Linux - Security: This forum is for all security related questions.
[root@jin iptables-1.2.9]# make KERNEL_DIR=/usr/src/linux-2.6.5-1.358
In file included from /usr/src/linux-2.6.5-1.358/include/linux/netfilter_ipv4.h:8,
from /usr/src/linux-2.6.5-1.358/include/linux/netfilter_ipv4/ip_tables.h:25,
from include/libiptc/libiptc.h:6,
from include/iptables.h:5,
from extensions/libipt_layer7.c:26:
/usr/src/linux-2.6.5-1.358/include/linux/config.h:6:2: #error including kernel header in userspace; use the glibc headers instead!
Extensions found: IPv4:layer7 IPv4:recent IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header IPv6:hbh IPv6:dst IPv6:rt
cc -O2 -Wall -Wunused -I/usr/src/linux-2.6.5-1.358/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.9\" -fPIC -o extensions/libipt_layer7_sh.o -c extensions/libipt_layer7.c
In file included from /usr/src/linux-2.6.5-1.358/include/linux/netfilter_ipv4.h:8,
from /usr/src/linux-2.6.5-1.358/include/linux/netfilter_ipv4/ip_tables.h:25,
from include/libiptc/libiptc.h:6,
from include/iptables.h:5,
from extensions/libipt_layer7.c:26:
/usr/src/linux-2.6.5-1.358/include/linux/config.h:6:2: #error including kernel header in userspace; use the glibc headers instead!
make: *** [extensions/libipt_layer7_sh.o] Error 1
[root@jin iptables-1.2.9]# make install KERNEL_DIR=/usr/src/linux-2.6.5-1.358
cc -O2 -Wall -Wunused -I/usr/src/linux-2.6.5-1.358/include -Iinclude/ -DIPTABLES_VERSION=\"1.2.9\" -fPIC -o extensions/libipt_layer7_sh.o -c extensions/libipt_layer7.c
In file included from /usr/src/linux-2.6.5-1.358/include/linux/netfilter_ipv4.h:8,
from /usr/src/linux-2.6.5-1.358/include/linux/netfilter_ipv4/ip_tables.h:25,
from include/libiptc/libiptc.h:6,
from include/iptables.h:5,
from extensions/libipt_layer7.c:26:
/usr/src/linux-2.6.5-1.358/include/linux/config.h:6:2: #error including kernel header in userspace; use the glibc headers instead!
make: *** [extensions/libipt_layer7_sh.o] Error 1
[root@jin weejin]# ./bandwidthSc4.sh
stopping tc for eth0 failed (was probably already stopped)
stopping tc for eth1 failed (was probably already stopped)
Packets matching "port = 80" will be shaped to 40kbps.
Packets matching "layer7 = ftp" will be shaped to 20kbps.
iptables v1.2.11: Couldn't load match `layer7':/usr/local/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
[ip|eb]tables failed at line 110
tc has now stopped for eth0
tc has now stopped for eth1
May I know what error that is, and what I can do to solve this problem?
Thanks...
//Mod note: In the future, please do not post a new thread asking the same question. If your thread hasn't been replied to, please wait at least 24 hours and then just reply to your own thread (aka "bumping it"). Thanks.
Last edited by Capt_Caveman; 01-14-2005 at 10:11 PM.
I think I see what's wrong. After you patch the kernel source, you need to actually compile the kernel before patching and building netfilter. If you don't, then it can't find the proper kernel headers and you get those weird errors about kernel headers in userland. So make sure that you are doing the following:
1. Download kernel source
- make sure that it's kernel source not a precompiled binary or rpm
2. Unpack kernel
3. Patch kernel source using the kernel-layer7 patch
- if you are using a kernel earlier than 2.6.9, you need to use the old patches
4. Compile kernel
- configure kernel using make menuconfig or make xconfig (make sure to select layer7 options)
- make kernel and modules and install
5. Patch Netfilter with the iptables-layer7 patch
6. Make extensions/.layer7-test executable
7. Compile netfilter with KERNEL_DIR set to the path of the kernel dir you built in step 4
That protocol worked for me and the only way I could duplicate the kernel headers in userspace error was by not building the kernel before you try and compile the patched netfilter. If that isn't the cause, you might want to email the layer7 maintainer or send a msg to their mailing list (?)
Last edited by Capt_Caveman; 01-16-2005 at 03:02 AM.
First of all... THANKS to Capt_Caveman, because the previous problem was solved.
Now I have the following question.
[root@jin weejin]# ./bandwidthSc4.sh
stopping tc for eth0 failed (was probably already stopped)
stopping tc for eth1 failed (was probably already stopped)
Packets matching "port = 80" will be shaped to 1kbps.
Packets matching "layer7 = ftp" will be shaped to 20kbps.
iptables: No chain/target/match by that name
[ip|eb]tables failed at line 110
tc has now stopped for eth0
tc has now stopped for eth1
Why does this kind of problem occur? No chain/target/match by that name
I have copied the protocol definitions to etc/l7-protocols.
What error is that?
[ip|eb]tables failed at line 110
One more thing...
Why can other people see this kind of message when they type tail -f /var/log/messages,
but I can't see it? (I am in bridging mode already.)
I can only see the following after I run the tail -f /var/log/messages command.
Jan 16 17:15:36 jin xinetd: xinetd shutdown failed
Jan 16 17:15:36 jin acpid: acpid shutdown succeeded
Jan 16 17:15:36 jin crond: crond shutdown succeeded
Jan 16 17:15:36 jin dd: 1+0 records in
Jan 16 17:15:36 jin dd: 1+0 records out
Jan 16 17:15:36 jin random: Saving random seed: succeeded
Jan 16 17:15:36 jin nfslock: rpc.statd shutdown succeeded
Jan 16 17:15:37 jin portmap: portmap shutdown succeeded
Jan 16 17:15:38 jin syslog: klogd shutdown succeeded
Jan 16 17:15:38 jin syslogd: exiting on signal 15
You shouldn't need to. In the 2.6 kernel series, running 'make install' will perform all those actions (copy kernel bzimage and new system.map to /boot , mkinitrd, etc). So you should normally just need to:
Configure new kernel (make menuconfig or make xconfig)
Compile kernel (make or make bzimage)
Install modules (make modules_install)
Install new kernel, system.map, initrd (make install)
Thanks for giving me so much useful information...
Now, how about the previous message I posted?
Why does this kind of problem occur?
iptables: No chain/target/match by that name
[ip|eb]tables failed at line 110
Is it something wrong with my l7-protocols?
I copied all the protocols to etc/l7protocol.
Originally posted by joirnange:
iptables: No chain/target/match by that name
[ip|eb]tables failed at line 110
what error is that??
I assume it's failing here:
if [ $type = "layer7" ]; then
iptables -t mangle -A POSTROUTING -m layer7 --l7proto $arg -j MARK --set-mark $n
which likely means the -m layer7 --l7proto $arg is not being recognized. During the kernel config process (make menuconfig / make xconfig), did you select each of the required Netfilter options:
Quote:
Enable EXPERIMENTAL (Code maturity level options → Prompt for development and/or incomplete code/drivers).
Enable Netfilter (Device Drivers → Networking support → Networking Options → Network packet filtering). Then enable connection tracking (Network packet filtering → IP: Netfilter Configuration → Connection tracking). On that screen, also enable "Connection tracking flow accounting" and "IP tables support".
Enable "Layer 7 match support".
If not, then you will need to recompile the kernel with all the above options selected.
You could also be getting that error if you did not perform 'make install' after compiling iptables with the netfilter-layer7 patch.
One more thing...
Why can other people see this kind of message when they type tail -f /var/log/messages,
but I can't see it? (I am in bridging mode already.)
Enable EXPERIMENTAL (Code maturity level options → Prompt for development and/or incomplete code/drivers).
Enable Netfilter (Device Drivers → Networking support → Networking Options → Network packet filtering). Then enable connection tracking (Network packet filtering → IP: Netfilter Configuration → Connection tracking). On that screen, also enable "Connection tracking flow accounting" and "IP tables support".
Enable "Layer 7 match support".
Then make, followed by make modules, then make modules_install.
For iptables:
I have done this:
patch -p1 <iptableLayer7.patch
make KERNEL_DIR=/home/joirnange/linux2.6.10
make install KERNEL_DIR=/home/joirnange/linux2.6.10
That's all I did for iptables.
Then I copied the protocols to etc/l7protocols.
HOW DO I INSTALL THE PROTOCOLS?
WHAT SHOULD I DO AFTER DOWNLOADING THE PROTOCOLS?
It only says:
Uncompress the "Protocol Definitions" package and make the resulting directory /etc/l7-protocols
If that is correct, try troubleshooting step-by-step:
First just try using a single iptables rule that uses the l7 match, like this:
iptables -t mangle -A POSTROUTING -m layer7 --l7proto http -j ACCEPT
If you get the error "Couldn't find a pattern definition file for http", then the protocols aren't in the proper place.
If you get a "chain/target/match not found" then there is something wrong with the kernel or iptables. In that case, you may not have booted into the new kernel (try uname -a to see what you are currently in). The kernel make install process doesn't install the new kernel as the default.
If you get the error "/usr/local/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory" then there is a problem with the iptables install process. Verify that /usr/local/lib/iptables/libipt_layer7.so exists.
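The build sequence and the step-by-step troubleshooting above, as an added diagnostic script (not from the thread or the l7-filter project). It assumes the install paths named in its header comment, that the kernel patch adds a `layer7` member to struct ip_conntrack in include/linux/netfilter_ipv4/ip_conntrack.h, and that the menuconfig option is CONFIG_IP_NF_MATCH_LAYER7; adjust if your patch differs.

```shell
#!/bin/sh
# Added diagnostic for the layer7 build chain discussed in this thread (not from
# the thread or the l7-filter project). Assumed paths, overridable via environment:
#   IPT_LIB_DIR   where the patched iptables installed libipt_layer7.so
#   L7_PROTO_DIR  where the *.pat protocol definitions were unpacked
#   MOD_DIR       module tree of the kernel that is actually running
# The conntrack header path and the CONFIG_IP_NF_MATCH_LAYER7 symbol are assumed
# names for what the kernel patch adds.

# Map an iptables error string to the cause listed in the thread's troubleshooting steps.
classify_l7_error() {
    case "$1" in
        *"Couldn't find a pattern definition file"*) echo "patterns-not-in-/etc/l7-protocols" ;;
        *"No chain/target/match by that name"*)      echo "kernel-lacks-layer7-match" ;;
        *"cannot open shared object file"*)          echo "iptables-layer7-lib-not-installed" ;;
        *)                                           echo "unknown" ;;
    esac
}

# Check a kernel tree before building: was the layer7 patch applied, and was the
# option selected in menuconfig/xconfig? Returns the number of failed checks.
check_kernel_tree() {
    kdir=$1; fails=0
    hdr="$kdir/include/linux/netfilter_ipv4/ip_conntrack.h"
    if grep -q layer7 "$hdr" 2>/dev/null; then
        echo "ok   conntrack header mentions layer7 (patch applied)"
    else
        echo "FAIL no layer7 member in $hdr: patch not applied, or wrong patch for this kernel version"
        fails=$((fails + 1))
    fi
    if grep -Eq '^CONFIG_IP_NF_MATCH_LAYER7=(y|m)' "$kdir/.config" 2>/dev/null; then
        echo "ok   CONFIG_IP_NF_MATCH_LAYER7 enabled in .config"
    else
        echo "FAIL CONFIG_IP_NF_MATCH_LAYER7 not set: select Layer 7 match support and rebuild"
        fails=$((fails + 1))
    fi
    return $fails
}

# Check the installed pieces on the running system, one per error case in the
# thread. Needs no root and no iptables binary. Returns the number of failed checks.
check_l7_runtime() {
    fails=0
    lib="${IPT_LIB_DIR:-/usr/local/lib/iptables}/libipt_layer7.so"
    if [ -f "$lib" ]; then echo "ok   $lib"
    else echo "FAIL $lib missing: run 'make install' in the patched iptables"; fails=$((fails + 1)); fi
    pdir="${L7_PROTO_DIR:-/etc/l7-protocols}"
    if find "$pdir" -name 'http.pat' 2>/dev/null | grep -q .; then echo "ok   pattern files under $pdir"
    else echo "FAIL no http.pat under $pdir: the unpacked directory must be /etc/l7-protocols"; fails=$((fails + 1)); fi
    mdir="${MOD_DIR:-/lib/modules/$(uname -r)}"
    if find "$mdir" -name 'ipt_layer7.ko' 2>/dev/null | grep -q .; then echo "ok   ipt_layer7.ko present for the running kernel"
    else echo "FAIL no ipt_layer7.ko under $mdir: probably booted the old kernel (check uname -r)"; fails=$((fails + 1)); fi
    return $fails
}
```

Run `check_kernel_tree /path/to/patched/linux` before `make`, and `check_l7_runtime` after rebooting into the new kernel and installing iptables; each FAIL line names the thread's fix for that case.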
Yep, looks like it's booting the wrong kernel. If you didn't get any error messages during the 'make install' process, then you just may need to select the proper kernel during the boot process. When you reboot, there should be an option for the 2.6.5-1.358 kernel in the grub or lilo menu, make sure that it is selected. If you don't see that option, then take a look at /etc/grub.conf or /etc/lilo.conf and make sure that the new kernel is being added.
As a side note, why aren't you using a more recent kernel? There have been several kernel bugs identified in the last few weeks, so you should be using something newer or at least patching those bugs.
I get this error when I try to make install again...
[root@jin linux-2.6.10]# make install
CHK include/linux/version.h
make[1]: `arch/i386/kernel/asm-offsets.s' is up to date.
CHK include/linux/compile.h
CHK usr/initramfs_list
CC net/ipv4/netfilter/ipt_layer7.o
net/ipv4/netfilter/ipt_layer7.c: In function `match_no_append':
net/ipv4/netfilter/ipt_layer7.c:243: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:257: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:258: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:263: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:264: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:268: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:269: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:270: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:276: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c: In function `add_data':
net/ipv4/netfilter/ipt_layer7.c:290: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:297: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:304: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:305: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c: In function `match':
net/ipv4/netfilter/ipt_layer7.c:358: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:364: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:365: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:366: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:372: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:377: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:378: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:390: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:407: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:414: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:415: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:421: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c: At top level:
net/ipv4/netfilter/ipt_layer7.c:441: warning: initialization from incompatible pointer type
make[3]: *** [net/ipv4/netfilter/ipt_layer7.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2
What errors are those?
How do I solve them?
Thanks....
Are you using the correct layer7 patch? If you are using a kernel older than 2.6.9 (which you were using) you need to use the kernel-2.6-layer7-0.9.1.patch from the "for_older_kernels" directory. Since you are now using 2.6.10, then you need to patch with kernel-2.6-layer7-1.0.patch. Also make sure that you've configured it properly in menuconfig/xconfig (maybe you forgot to enable the layer7 option). If you've done all that, then I don't know what the problem is. 2.6.10 does compile and work properly with the layer7 patches, so you need to go through all the instructions properly and make sure you are doing everything correctly.
Last edited by Capt_Caveman; 01-17-2005 at 08:35 AM.
Is it that I have to create a chain in iptables?
This is what my friend told me... Now I have downloaded the kernel-2.6-layer7-1.0.patch and run "make"....
But the error is the same.....
[root@jin linux-2.6.10]# make
CHK include/linux/version.h
SPLIT include/linux/autoconf.h -> include/config/*
make[1]: `arch/i386/kernel/asm-offsets.s' is up to date.
CHK include/linux/compile.h
CHK usr/initramfs_list
CC net/ipv4/netfilter/ip_conntrack_standalone.o
CC net/ipv4/netfilter/ip_conntrack_core.o
CC net/ipv4/netfilter/ip_conntrack_proto_generic.o
CC net/ipv4/netfilter/ip_conntrack_proto_tcp.o
CC net/ipv4/netfilter/ip_conntrack_proto_udp.o
CC net/ipv4/netfilter/ip_conntrack_proto_icmp.o
LD net/ipv4/netfilter/ip_conntrack.o
CC net/ipv4/netfilter/ip_conntrack_ftp.o
CC net/ipv4/netfilter/iptable_filter.o
CC net/ipv4/netfilter/ipt_mark.o
CC net/ipv4/netfilter/ipt_pkttype.o
CC net/ipv4/netfilter/ipt_addrtype.o
CC net/ipv4/netfilter/ipt_layer7.o
net/ipv4/netfilter/ipt_layer7.c: In function `match_no_append':
net/ipv4/netfilter/ipt_layer7.c:243: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:257: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:258: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:263: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:264: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:268: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:269: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:270: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:276: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c: In function `add_data':
net/ipv4/netfilter/ipt_layer7.c:290: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:297: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:304: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:305: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c: In function `match':
net/ipv4/netfilter/ipt_layer7.c:358: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:364: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:365: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:366: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:372: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:377: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:378: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:390: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:407: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:414: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:415: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c:421: error: structure has no member named `layer7'
net/ipv4/netfilter/ipt_layer7.c: At top level:
net/ipv4/netfilter/ipt_layer7.c:441: warning: initialization from incompatible pointer type
make[3]: *** [net/ipv4/netfilter/ipt_layer7.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2
I have downloaded patch-2.6.10.bz2 and patched the kernel,
but is there any way to skip answering all those questions? (There are a lot of questions.)