[iptables] How to compile the files in the extensions directory of iptables

Posted on 2005-3-19 19:40:56

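I downloaded iptables-1.2.11. After compiling, some of the extensions in the extensions directory are built into .o files, but the ones I want, such as iplimit and iprate, are not compiled. What should I do? I don't want to apply patches with patch-o-matic-ng, because that also means compiling the kernel, which is a hassle.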
Posted on 2005-3-20 09:05:12
Modify the Makefile.

Original poster | Posted on 2005-3-20 18:59:49
I'd like to modify the Makefile too, but I can't see how to change it, and there are no instructions at all. Could you take a look for me? I'm using version 1.2.11.

    # uncomment this to get a fully statically linked version
    # NO_SHARED_LIBS = 1

    # uncomment this to disable IPv6 support
    # DO_IPV6 = 0

    ######################################################################
    # YOU SHOULD NOT NEED TO TOUCH ANYTHING BELOW THIS LINE
    ######################################################################

    # Standard part of Makefile for topdir.
    TOPLEVEL_INCLUDED=YES

    ifndef KERNEL_DIR
    KERNEL_DIR=/usr/src/linux
    endif
    IPTABLES_VERSION:=1.2.11
    OLD_IPTABLES_VERSION:=1.2.10

    PREFIX:=/usr/local
    LIBDIR:=$(PREFIX)/lib
    BINDIR:=$(PREFIX)/sbin
    MANDIR:=$(PREFIX)/man
    INCDIR:=$(PREFIX)/include

    # directory for new iptables releases
    RELEASE_DIR:=/tmp

    # Need libc6 for this.  FIXME: Should covert to autoconf.
    ifeq ($(shell [ -f /usr/include/netinet/ip6.h ] && echo YES), YES)
    DO_IPV6:=1
    endif

    COPT_FLAGS:=-O2
    CFLAGS:=$(COPT_FLAGS) -Wall -Wunused -I$(KERNEL_DIR)/include -Iinclude/ -DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\" #-g -DDEBUG #-pg # -DIPTC_DEBUG

    ifdef NO_SHARED_LIBS
    CFLAGS += -DNO_SHARED_LIBS=1
    endif

    EXTRAS+=iptables iptables.o iptables.8
    EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables $(DESTDIR)$(MANDIR)/man8/iptables.8

    # No longer experimental.
    EXTRAS+=iptables-save iptables-restore
    EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/iptables-save $(DESTDIR)$(BINDIR)/iptables-restore $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8

    ifeq ($(DO_IPV6), 1)
    EXTRAS+=ip6tables ip6tables.o ip6tables.8
    EXTRA_INSTALLS+=$(DESTDIR)$(BINDIR)/ip6tables $(DESTDIR)$(MANDIR)/man8/ip6tables.8
    EXTRAS_EXP+=ip6tables-save ip6tables-restore
    EXTRA_INSTALLS_EXP+=$(DESTDIR)$(BINDIR)/ip6tables-save $(DESTDIR)$(BINDIR)/ip6tables-restore # $(DESTDIR)$(MANDIR)/man8/iptables-restore.8 $(DESTDIR)$(MANDIR)/man8/iptables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-save.8 $(DESTDIR)$(MANDIR)/man8/ip6tables-restore.8
    endif

    # Sparc64 hack
    ifeq ($(shell uname -m),sparc64)
            POINTERTEST:=1
            32bituser := $(shell echo -e "\#include \n\#if !defined(__sparcv9) && !defined(__arch64__) && !defined(_LP64)\nuserspace_is_32bit\n\#endif" | $(CC) $(CFLAGS) -E - | grep userspace_is_32bit)
            ifdef 32bituser
                    # The kernel is 64-bit, even though userspace is 32.
                    CFLAGS+=-DIPT_MIN_ALIGN=8 -DKERNEL_64_USERSPACE_32
            else
                    EXT_LDFLAGS=-m elf64_sparc
            endif
    endif

    # Alpha only has 64bit userspace and fails the test below
    ifeq ($(shell uname -m), alpha)
            POINTERTEST:=1
    endif

    # Generic test if arch wasn't found above
    ifneq ($(POINTERTEST),1)
            # Try to determine if kernel is 64bit and we are compiling for 32bit
            ifeq ($(shell [ -a $(KERNEL_DIR)/include/asm ] && echo YES), YES)
                    64bitkernel := $(shell echo -e "\#include \n\#if BITS_PER_LONG == 64\nkernel_is_64bits\n\#endif" | $(CC) $(CFLAGS) -D__KERNEL__ -E - | grep kernel_is_64bits)
                    ifdef 64bitkernel
                            32bituser := $(shell echo -e "\#include \n\#if !defined(__arch64__) && !defined(_LP64)\nuserspace_is_32bit\n\#endif" | $(CC) $(CFLAGS) -E - | grep userspace_is_32bit)
                            ifdef 32bituser
                                    CFLAGS+=-DIPT_MIN_ALIGN=8 -DKERNEL_64_USERSPACE_32
                            endif
                    endif
            else
                    CFLAGS+=-D_UNKNOWN_KERNEL_POINTER_SIZE
            endif
    endif

    ifndef IPT_LIBDIR
    IPT_LIBDIR:=$(LIBDIR)/iptables
    endif

    ifndef NO_SHARED_LIBS
    DEPFILES = $(SHARED_LIBS:%.so=%.d)
    SH_CFLAGS:=$(CFLAGS) -fPIC
    STATIC_LIBS  =
    STATIC6_LIBS =
    LDFLAGS      = -rdynamic
    LDLIBS       = -ldl -lnsl
    else
    DEPFILES = $(EXT_OBJS:%.o=%.d)
    STATIC_LIBS  = extensions/libext.a
    STATIC6_LIBS = extensions/libext6.a
    LDFLAGS      = -static
    LDLIBS       =
    endif

    .PHONY: default
    default: print-extensions all

    .PHONY: print-extensions
    print-extensions:
            @[ -n "$(OPTIONALS)" ] && echo Extensions found: $(OPTIONALS)

    iptables.o: iptables.c
            $(CC) $(CFLAGS) -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\" -c -o $@ $iptables.8

    ip6tables.8: ip6tables.8.in extensions/libip6t_matches.man extensions/libip6t_targets.man
            sed -e '/@MATCH@/ r extensions/libip6t_matches.man' -e '/@TARGET@/ r extensions/libiptt_targets.man' ip6tables.8.in >ip6tables.8

    # Development Targets
    .PHONY: install-devel-man3
    install-devel-man3: $(DEVEL_MAN3)
            @[ -d $(DESTDIR)$(MANDIR)/man3 ] || mkdir -p $(DESTDIR)$(MANDIR)/man3
            @cp -v $(DEVEL_MAN3) $(DESTDIR)$(MANDIR)/man3

    .PHONY: install-devel-headers
    install-devel-headers: $(DEVEL_HEADERS)
            @[ -d $(DESTDIR)$(INCDIR) ] || mkdir -p $(DESTDIR)$(INCDIR)
            @cp -v $(DEVEL_HEADERS) $(DESTDIR)$(INCDIR)

    .PHONY: install-devel-libs
    install-devel-libs: $(DEVEL_LIBS)
            @[ -d $(DESTDIR)$(LIBDIR) ] || mkdir -p $(DESTDIR)$(LIBDIR)
            @cp -v $(DEVEL_LIBS) $(DESTDIR)$(LIBDIR)

    .PHONY: install-devel
    install-devel: all install-devel-man3 install-devel-headers install-devel-libs

    .PHONY: distclean
    distclean: clean
            @rm -f TAGS `find . -name '*~' -o -name '.*~'` `find . -name '*.rej'` `find . -name '*.d'` .makefirst

    # Rusty's distro magic.
    .PHONY: distrib
    distrib: check distclean delrelease $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2 diff md5sums # nowhitespace

    # Makefile must not define:
    # -g -pg -DIPTC_DEBUG
    .PHONY: check
    check:
            @if echo $(CFLAGS) | egrep -e '-g|-pg|IPTC_DEBUG' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi

    .PHONY: nowhitespace
    nowhitespace:
            @if grep -n '[         ]$$' `find . -name 'Makefile' -o -name '*.[ch]'`; then exit 1; else exit 0; fi

    .PHONY: delrelease
    delrelease:
            rm -f $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2

    $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2:
            cd .. && ln -sf iptables iptables-$(IPTABLES_VERSION) && tar cvf - --exclude CVS iptables-$(IPTABLES_VERSION)/. | bzip2 -9 > $@ && rm iptables-$(IPTABLES_VERSION)

    .PHONY: diff
    diff: $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2
            @mkdir /tmp/diffdir
            @cd /tmp/diffdir && tar -x --bzip2 -f $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).tar.bz2
            @set -e; cd /tmp/diffdir; tar -x --bzip2 -f $(RELEASE_DIR)/iptables-$(OLD_IPTABLES_VERSION).tar.bz2; echo Creating patch-iptables-$(OLD_IPTABLES_VERSION)-$(IPTABLES_VERSION).bz2; diff -urN iptables-$(OLD_IPTABLES_VERSION) iptables-$(IPTABLES_VERSION) | bzip2 -9 > $(RELEASE_DIR)/patch-iptables-$(OLD_IPTABLES_VERSION)-$(IPTABLES_VERSION).bz2
            @rm -rf /tmp/diffdir

    .PHONY: md5sums
    md5sums:
            cd $(RELEASE_DIR)/ && md5sum patch-iptables-*-$(IPTABLES_VERSION).bz2 iptables-$(IPTABLES_VERSION).tar.bz2

    # $(wildcard) fails wierdly with make v.3.78.1.
    include $(shell echo */Makefile)
    include Rules.make

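Posted on 2005-3-20 19:09:04
Oh, I misremembered. It should be the Makefile under extensions that you modify. If that really doesn't work, the only option is to configure the system kernel.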

Original poster | Posted on 2005-3-20 21:31:55
Got it working. For example, to add the connrate extension, edit the Makefile in the extensions directory and change

    PF_EXT_SLIB:=ah connlimit connmark  conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG

to

    PF_EXT_SLIB:=ah connlimit connmark connrate conntrack dscp ecn esp helper icmp iprange length limit mac mark multiport owner physdev pkttype realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG

Then run make again:

    [qq@fc3 iptables-1.2.11]$ make
    Making dependencies: please wait...
    Something wrong... deleting dependencies.
        Please try `make KERNEL_DIR=path-to-correct-kernel'.
    make: *** [linux/netfilter_ipv4/ipt_connrate.h] 错误 1

I have two patch sets, patch-o-matic-ng-20040621.tar.bz2 and patch-o-matic-ng-20050314.tar.bz2. When I unpacked the former I saw strings such as 2.6.7 in it, and I was worried it would not match my 2.6.9, so I used the latter. After unpacking it, I copied the file from it:

    [root@fc3 netfilter_ipv4]# cp ipt_connrate.h /usr/include/linux/netfilter_ipv4

I ran make again, and this time it succeeded:

    [qq@fc3 extensions]$ ls |grep rate
    libipt_connrate.c
    libipt_connrate.d
    libipt_connrate.man
    libipt_connrate_sh.o
    libipt_connrate.so

Then su to root:

    [root@fc3 extensions]# cp libipt_connrate.so /lib/iptables/

And try it:

    [root@fc3 qq]# /sbin/iptables -A INPUT -s 192.168.0.30 -m connrate --connrate 100000:150000 -j ACCEPT
    iptables: No chain/target/match by that name

Why? Checking the man page:

       connrate
           This module matches the current transfer rate in a connection.

           --connrate [!] [from]:[to]
                  Match  against the current connection transfer rate being within
                  ’from’ and ’to’ bytes per second. When the "!" argument is  used
                  before the range, the sense of the match is inverted.

It looks like this isn't really rate limiting. It seems to check which range the rate falls in, so that you can then do something based on that. I don't understand the details yet. When I have time I'll try compiling iplimit and the others.
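Why the last command in the post above fails, as an added example that is not part of the thread: the copied libipt_connrate.so only lets the iptables binary parse --connrate, while "No chain/target/match by that name" is what iptables prints when the running kernel has no match registered under that name, and none of the steps in the thread built or loaded a kernel module. The script below reports which half is missing; the directory defaults, the /proc file and the ipt_NAME.ko module file name are assumptions for a 2.6-era system like the one in the post.

```shell
#!/bin/sh
# Added example, not from the thread. A match needs two parts: the userspace
# library (libipt_NAME.so) and the kernel module that registers NAME.
# Assumed locations: /lib/iptables (as in the post), /lib/modules/<release>,
# and /proc/net/ip_tables_matches; module file name ipt_NAME.ko or ipt_NAME.o.

# has_userspace_lib NAME LIBDIR: true if the iptables plugin is installed.
has_userspace_lib() {
    [ -f "$2/libipt_$1.so" ]
}

# has_kernel_module NAME MODROOT: true if a module file exists on disk.
has_kernel_module() {
    [ -n "$(find "$2" \( -name "ipt_$1.ko*" -o -name "ipt_$1.o" \) -print 2>/dev/null | head -n 1)" ]
}

# is_registered NAME PROCFILE: true if the running kernel lists the match.
is_registered() {
    [ -r "$2" ] && grep -qxF "$1" "$2"
}

# diagnose_match NAME [LIBDIR] [MODROOT] [PROCFILE]: prints one status word.
diagnose_match() {
    name=$1
    libdir=${2:-/lib/iptables}
    modroot=${3:-/lib/modules/$(uname -r)}
    procfile=${4:-/proc/net/ip_tables_matches}
    if ! has_userspace_lib "$name" "$libdir"; then
        echo "no-userspace-lib"      # iptables cannot load -m NAME at all
    elif is_registered "$name" "$procfile"; then
        echo "ready"                 # both halves are present
    elif has_kernel_module "$name" "$modroot"; then
        echo "module-not-loaded"     # module file exists but is not registered
    else
        echo "no-kernel-module"      # kernel side missing: rule is rejected
    fi
}

# Check the live system for the match named on the command line.
diagnose_match "${1:-connrate}"
```

A result of no-kernel-module means the rule was never installed, so the ruleset should be re-checked with iptables -L before assuming the filter is in effect.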
