ write_lock_bh(&rwlk->ipf_lk);
+#if 0
+ rwlk->ipf_isw = 1;
+#else
+ ATOMIC_INC32(rwlk->ipf_isw);
+#endif
}
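Review bot: The `#if 0 ... #else ... #endif` scaffolding here and in the unlock hunk below keeps the old `rwlk->ipf_isw = 1;` and `rwlk->ipf_isw = 0;` as dead code next to the new `ATOMIC_INC32`/`ATOMIC_DEC32`; pick one form and delete the other. Turning `ipf_isw` from a 0/1 flag into a counter also changes what the unlock path's `panic()` check can detect — a count above 1 would mean a double write-enter, but nothing tests for it — so if the counter fixes a real race (I cannot tell from the hunk), a one-line comment such as `/* counted, not set: ... */` stating that race is needed. The write-enter function begins outside the hunk.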
@@ -816,11 +824,15 @@
}
#endif
if (rwlk->ipf_isw > 0) {
+#if 0
rwlk->ipf_isw = 0;
- write_unlock(&rwlk->ipf_lk);
+#else
+ ATOMIC_DEC32(rwlk->ipf_isw);
+#endif
+ write_unlock_bh(&rwlk->ipf_lk);
} else if (rwlk->ipf_isr > 0) {
ATOMIC_DEC32(rwlk->ipf_isr);
- read_unlock(&rwlk->ipf_lk);
+ read_unlock_bh(&rwlk->ipf_lk);
} else {
panic("rwlk->ipf_isw %d isr %d rwlk %p name [%s]\n",
rwlk->ipf_isw, rwlk->ipf_isr, rwlk, rwlk->ipf_lname);
diff -ur ip_fil4.1.31/ip_nat.c ip_fil4.1.31n/ip_nat.c
--- ip_fil4.1.31/ip_nat.c 2008-07-26 14:41:30.000000000 -0400
+++ ip_fil4.1.31n/ip_nat.c 2008-08-21 19:47:08.000000000 -0400
@@ -118,7 +118,6 @@
static const char rcsid[] = "@(#)$Id: ip_nat.c,v 2.195.2.115 2008/07/26
18:41:30 darrenr Exp $";
#endif
-
/* ======================================================================== */
/* How the NAT is organised and works. */
/* */
@@ -967,7 +966,10 @@
int error = 0, i, j;
if (nat_resolverule(n) != 0)
+ {
+ printf("nat_siocaddnat - enoent\n");
return ENOENT;
+ }
if ((n->in_age[0] == 0) && (n->in_age[1] != 0))
return EINVAL;
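Review bot: The added `printf("nat_siocaddnat - enoent\n");` is the diagnostic from the thread's ENOENT chase and prints unconditionally for every rule whose proxy cannot be resolved; remove it before this is merged, or gate it behind the file's existing debug mechanism and include the rule's proxy name so the message says which lookup failed. The new braces also indent `return ENOENT;` differently from the one-line `if` style used by the `EINVAL` check right below. The function starts and ends outside this hunk.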
@@ -2031,7 +2033,7 @@
if (np->in_flags & IPN_SEQUENTIAL) {
port = np->in_pnext;
} else {
- port = ipf_random() % (ntohs(np->in_pmax) -
+ port = 12345 % (ntohs(np->in_pmax) -
ntohs(np->in_pmin));
port += ntohs(np->in_pmin);
}
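Review bot: `port = 12345 % (...)` replaces `ipf_random()` with a constant, so the NAT port chosen for every non-sequential mapping is fully deterministic within the `in_pmin`..`in_pmax` range; randomised port allocation exists precisely so that a third party cannot predict a translated port, and this change removes that property for the whole NAT table. If `ipf_random()` failed to compile or link on this kernel, the fix belongs in the Linux compat layer — provide it on top of the kernel's `get_random_bytes()` — not here; this hunk should not be merged as it stands. The same constant-for-random substitution appears in the ip_state.c hunk below (`ips_seed[i] = 1234;`).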
diff -ur ip_fil4.1.31/ip_proxy.c ip_fil4.1.31n/ip_proxy.c
--- ip_fil4.1.31/ip_proxy.c 2007-06-02 17:22:28.000000000 -0400
+++ ip_fil4.1.31n/ip_proxy.c 2008-08-21 21:29:24.000000000 -0400
@@ -87,7 +87,6 @@
#if (__FreeBSD_version >= 300000)
# include <sys/malloc.h>
#endif
-
#include "netinet/ip_ftp_pxy.c"
#include "netinet/ip_rcmd_pxy.c"
# include "netinet/ip_pptp_pxy.c"
@@ -626,12 +625,14 @@
printf("appr_lookup(%d,%s)\n", pr, name);
for (ap = ap_proxies; ap->apr_p; ap++)
+ {
+ printf("pr=%d,label=(%s)\n",ap->apr_p,ap->apr_label);
if ((ap->apr_p == pr) &&
!strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
ap->apr_ref++;
return ap;
}
-
+ }
for (ap = ap_proxylist; ap; ap = ap->apr_next)
if ((ap->apr_p == pr) &&
!strncmp(name, ap->apr_label, sizeof(ap->apr_label))) {
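Review bot: The `printf("pr=%d,label=(%s)\n", ...)` inside the `ap_proxies` scan fires once per registered proxy on every lookup and looks like leftover debugging; drop it, or put it under whatever condition already guards the `appr_lookup(%d,%s)` print above (that condition is outside the hunk). If `apr_label` can fill its array without a terminating NUL — the bounded `strncmp(..., sizeof(ap->apr_label))` on the next line suggests the code allows for that — `%s` reads past the end, and `"%.*s", (int)sizeof(ap->apr_label), ap->apr_label` is the safe form. The braces added around the loop body leave the `if` at its old indentation.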
diff -ur ip_fil4.1.31/ip_state.c ip_fil4.1.31n/ip_state.c
--- ip_fil4.1.31/ip_state.c 2008-07-24 05:30:32.000000000 -0400
+++ ip_fil4.1.31n/ip_state.c 2008-08-13 11:11:41.000000000 -0400
@@ -221,7 +221,8 @@
* XXX - ips_seed[X] should be a random number of sorts.
*/
#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
- ips_seed[i] = arc4random();
+ /*ips_seed[i] = arc4random();*/
+ ips_seed[i] = 1234;
#else
ips_seed[i] = ((u_long)ips_seed + i) * fr_statesize;
ips_seed[i] += tv.tv_sec;
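Review bot: `ips_seed[i] = 1234;` replaces `arc4random()` with a constant in the kernel build, directly against the comment above it that the seed "should be a random number of sorts"; a fixed, public hash seed makes state-table bucket placement predictable, which is the precondition for flooding a single bucket, and leaves the kernel branch less random than the `#else` user-space one that at least mixes in `tv.tv_sec`. If `arc4random()` is unavailable on Linux, add a shim in the compat layer over `get_random_bytes()`, or route Linux through the `#else` branch — do not ship a constant, here or in the `12345` port hunk in ip_nat.c. The enclosing function starts and ends outside this hunk.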
diff -ur ip_fil4.1.31/Linux/ipfilter.spec.dist
ip_fil4.1.31n/Linux/ipfilter.spec.dist
--- ip_fil4.1.31/Linux/ipfilter.spec.dist 2008-07-24 07:08:40.000000000
-0400
+++ ip_fil4.1.31n/Linux/ipfilter.spec.dist 2008-08-13 11:17:52.000000000
-0400
@@ -2,7 +2,7 @@
Name: ipfilter
Version: 4.1.30
Release: 1
-Copyright: Copyright 2006 Darren Reed
+License: Darren Reed
Group: System Environment/Base
BuildRoot: /usr/src/redhat/BUILD/ipfilter
diff -ur ip_fil4.1.31/Linux/ipf-linux.h ip_fil4.1.31n/Linux/ipf-linux.h
--- ip_fil4.1.31/Linux/ipf-linux.h 2005-09-10 14:23:36.000000000 -0400
+++ ip_fil4.1.31n/Linux/ipf-linux.h 2008-07-29 16:15:08.000000000 -0400
@@ -36,6 +36,8 @@
# define ipftcphdr tcphdr
# define ipfudphdr udphdr
#endif
+extern int ip_finish_output(struct sk_buff *skb);
+
struct ipftcphdr {
__u16 th_sport;
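Review bot: `extern int ip_finish_output(struct sk_buff *skb);` only silences the compiler; in the mainline 2.6 kernels I know of, `ip_finish_output` is file-local to net/ipv4/ip_output.c and not exported to modules, so unless this particular kernel exports it (confirm on the 2.6.18 build), the module will compile and then fail to load with an unresolved symbol. If the goal is to hand a locally built packet to the IP output path, `dst_output()` on the packet's route is the supported entry point; either way the declaration needs a comment stating which kernel provides the symbol and why it is used.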
diff -ur ip_fil4.1.31/linux.c ip_fil4.1.31n/linux.c
--- ip_fil4.1.31/linux.c 2008-02-05 15:56:12.000000000 -0500
+++ ip_fil4.1.31n/linux.c 2008-08-12 08:53:39.000000000 -0400
@@ -1,6 +1,5 @@
#include "ipf-linux.h"
-#include <linux/devfs_fs_kernel.h>
#ifdef CONFIG_PROC_FS
#include <linux/proc_fs.h>
@@ -14,15 +13,15 @@
MODULE_DESCRIPTION("IP-Filter Firewall");
MODULE_LICENSE("(C)Copyright 2003-2004 Darren Reed");
-MODULE_PARM(fr_flags, "i");
-MODULE_PARM(fr_control_forwarding, "i");
-MODULE_PARM(fr_update_ipid, "i");
-MODULE_PARM(fr_chksrc, "i");
-MODULE_PARM(fr_pass, "i");
-MODULE_PARM(ipstate_logging, "i");
-MODULE_PARM(nat_logging, "i");
-MODULE_PARM(ipl_suppress, "i");
-MODULE_PARM(ipl_logall, "i");
+module_param(fr_flags, int, 0);
+module_param(fr_control_forwarding, int, 0);
+module_param(fr_update_ipid, int, 0);
+module_param(fr_chksrc, int, 0);
+module_param(fr_pass, int, 0);
+module_param(ipstate_logging, int, 0);
+module_param(nat_logging, int, 0);
+module_param(ipl_suppress, int, 0);
+module_param(ipl_logall, int, 0);
#endif
static int ipf_open(struct inode *, struct file *);
diff -ur ip_fil4.1.31/Makefile ip_fil4.1.31n/Makefile
--- ip_fil4.1.31/Makefile 2008-07-24 05:30:30.000000000 -0400
+++ ip_fil4.1.31n/Makefile 2008-07-29 15:40:55.000000000 -0400
@@ -77,7 +77,7 @@
#
# Uncomment the next 3 lines if you want to view the state table a la top(1)
# (requires that you have installed ncurses).
-#STATETOP_CFLAGS=-DSTATETOP
+STATETOP_CFLAGS=-DSTATETOP
#
# Where to find the ncurses include files (if not in default path),
#
@@ -86,7 +86,7 @@
#
# How to link the ncurses library
#
-#STATETOP_LIB=-lncurses
+STATETOP_LIB=-lncurses
#STATETOP_LIB=-L/usr/local/lib -lncurses
#