
iptables header file

Posted: 2006/05/19 05:01:52
by oayfer
hello,

i'm trying to build some iptables modules [specifically, ipp2p] and it requires "iptables.h" which is normally included in the iptables-devel package in most distributions. however centos 4 seems to include just 3 files [and a bunch of manual pages]:

# rpm -ql iptables-devel
/usr/include/libipq.h
/usr/lib/libipq.a
/usr/lib/libiptc.a
/usr/share/man/man3/ipq_create_handle.3.gz
/usr/share/man/man3/ipq_destroy_handle.3.gz
/usr/share/man/man3/ipq_errstr.3.gz
/usr/share/man/man3/ipq_get_msgerr.3.gz
/usr/share/man/man3/ipq_get_packet.3.gz
/usr/share/man/man3/ipq_message_type.3.gz
/usr/share/man/man3/ipq_perror.3.gz
/usr/share/man/man3/ipq_read.3.gz
/usr/share/man/man3/ipq_set_mode.3.gz
/usr/share/man/man3/ipq_set_verdict.3.gz
/usr/share/man/man3/libipq.3.gz

does anyone know what i need to install to get iptables.h and associated files?

thanks very much.

Re: iptables header file

Posted: 2006/06/02 13:22:49
by ocntscha
[quote]
oayfer wrote:
hello,

i'm trying to build some iptables modules [specifically, ipp2p] and it requires "iptables.h" which is normally included in the iptables-devel package in most distributions. however centos 4 seems to include just 3 files [and a bunch of manual pages]:...

does anyone know what i need to install to get iptables.h and associated files?
[/quote]

I was trying to build ipp2p for Centos 4.3 myself yesterday and ran smack dab into the exact problem you've described. I was looking for a solution when I discovered your post. Just wanted to share with you that I believe I've come up with a solution. I downloaded the source for the version of iptables I have which is 1.2.11 and just unzipped it. I was able to build iptables but I really don't want to do that, I'd like to just keep this system as "stock" as possible. So I blew it away and just unzipped the iptables source again. I can successfully build both the .ko and .so ipp2p modules with no errors at all, this - iptables -m ipp2p --help - gives me all the help like it should after having moved the .so to /lib/iptables and the kernel module loads without complaint. I haven't got around yet to ACTUALLY testing it but I'm pretty confident it's going to work fine.

I have the kernel developer rpm installed, I believe you'll need that. What worked for me was just unzipping the iptables source and then not even building it or doing anything to it. Just have it there and then in the Makefile for ipp2p I commented out this line..

IPTABLES_SRC = $(wildcard /usr/src/iptables-$(IPTVER))

and added this line..

IPTABLES_SRC = /root/stuff/iptables-1.2.11

/root/stuff/iptables-1.2.11 is where I've got a fresh unzip of the iptables source. Then simply doing a make in the ipp2p source code directory worked like a charm.

All that being said. I think what I'm going to do yet though is.. Something else I'd done was download the Centos source rpm for iptables 1.2.11 and I noticed it has a few little patches to the source. I think I'm going to add those patches to the iptables source and then do what I just described above again.

Re: iptables header file

Posted: 2006/06/02 18:35:47
by oayfer
thanks very much for your post.

you make a very good point at the end which is that the centos iptables package is not necessarily identical to the pure ones obtained directly from netfilter.org. so here is what i did:

[in a tmp dir someplace]

# wget http://isoredirect.centos.org/centos/4/apt/i386/SRPMS.os/iptables-1.2.11-3.1.RHEL4.src.rpm

# rpm2cpio ../iptables-1.2.11-3.1.RHEL4.src.rpm | cpio -idv

# tar jxvf iptables-1.2.11.tar.bz2

[this file is the same as the one from netfilter.org]

# patch -d iptables-1.2.11 < iptables-1.2.8-nolibnsl.patch
patching file Makefile
# patch -d iptables-1.2.11/libipq < iptables-1.2.9-netlink.patch
# patch -d iptables-1.2.11 < iptables-1.2.9-selinux.patch
# patch -d iptables-1.2.11 < iptables-1.2.10-counters.patch
# patch -d iptables-1.2.11 < iptables-1.2.11-autoload.patch
# patch -d iptables-1.2.11/extensions < iptables-1.2.11-cleanup.patch
# patch -d iptables-1.2.11 < iptables-1.2.11-free.patch
# mv iptables-1.2.11 /usr/local/src/iptables-1.2.11-3.1.RHEL4


then edited the Makefile for ipp2p to have this line:

IPTABLES_SRC = /usr/local/src/iptables-1.2.11-3.1.RHEL4

which seemed to work well, and i feel better about using a more relevant source tree.

Re: iptables header file

Posted: 2006/06/02 23:08:00
by ocntscha
I had done nearly the identical thing earlier myself today. But I didn't add the patches for the versions of iptables other than 1.2.11. I just figured they were extraneous cruft from previous versions that wasn't really supposed to be in the SRPM. But now I think what you did was probably the right approach.

So, I got around to actually trying to do what I was trying to do with ipp2p only to discover I'm now at a seemingly even bigger hurdle where I need ipt_CONNMARK and apparently there's no way around that other than patch o matic and rebuilding the kernel. Doh!! So much for keeping it stock.

So how's it going for you there oayfer? Did ipp2p get you where you were trying to go?

Re: iptables header file

Posted: 2006/06/03 21:50:19
by oayfer
hi again,

i *really* want to keep things as stock as possible, and will try to figure out how i can use ipp2p without CONNMARK. maybe the regular mangle tools will suffice.

unfortunately i can't devote a lot of time to playing with this stuff, so my progress is slow; but i'll post here as i come up with useful information.

Re: iptables header file

Posted: 2006/06/05 14:23:03
by ocntscha
[quote]
oayfer wrote:
hi again,

i *really* want to keep things as stock as possible, and will try to figure out how i can use ipp2p without CONNMARK. maybe the regular mangle tools will suffice.

unfortunately i can't devote a lot of time to playing with this stuff, so my progress is slow; but i'll post here as i come up with useful information.[/quote]
Let me know if you have any luck. I too have been trying to see what I can do without CONNMARK but I can't seem to get ipp2p to even match anything.

All I'm doing is using Centos as my home LAN's firewall/gateway. I'm using the pppoe stuff that comes with Centos, shorewall, and dnsmasq (caching name server/ dhcp server), and inadyn (to update my dyndns whenever my ip changes). I spent a couple weeks getting all that stuff banged into shape and it is working quite excellent.

So now I'm just wanting to implement a little traffic shaping using shorewall. In particular I want to give my p2p traffic low priority so when I'm downloading Linux .iso files or public domain recordings of the Grateful Dead and trying to play Quake 4 or stream music to myself while I'm at work, the p2p traffic will automatically throttle down and I won't get any lag and choppiness. That's the plan.

But I've been experimenting with ipp2p and I've yet to get it to detect a single packet as p2p traffic while using a couple different bit torrent clients and emule too. Let me know if you have any success whatsoever.

Ah well, at least I'm learning a thing or two along the way. Learned about spec files in source rpms which if you look in there, yep, I was definitely supposed to apply all the patches in the iptables source rpm file, not just the 1.2.11 patches. I did it almost the same as you..

patch -p1 -d iptables-1.2.11 < iptables-1.2.8-nolibnsl.patch
patch -p1 -d iptables-1.2.11 < iptables-1.2.9-netlink.patch
patch -p1 -d iptables-1.2.11 < iptables-1.2.9-selinux.patch
patch -p1 -d iptables-1.2.11 < iptables-1.2.10-counters.patch
patch -p1 -d iptables-1.2.11 < iptables-1.2.11-free.patch
patch -p1 -d iptables-1.2.11 < iptables-1.2.11-cleanup.patch
patch -p1 -d iptables-1.2.11 < iptables-1.2.11-autoload.patch
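
The posts above work out by hand which patches from the source RPM to apply and at which strip level. As an added example (not code from any poster or from the iptables package), this shell function reads a spec file and prints the patch commands its %prep section implies, in order. It assumes the classic `PatchN:` / `%patchN -pX` syntax; `spec_patch_cmds` and `sample_spec` are hypothetical names, and the sample spec is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the patch commands an SRPM spec
# file implies, in %prep order, with the -p level each %patchN line requests.
# Usage: spec_patch_cmds SRCDIR < package.spec
spec_patch_cmds() {
    awk -v dir="$1" '
        # "Patch7: foo.patch" declares which file is patch 7 ("Patch:" is 0)
        tolower($1) ~ /^patch[0-9]*:$/ {
            n = $1; gsub(/[^0-9]/, "", n)
            file[n + 0] = $2
            next
        }
        # "%patch7 -p1 -b .foo" applies it; only -p matters outside rpmbuild
        $1 ~ /^%patch[0-9]*$/ {
            n = $1; gsub(/[^0-9]/, "", n); n += 0
            strip = 0    # assumption: rpm uses -p0 when the line has no -p
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^-p[0-9]+$/) strip = substr($i, 3)
                else if ($i == "-p" && i < NF) strip = $(i + 1)
            }
            if (!(n in file)) {
                printf "spec applies undeclared patch %d\n", n > "/dev/stderr"
                bad = 1
                next
            }
            printf "patch -p%s -d %s < %s\n", strip, dir, file[n]
            used[n] = 1
        }
        END {
            # a declared patch that %prep never applies is worth a look
            for (n in file)
                if (!(n in used)) printf "# declared but not applied: %s\n", file[n]
            exit bad + 0
        }
    '
}

# Constructed sample spec: the patch file names appear in the thread, but the
# patch numbers, order and options here are made up for illustration.
sample_spec() {
    cat <<'EOF'
Name: iptables
Version: 1.2.11
Patch2: iptables-1.2.8-nolibnsl.patch
Patch4: iptables-1.2.9-netlink.patch
Patch9: iptables-1.2.11-free.patch
%prep
%setup -q
%patch4 -p1 -b .netlink
%patch2 -p1 -b .nolibnsl
EOF
}

sample_spec | spec_patch_cmds iptables-1.2.11
```

The function only prints the commands, so they can be read before anything touches the source tree. Because the SRPM in the thread is fetched over plain HTTP, checking it with `rpm -K` before unpacking confirms the package signature and digests.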

Re: iptables header file

Posted: 2006/06/10 18:53:04
by ocntscha
Me again. Just wanted to report back that after fiddling with shorewall some more it turns out the ipp2p module I built as described above is functioning fine after all. So, I guess now I'm stuck having to rebuild the kernel in order to fit in the last piece of the puzzle which is connmark modules.

Re: iptables header file

Posted: 2006/07/17 16:05:48
by ocntscha
Just thought I'd report back. I did eventually get this all working nicely. I was able to recompile the kernel from the source RPM and had to use [url=http://lists.netfilter.org/pipermail/netfilter/2004-December/057375.html]this patch[/url] to get ipt_connmark support.

Re: iptables header file

Posted: 2006/08/09 00:49:10
by dre2004
Hi guys,

Did any of you manage to package this up (RPM) ?