设为首页收藏本站

LinuxSir.cn,穿越时空的Linuxsir!

 找回密码
 注册
搜索
热搜: shell linux mysql
LinuxSir.cn,穿越时空的Linuxsir!»论坛 运维技术 —— LinuxSir.cn 服务器架设、应用、维护 关于给内核打补丁(如加入ipp2p模块)的注意事项 ...
返回列表 发新帖
查看: 1165|回复: 3

关于给内核打补丁(如加入ipp2p模块)的注意事项

[复制链接]
发表于 2006-11-29 11:40:02 | 显示全部楼层 |阅读模式
最近在探讨打ipp2p补丁时发现的问题,有一些参考的帖子,都是用的05年的补丁,基本的步骤是一样的。

首先,补丁不要去下最新的,新的补丁未必有你需要的东西。

先看一下我的目录结构吧:

  2. debian:/usr/src# ls -l
  3. total 34612
  4. lrwxrwxrwx   1 root src         14 2006-11-29 10:06 iptables -> iptables-1.3.6
  5. drwxr-xr-x   6  500 users     4096 2006-09-29 00:45 iptables-1.3.6
  6. -rw-r--r--   1 root src     185438 2006-09-29 00:45 iptables-1.3.6.tar.bz2
  7. drwxr-xr-x  18 root root      4096 2006-09-07 09:10 kernel-source-2.6.8
  8. -rw-r--r--   1 root root  34880682 2006-09-07 09:12 kernel-source-2.6.8.tar.bz2
  9. lrwxrwxrwx   1 root src         19 2006-11-29 10:04 linux -> kernel-source-2.6.8
  10. drwxr-xr-x   5 5500  5100     4096 2006-07-02 05:55 patch-o-matic-ng-20060701
  11. -rw-r--r--   1 root src     162678 2006-11-29 10:13 patch-o-matic-ng-20060701.tar.bz2
  12. -rw-r--r--   1 root src     142287 2006-11-29 10:03 patch-o-matic-ng-20060808.tar.bz2
复制代码


在这里我使用的是20060701的补丁,用20060808的补丁发现没有ipp2p的模块。

至于补丁中都包含了什么模块,可以在解开补丁包的patchlets中查看,如:

  2. debian:/usr/src/patch-o-matic-ng-20060701/patchlets# ls
  3. config                  ipv4options           rsh
  4. connlimit               IPV4OPTSSTRIP         rtsp-conntrack
  5. conntrack_nonat         layer2-hooks          set
  6. directx8-conntrack-nat  mms-conntrack-nat     sip-conntrack-nat
  7. eggdrop-conntrack       msnp-conntrack-nat    talk-conntrack-nat
  8. IPMARK                  quake3-conntrack-nat  TARPIT
  9. ipp2p                   ROUTE                 time
  10. iprange                 rpc                   u32
复制代码

以上一个目录,对应一个模块。

之后打补丁了。这里没有用extra,而是只把我所需要的模块选上了,connlimit ipp2p iprange time,我只选了这四个,如下:

  2. debian:/usr/src/patch-o-matic-ng-20060701# KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables ./runme connlimit ipp2p iprange time
  3. Loading patchlet definitions....................... done
  4. Welcome to Patch-o-matic ($Revision: 6577 $)!

  6. Kernel:   2.6.8, /usr/src/linux
  7. Iptables: 1.3.6, /usr/src/iptables
  8. Each patch is a new feature: many have minimal impact, some do not.
  9. Almost every one has bugs, so don't apply what you don't need!
  10. -------------------------------------------------------
  11. Already applied:

  13. Testing connlimit... not applied
  14. The connlimit patch:
  15.    Author: Gerd Knorr <kraxel@bytesex.org>
  16.    Status: ItWorksForMe[tm]

  18. This adds an iptables match which allows you to restrict the
  19. number of parallel TCP connections to a server per client IP address
  20. (or address block).

  22. Examples:

  24. # allow 2 telnet connections per client host
  25. iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

  27. # you can also match the other way around:
  28. iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

  30. # limit the nr of parallel http requests to 16 per class C sized
  31. # network (24 bit netmask)
  32. iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
  33.         --connlimit-mask 24 -j REJECT
  34. -----------------------------------------------------------------
  35. Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
  36. Welcome to Patch-o-matic ($Revision: 6577 $)!

