From 87c406c4962ea52f467b9807daf66e3652bd0e9b Mon Sep 17 00:00:00 2001
From: "/C=EU/ST=EU/CN=Jozsef Kadlecsik/emailAddress=kadlec@blackhole.kfki.hu"
Date: Thu, 3 Jul 2008 09:26:50 +0000
Subject: Support statically linked kernel - no need for pom-ng anymore for ipset at all.
---
 Makefile | 20 ++++++---
 README | 24 ++++++++++-
 kernel/Kconfig.ipset | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++
 kernel/Makefile.ipset | 14 ++++++
 kernel/patch_kernel | 41 ++++++++++++++++++
 5 files changed, 209 insertions(+), 6 deletions(-)
 create mode 100644 kernel/Kconfig.ipset
 create mode 100644 kernel/Makefile.ipset
 create mode 100755 kernel/patch_kernel
diff --git a/Makefile b/Makefile
index 253498e..4381422 100644
--- a/Makefile
+++ b/Makefile
@@ -36,20 +36,30 @@ SHARED_LIBS=$(foreach T, $(SETTYPES),libipset_$(T).so)
 INSTALL=$(DESTDIR)$(BINDIR)/ipset $(DESTDIR)$(MANDIR)/man8/ipset.8
 INSTALL+=$(foreach T, $(SETTYPES), $(DESTDIR)$(LIBDIR)/ipset/libipset_$(T).so)
-all: $(PROGRAMS) $(SHARED_LIBS)
- cd kernel; make -C $(KERNEL_DIR) M=`pwd` IP_NF_SET_MAX=$(IP_NF_SET_MAX) IP_NF_SET_HASHSIZE=$(IP_NF_SET_HASHSIZE) modules
+all: binaries modules
 .PHONY: tests
 tests:
 cd tests; ./runtest.sh
-ipset_install: all $(INSTALL)
+binaries: $(PROGRAMS) $(SHARED_LIBS)
+
+binaries_install: binaries $(INSTALL)
+
+patch_kernel:
+ cd kernel; ./patch_kernel $(KERNEL_DIR)
+
+modules:
+ @[ -f $(KERNEL_DIR)/net/ipv4/netfilter/Kconfig ] || (echo "Error: the directory '$(KERNEL_DIR)' doesn't look like a Linux 2.6.x kernel source tree." && exit 1)
+ @[ -f $(KERNEL_DIR)/.config ] || (echo "Error: the kernel source in '$(KERNEL_DIR)' must be configured" && exit 1)
+ @[ -f $(KERNEL_DIR)/Module.symvers ] || echo "Warning: you should run 'make modules' in '$(KERNEL_DIR)' beforehand"
+ cd kernel; make -C $(KERNEL_DIR) M=`pwd` IP_NF_SET_MAX=$(IP_NF_SET_MAX) IP_NF_SET_HASHSIZE=$(IP_NF_SET_HASHSIZE) modules
-modules_install:
+modules_install: modules
 cd kernel; make -C $(KERNEL_DIR) M=`pwd` modules_install
-install: ipset_install modules_install
+install: binaries_install modules_install
 clean: $(EXTRA_CLEANS)
 rm -rf $(PROGRAMS) $(SHARED_LIBS) *.o *~
diff --git a/README b/README
index 5f708d0..a58da3b 100644
--- a/README
+++ b/README
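Review bot: In the new `patch_kernel` target of the top-level Makefile, `cd kernel; ./patch_kernel $(KERNEL_DIR)` chains with `;` and passes the path unquoted, so the second command still runs if `cd` fails and a KERNEL_DIR containing whitespace reaches the script as several arguments; `cd kernel && ./patch_kernel "$(KERNEL_DIR)"` avoids both, and the same applies to the `[ -f $(KERNEL_DIR)/... ]` tests and the `cd kernel; make -C $(KERNEL_DIR)` line in `modules`. That recipe also calls literal `make`, so the kernel build does not take part in `-n` dry runs or the jobserver; `$(MAKE) -C "$(KERNEL_DIR)"` is the usual form. Only `tests` is declared `.PHONY` in the visible lines, so `all`, `binaries`, `binaries_install`, `patch_kernel`, `modules`, `modules_install` and `install` would be treated as up to date if a file of the same name appeared in the top-level directory; the rest of the Makefile is outside the hunk, so a declaration elsewhere cannot be ruled out.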
@@ -22,4 +22,26 @@ This is the ipset source tree. Follow these steps to install ipset:
 # make KERNEL_DIR=<> clean
-That's it!
+That's it!
+
+Read the ipset(8) and iptables(8) manpages on how to use ipset
+and its match and target from iptables.
+
+If you want to build a non-modular kernel, then proceed with the following
+steps:
+
+1. Compile the ipset binaries
+
+ # make KERNEL_DIR=<> binaries
+
+2. Install the ipset binaries
+
+ # make KERNEL_DIR=<> binaries_install
+
+3. Patch your kernel source
+
+ # make KERNEL_DIR=<> patch_kernel
+
+4. Go to the kernel source and run 'make oldconfig', enable the ipset
+ functionality and compile, install your kernel.
+
diff --git a/kernel/Kconfig.ipset b/kernel/Kconfig.ipset
new file mode 100644
index 0000000..2c6022a
--- /dev/null
+++ b/kernel/Kconfig.ipset
@@ -0,0 +1,116 @@
+config IP_NF_SET
+ tristate "IP set support"
+ depends on INET && NETFILTER
+ help
+ This option adds IP set support to the kernel.
+ In order to define and use sets, you need the userspace utility
+ ipset(8).
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_MAX
+ int "Maximum number of IP sets"
+ default 256
+ range 2 65534
+ depends on IP_NF_SET
+ help
+ You can define here default value of the maximum number
+ of IP sets for the kernel.
+
+ The value can be overriden by the 'max_sets' module
+ parameter of the 'ip_set' module.
+
+config IP_NF_SET_HASHSIZE
+ int "Hash size for bindings of IP sets"
+ default 1024
+ depends on IP_NF_SET
+ help
+ You can define here default value of the hash size for
+ bindings of IP sets.
+
+ The value can be overriden by the 'hash_size' module
+ parameter of the 'ip_set' module.
+
+config IP_NF_SET_IPMAP
+ tristate "ipmap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the ipmap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_MACIPMAP
+ tristate "macipmap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the macipmap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_PORTMAP
+ tristate "portmap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the portmap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPHASH
+ tristate "iphash set support"
+ depends on IP_NF_SET
+ help
+ This option adds the iphash set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_NETHASH
+ tristate "nethash set support"
+ depends on IP_NF_SET
+ help
+ This option adds the nethash set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPPORTHASH
+ tristate "ipporthash set support"
+ depends on IP_NF_SET
+ help
+ This option adds the ipporthash set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPTREE
+ tristate "iptree set support"
+ depends on IP_NF_SET
+ help
+ This option adds the iptree set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_SET_IPTREEMAP
+ tristate "iptreemap set support"
+ depends on IP_NF_SET
+ help
+ This option adds the iptreemap set type support.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_MATCH_SET
+ tristate "set match support"
+ depends on IP_NF_SET
+ help
+ Set matching matches against given IP sets.
+ You need the ipset utility to create and set up the sets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config IP_NF_TARGET_SET
+ tristate "SET target support"
+ depends on IP_NF_SET
+ help
+ The SET target makes possible to add/delete entries
+ in IP sets.
+ You need the ipset utility to create and set up the sets.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
diff --git a/kernel/Makefile.ipset b/kernel/Makefile.ipset
new file mode 100644
index 0000000..bb3c131
--- /dev/null
+++ b/kernel/Makefile.ipset
@@ -0,0 +1,14 @@
+# ipset
+obj-$(CONFIG_IP_NF_SET) += ip_set.o
+obj-$(CONFIG_IP_NF_SET_IPMAP) += ip_set_ipmap.o
+obj-$(CONFIG_IP_NF_SET_PORTMAP) += ip_set_portmap.o
+obj-$(CONFIG_IP_NF_SET_MACIPMAP) += ip_set_macipmap.o
+obj-$(CONFIG_IP_NF_SET_IPHASH) += ip_set_iphash.o
+obj-$(CONFIG_IP_NF_SET_NETHASH) += ip_set_nethash.o
+obj-$(CONFIG_IP_NF_SET_IPPORTHASH) += ip_set_ipporthash.o
+obj-$(CONFIG_IP_NF_SET_IPTREE) += ip_set_iptree.o
+obj-$(CONFIG_IP_NF_SET_IPTREEMAP) += ip_set_iptreemap.o
+
+# match and target
+obj-$(CONFIG_IP_NF_MATCH_SET) += ipt_set.o
+obj-$(CONFIG_IP_NF_TARGET_SET) += ipt_SET.o
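Review bot: In kernel/Kconfig.ipset, `IP_NF_SET_HASHSIZE` is a plain `int` with `default 1024` and no `range`, while `IP_NF_SET_MAX` just above it is bounded by `range 2 65534`, so zero or a negative hash size is accepted at configuration time. Whether ip_set.c rejects such a value is not visible in this patch; adding a `range` line with a lower bound of 1 and an upper bound the maintainer is comfortable allocating would keep a bad default out of the build. `IP_NF_MATCH_SET` and `IP_NF_TARGET_SET` depend only on `IP_NF_SET`; if ipt_set.o and ipt_SET.o are iptables extensions, as their names suggest, they presumably also need `IP_NF_IPTABLES`. Both help texts for the two `int` options spell "overridden" as `overriden`.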
diff --git a/kernel/patch_kernel b/kernel/patch_kernel
new file mode 100755
index 0000000..f5b800b
--- /dev/null
+++ b/kernel/patch_kernel
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# set -e
+
+kconfig() {
+ file=$1/net/ipv4/netfilter/Kconfig
+ if [ "`grep 'config IP_NF_SET' $file`" ]; then
+ return
+ fi
+ mv $file $file.orig
+ grep -v endmenu $file.orig > $file
+ cat Kconfig.ipset >> $file
+ echo "endmenu" >> $file
+}
+
+makefile() {
+ file=$1/net/ipv4/netfilter/Makefile
+ if [ "`grep CONFIG_IP_NF_SET $file`" ]; then
+ return
+ fi
+ cp $file $file.orig
+ cat Makefile.ipset >> $file
+}
+
+tree() {
+ cp include/linux/netfilter_ipv4/* $1/include/linux/netfilter_ipv4/
+ cp *.c $1/net/ipv4/netfilter/
+}
+
+if [ -z "$1" ]; then
+ echo "Error: missing kernel directory parameter."
+ exit 1
+fi
+if [ ! -f $1/net/ipv4/netfilter/Kconfig ]; then
+ echo "Error: the directory $1 doesn't look like a Linux 2.6.x kernel source tree."
+ exit 1
+fi
+
+tree $1
+kconfig $1
+makefile $1
--
cgit v1.2.3
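Review bot: Error handling is switched off in kernel/patch_kernel (`# set -e` is commented out) while kconfig() moves the kernel's net/ipv4/netfilter/Kconfig aside and rebuilds it with three separate redirections, so a failed `grep` or `cat` leaves a truncated or missing Kconfig and the script still ends with the status of its last call. Every expansion of `$1` and `$file` is unquoted, so a kernel path containing whitespace is word-split inside `[ ]`, `mv` and `cp`, in a script that overwrites files in the kernel tree. `grep -v endmenu` drops every line containing that word, which is only correct if the target Kconfig holds a single closing `endmenu`; the patch cannot show that. The sketch below enables `set -e`, quotes the paths and builds the new Kconfig beside the original before renaming it into place; makefile(), tree() and the argument checks want the same quoting.

```shell
set -e

kconfig() {
    file="$1/net/ipv4/netfilter/Kconfig"
    if grep -q 'config IP_NF_SET' "$file"; then
        return
    fi
    cp -p "$file" "$file.orig"
    # Assemble the new Kconfig next to the original and rename it into place,
    # so a failed step never leaves the tree without a usable Kconfig.
    {
        grep -v endmenu "$file.orig"
        cat Kconfig.ipset
        echo "endmenu"
    } > "$file.new"
    mv "$file.new" "$file"
}
# … unchanged apart from quoting "$1" and "$file": makefile(), tree(), argument checks, final calls …
```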