Manual Installation Of IpTables Rope.
- These notes refer only to versions of Rope released before 23/Dec/2005. For later versions, please refer to Building.
- VERSIONS OF ROPE BEFORE 20051223 WORK WITH THE 2.4.x RANGE OF LINUX KERNELS ONLY. IT HAS BEEN DEVELOPED AND TESTED ON VERSIONS 2.4.20 THROUGH 2.4.29. Support for Linux 2.6 is available in versions since 23/Dec/2005 - see Building.
- If you are interested in using "rope" but are not comfortable with compiling your own linux kernel, I am happy to do the work for you for a small fee.
These notes were taken while going through a manual installation on a RedHat 8.0 development machine. This is not how installation will ultimately work (the plan is to use the "proper" iptables patch-o-matic (POM) patching logic), but it lets you get the software installed and running before that logic is ready.
- Get a vanilla linux kernel and kernel-source package and install (I am using RedHat 8.0, kernel 2.4.20-28.8 for this).
- Download the current version of the Rope sources. Note that these are currently changing frequently, so revisit the site often.
Patching The Linux Kernel
The following edits need to be made in the kernel tree (probably something like /usr/src/linux-2.4)...
net/ipv4/netfilter/Config.in (versions before 20050101)
For versions of the software dated before January 1st, 2005:
Add a line referring to ROPE in the same style as, and directly after, the line referring to LENGTH. The easiest way is to duplicate the LENGTH line and then replace both instances of the word "LENGTH" in the copy with "ROPE". The new line and its neighbours look something like this (depending on which other modules you have enabled):
dep_tristate ' AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES
dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate ' ROPE match support' CONFIG_IP_NF_MATCH_ROPE $CONFIG_IP_NF_IPTABLES
dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
net/ipv4/netfilter/Config.in (versions after 20050101)
For versions of the software dated after January 1st, 2005:
Copy the contents of the file Config.in.fragment (shipped with the Rope release) into Config.in directly after the line referring to LENGTH. The new lines and their neighbours look something like this (depending on which other modules you have enabled and the version of Rope you are using):
dep_tristate ' AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES
dep_tristate ' LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate ' Rope match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_ROPE $CONFIG_IP_NF_IPTABLES
if [ "$CONFIG_IP_NF_MATCH_ROPE" != "n" ]; then
   int ' ROPE: Number of global registers' CONFIG_ROPE_NUM_GREGS 20
   int ' ROPE: Number of scripts' CONFIG_ROPE_NUM_SCRIPTS 50
   int ' ROPE: Stack size (number of items)' CONFIG_ROPE_STACK_SIZE 20
   int ' ROPE: Jotter size (bytes)' CONFIG_ROPE_JOTTER_SIZE 2048
   int ' ROPE: Max actions per script execution ($max_actions)' CONFIG_ROPE_MAX_ACTIONS 1000
   int ' ROPE: Default max iterations per "while" loop' CONFIG_ROPE_MAX_WHILE_LOOPS 100
   int ' ROPE: Default max iterations per "repeat" loop' CONFIG_ROPE_MAX_REPEAT_LOOPS 100
   int ' ROPE: Max "expect_one" blocks' CONFIG_ROPE_MAX_EXPECT_ONE_BLOCKS 30
   int ' ROPE: Max IPSets that can be referred to' CONFIG_ROPE_NUM_IPSETS 20
fi
dep_tristate ' TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
net/ipv4/netfilter/Makefile
Add a line referring to "rope" in the same style as, and directly after, the line referring to "length". The easiest way is to copy the "LENGTH" line and replace "LENGTH" with "ROPE" and "length" with "rope" in the copy. The new line and its neighbours look something like this (depending on which other modules you have enabled):
obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_ROPE) += ipt_rope.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
Add (copy) the following files to the kernel source tree (some files exist only in certain Rope releases):
File name      Target directory                 Versions
rope-enum.h    net/ipv4/netfilter               only if present in release
rope-util.h    net/ipv4/netfilter               only if present in release
ipt_rope.h     include/linux/netfilter_ipv4     only if present in release
In versions without an "ipt_rope.h" file, create an empty include/linux/netfilter_ipv4/ipt_rope.h using the command:
touch include/linux/netfilter_ipv4/ipt_rope.h
By the way - I know that a couple of the .h files are in the wrong place here - I'll sort this out soon.
Finally: edit the top-level kernel Makefile and give EXTRAVERSION some unique string (maybe "-Rope" would do it), so that the new kernel and its modules directory under /lib/modules do not overwrite the distribution's.
Building The Kernel
- It might be a good idea to run "make distclean" in the kernel source tree before starting out [up to you!].
- Copy the relevant config file from /boot into linux-2.4/.config.
- Run "make menuconfig"
- find the ROPE option and turn it on. You'll find this under: Networking options - IP Netfilter Configuration
- Check the tuning parameters available for ROPE in the "make menuconfig" screen and edit them, if you like.
- Consider enabling some other netfilter features that ROPE can make use of, namely...
- IPSets (may need kernel patch)
- Conntrack bytes (may need POM kernel patch)
- Conntrack marking or CONNMARK (may need POM kernel patch)
- Build the kernel, keeping a copy of the output in make.out:
time make dep bzImage modules 2>&1 | tee make.out
- Review make.out for relevant error messages
- run: make modules_install
- run: make install
- reboot with the new kernel to check that it all works.
- Run "uname -a" to verify that it really is the new kernel you are using.
- Try "modprobe ipt_rope" to ensure that the rope module loads into the kernel.
Obtaining The IpTables Source
Download the iptables source corresponding to the version installed by your distro. Alternatively, install the SRPM and run "rpmbuild -bp" on it to unpack the sources with the local OS-specific patches applied. I used this latter approach on my RedHat 8.0 development server, with iptables-1.2.8.
Copy these files from the Rope software into the iptables source tree:
File name      Target                                    Versions
rope.h         extensions                                for version 20050315 and later
rope-enum.h    extensions                                only if present in release
rope-util.h    extensions                                only if present in release
ipt_rope.h     include/linux/netfilter_ipv4              only if present in release
rope-test      extensions, renamed to ".rope-test"       don't miss out that leading full stop!
Give the "extensions/.rope-test" file execute permissions with ..
chmod +x extensions/.rope-test
Edit extensions/Makefile and add the word "rope" to the end of the line that sets the variable PF_EXT_SLIB.
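The kernel-tree edits (Config.in, the netfilter Makefile, ipt_rope.h) and the iptables-tree edits (extensions/Makefile, .rope-test) described above, collected into one script. This is an added example, not Rope's own installer or anything shipped with the Rope release: the function names are mine, the three tree paths are arguments, the tree layouts are assumed to be the ones the notes describe, and copying the remaining files from the two tables is left as a manual step. Each function looks for its anchor line and skips itself when the edit is already present, so the script can safely be re-run on a partly patched tree. Run with --demo to exercise the edits against constructed miniature trees (not real sources) and print the result.

```shell
#!/bin/sh
# Added example, not part of the Rope release: scripts the manual edits from
# the kernel and iptables sections of these notes. Function names and the
# constructed --demo trees are my own; real use is
#   patch-rope.sh KSRC IPTSRC ROPESRC
# where ROPESRC is the unpacked Rope release (layout assumed from the notes).

# Rewrite FILE through a sed SCRIPT without depending on GNU "sed -i".
sed_inplace() {               # sed_inplace SCRIPT FILE
    sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# net/ipv4/netfilter/Config.in: ROPE entries go right after the LENGTH line.
# Releases from 20050101 ship Config.in.fragment, which is spliced in whole;
# older ones get the LENGTH line duplicated with LENGTH -> ROPE.
patch_config_in() {           # patch_config_in CONFIG_IN [FRAGMENT]
    grep -q 'CONFIG_IP_NF_MATCH_ROPE' "$1" && return 0      # already done
    grep -q 'CONFIG_IP_NF_MATCH_LENGTH' "$1" ||
        { echo "no LENGTH line in $1" >&2; return 1; }
    if [ -n "$2" ]; then
        sed_inplace "/CONFIG_IP_NF_MATCH_LENGTH/r $2" "$1"
    else
        sed_inplace '/CONFIG_IP_NF_MATCH_LENGTH/{p;s/LENGTH/ROPE/g;}' "$1"
    fi
}

# net/ipv4/netfilter/Makefile: obj rule for ipt_rope.o after the ipt_length.o one.
patch_netfilter_makefile() {  # patch_netfilter_makefile MAKEFILE
    grep -q 'ipt_rope\.o' "$1" && return 0
    grep -q 'ipt_length\.o' "$1" ||
        { echo "no ipt_length.o rule in $1" >&2; return 1; }
    sed_inplace '/ipt_length\.o/{p;s/LENGTH/ROPE/g;s/length/rope/g;}' "$1"
}

# include/linux/netfilter_ipv4/ipt_rope.h: the release's copy if it has one,
# otherwise the empty file the notes call for.
ensure_ipt_rope_h() {         # ensure_ipt_rope_h ROPESRC KSRC
    dst="$2/include/linux/netfilter_ipv4/ipt_rope.h"
    if [ -f "$1/ipt_rope.h" ]; then cp "$1/ipt_rope.h" "$dst"; else : > "$dst"; fi
}

# iptables extensions/Makefile: append "rope" to the PF_EXT_SLIB assignment
# (the ":=" or "=" line only; any "+=" lines are left alone).
patch_extensions_makefile() { # patch_extensions_makefile MAKEFILE
    grep -Eq '^PF_EXT_SLIB[[:space:]]*:?=.*[[:space:]]rope([[:space:]]|$)' "$1" && return 0
    grep -Eq '^PF_EXT_SLIB[[:space:]]*:?=' "$1" ||
        { echo "no PF_EXT_SLIB assignment in $1" >&2; return 1; }
    sed_inplace '/^PF_EXT_SLIB[[:space:]]*:\{0,1\}=/s/$/ rope/' "$1"
}

# extensions/.rope-test: rope-test from the release, with the leading dot the
# notes insist on, and made executable.
install_rope_test() {         # install_rope_test ROPESRC IPTSRC
    cp "$1/rope-test" "$2/extensions/.rope-test" &&
        chmod +x "$2/extensions/.rope-test"
}

patch_rope_trees() {          # patch_rope_trees KSRC IPTSRC ROPESRC
    frag=""
    [ -f "$3/Config.in.fragment" ] && frag="$3/Config.in.fragment"
    patch_config_in "$1/net/ipv4/netfilter/Config.in" "$frag" &&
    patch_netfilter_makefile "$1/net/ipv4/netfilter/Makefile" &&
    ensure_ipt_rope_h "$3" "$1" &&
    patch_extensions_makefile "$2/extensions/Makefile" &&
    install_rope_test "$3" "$2"
}

# Constructed miniature trees for a dry run: only the anchor lines the edits
# need, modelled on the snippets in the notes. Not real kernel or iptables
# sources, and "rope-test" here is a stand-in, not the release's script.
make_demo_trees() {           # make_demo_trees DIR
    mkdir -p "$1/linux-2.4/net/ipv4/netfilter" \
             "$1/linux-2.4/include/linux/netfilter_ipv4" \
             "$1/iptables/extensions" "$1/rope"
    cat > "$1/linux-2.4/net/ipv4/netfilter/Config.in" <<'EOF'
dep_tristate '  LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate '  TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES
EOF
    cat > "$1/linux-2.4/net/ipv4/netfilter/Makefile" <<'EOF'
obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
EOF
    cat > "$1/iptables/extensions/Makefile" <<'EOF'
PF_EXT_SLIB:=ah length limit ttl
PF_EXT_SLIB+=$(wildcard extensions/.*-test)
EOF
    printf '#!/bin/sh\necho rope\n' > "$1/rope/rope-test"
}

if [ "$1" = "--demo" ]; then
    d=$(mktemp -d) && make_demo_trees "$d" &&
    patch_rope_trees "$d/linux-2.4" "$d/iptables" "$d/rope" &&
    grep -in rope "$d/linux-2.4/net/ipv4/netfilter/Config.in" \
        "$d/linux-2.4/net/ipv4/netfilter/Makefile" "$d/iptables/extensions/Makefile"
elif [ $# -eq 3 ]; then
    patch_rope_trees "$1" "$2" "$3"
fi
```

The "already done" guards matter more than they look: both Makefile edits work by duplicating an existing line, so running the by-hand recipe twice leaves two ipt_rope.o rules and two ROPE entries, and the resulting duplicate-symbol errors surface only at "make bzImage modules". On a real tree, check the result with the same grep the --demo mode uses before starting the build.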
Building The Patched IpTables
- Run "make" and "make install" as directed in the "INSTALL" file of iptables.
- Try "iptables -m rope --help" to verify that the new module is now part of the iptables user-space tool.
Pray, Reboot And Check
If all has gone well, a reboot of the system brings the updated software into memory, including the new iptables Rope module.
- Verify that you are running the correct kernel version using the command:
uname -a
- Verify that the Rope module is loadable using:
modprobe ipt_rope
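The checks in this section, and the "uname -a" step after the kernel build, as one script. This is an added example and not part of the Rope notes or release: expected_release() reads the version fields, including the EXTRAVERSION set in the kernel Makefile earlier, and rope_checks() compares that with the running kernel before trying modprobe and "iptables -m rope --help", so a boot into the old kernel is reported as such rather than as a mysterious modprobe failure. The default kernel tree path is an assumption; pass your own.

```shell
#!/bin/sh
# Added example, not from the Rope notes: post-reboot checks for the build
# above. The default kernel tree path is an assumption; pass your own.

# Print VERSION.PATCHLEVEL.SUBLEVEL with EXTRAVERSION appended, read from a
# kernel top-level Makefile (2.4 Makefiles set each on its own "NAME = value"
# line). This is the release string the build installed its modules under.
expected_release() {      # expected_release KERNEL_MAKEFILE
    awk -F'[[:space:]]*=[[:space:]]*' '
        $1 == "VERSION"      { v = $2 }
        $1 == "PATCHLEVEL"   { p = $2 }
        $1 == "SUBLEVEL"     { s = $2 }
        $1 == "EXTRAVERSION" { e = $2 }
        END { printf "%s.%s.%s%s\n", v, p, s, e }' "$1"
}

# 0 when the running kernel is the one built from the tree, 1 otherwise.
# A mismatch means /lib/modules/$(uname -r) is the old kernel's directory,
# so "modprobe ipt_rope" cannot find the new module.
release_matches() {       # release_matches EXPECTED RUNNING
    [ "$1" = "$2" ]
}

# Live checks, run as root after rebooting into the new kernel.
rope_checks() {           # rope_checks [KSRC]
    ksrc=${1:-/usr/src/linux-2.4}
    want=$(expected_release "$ksrc/Makefile")
    have=$(uname -r)
    release_matches "$want" "$have" ||
        { echo "running $have but the tree builds $want: boot the new kernel" >&2; return 1; }
    modprobe ipt_rope ||
        { echo "ipt_rope did not load; check /lib/modules/$have" >&2; return 1; }
    lsmod | grep -q '^ipt_rope ' ||
        { echo "ipt_rope not listed by lsmod" >&2; return 1; }
    iptables -m rope --help > /dev/null 2>&1 ||
        { echo "iptables cannot load the rope extension" >&2; return 1; }
    echo "ok: $have with ipt_rope loaded and iptables -m rope available"
}

if [ "$1" = "--check" ]; then
    rope_checks "$2"
fi
```

Run it as "sh rope-check.sh --check /usr/src/linux-2.4" (root is needed for modprobe). The release comparison is the part worth keeping even if you drop the rest: with the distribution kernel still selected in the boot loader, "uname -a" looks plausible at a glance, and the failure only shows up when modprobe searches the wrong /lib/modules directory.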