  38. Kernel:   2.6.8, /usr/src/linux
  39. Iptables: 1.3.6, /usr/src/iptables
  40. Each patch is a new feature: many have minimal impact, some do not.
  41. Almost every one has bugs, so don't apply what you don't need!
  42. -------------------------------------------------------
  43. Already applied: connlimit

  45. Testing ipp2p... not applied
  46. The ipp2p patch:
  47.    Author: Eicke Friedrich <ipp2p@ipp2p.org>
  48.    Status: Stable

  50. This option makes possible to match some P2P packets
  51. therefore helps controlling such traffic. Dropping all
  52. matches prohibits P2P networks. Combined with conntrack,
  53. CONNMARK and a packet scheduler it can be used for
  54. accounting or shaping of P2P traffic.

  56. Examples:
  57. iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
  58. iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
  59. iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
  60. -----------------------------------------------------------------
  61. Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
  62. Welcome to Patch-o-matic ($Revision: 6577 $)!

  64. Kernel:   2.6.8, /usr/src/linux
  65. Iptables: 1.3.6, /usr/src/iptables
  66. Each patch is a new feature: many have minimal impact, some do not.
  67. Almost every one has bugs, so don't apply what you don't need!
  68. -------------------------------------------------------
  69. Already applied: connlimit ipp2p

  71. Testing iprange... applied
  72. Welcome to Patch-o-matic ($Revision: 6577 $)!

  74. Kernel:   2.6.8, /usr/src/linux
  75. Iptables: 1.3.6, /usr/src/iptables
  76. Each patch is a new feature: many have minimal impact, some do not.
  77. Almost every one has bugs, so don't apply what you don't need!
  78. -------------------------------------------------------
  79. Already applied: connlimit ipp2p iprange

  81. Testing time... not applied
  82. The time patch:
  83.    Author: Fabrice MARIE <fabrice@netfilter.org>
  84.    Status: Works within it's limitations


  87. This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
  88. This match allows you to filter based on the packet arrival time/date
  89. (arrival time/date at the machine which the netfilter is running on) or
  90. departure time/date (for locally generated packets).

  92. Supported options are:
  93. [ --timestart value ]
  94.     Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).

  96. [ --timestop  value ]
  97.     Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).

  99. [ --days listofdays ]
  100.     Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default

  102. everyday)

  104. [ --datestart date ]
  105.     Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
  106.     h,m,s start from 0 ; default to 1970)

  108. [ --datestop date ]
  109.     Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]]
  110.     h,m,s start from 0 ; default to 2037)

  112. Example:
  113.   -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
  114.   will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday
  115.   to Friday.

  117.   -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
  118.   will match the packets (locally generated) that have a departure timestamp
  119.   in the range 8:00->18:00 on Monday only, until 2010

  121. NOTE: the time match does not track changes in daylight savings time
  122. -----------------------------------------------------------------
  123. Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

  125. Excellent! Source trees are ready for compilation.

  127. Recompile the kernel image (if there are non-modular netfilter modules).
  128. Recompile the netfilter kernel modules.
  129. Recompile the iptables binaries.
复制代码


回答y就应用补丁了,看到最下面的信息,证明需要的补丁已经打上了。

后面的编译过程我就不做了。
回复

使用道具 举报

发表于 2006-11-30 10:55:12 | 显示全部楼层
很有参考价值,

BTW,我在kernel 下2.6.9给内核打mppc补丁时总是 patch 不成功,郁闷至极
回复 支持 反对

使用道具 举报

 楼主| 发表于 2006-11-30 12:14:07 | 显示全部楼层
打mppc的补丁我没有做过,不太清楚,我认为你选择的补丁要与内核版本一至,最好把你的出错信息发上来,让大家帮你看看,光说不成功,别人也不知道你问题出在哪里?
回复 支持 反对

使用道具 举报

发表于 2006-11-30 21:24:43 | 显示全部楼层
谢谢KING兄关心,

问题找出来了,CentOS 4.4系统,在系统自带的内核源文件下patch提示找到到xxx.c源文件,后在kernel.org中下载相关版的内核,并patch、编译成功了!!

谢谢!
回复 支持 反对

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则

快速回复 返回顶部 返回列表