124 lines
5.1 KiB
HTML
124 lines
5.1 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Divert Sockets mini-HOWTO: Getting and Compiling the Source Code</TITLE>
|
|
<LINK HREF="Divert-Sockets-mini-HOWTO-6.html" REL=next>
|
|
<LINK HREF="Divert-Sockets-mini-HOWTO-4.html" REL=previous>
|
|
<LINK HREF="Divert-Sockets-mini-HOWTO.html#toc5" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Divert-Sockets-mini-HOWTO-6.html">Next</A>
|
|
<A HREF="Divert-Sockets-mini-HOWTO-4.html">Previous</A>
|
|
<A HREF="Divert-Sockets-mini-HOWTO.html#toc5">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s5">5. Getting and Compiling the Source Code</A></H2>
|
|
|
|
<P>In order to use divert sockets under Linux you will
|
|
need two things - the kernel source code that has been
|
|
patched for divert sockets and the source code to ipchains-1.3.9
|
|
that, also, has been patched to use divert sockets.
|
|
<P>
|
|
<H2><A NAME="ss5.1">5.1 Getting *The Source*</A>
|
|
</H2>
|
|
|
|
<P>
|
|
<A NAME="kernel"></A> Both pieces of source code can be retrieved from the divert socket
|
|
web-site
|
|
<A HREF="http://www.anr.mcnc.org/~divert">http://www.anr.mcnc.org/~divert</A>
|
|
You can get the source code for divert sockets kernel in two
|
|
forms - as a patch to linux-2.2.12 that you have to apply to a
|
|
fresh 2.2.12 source, or as an already patched kernel tarball (much larger
|
|
than the patch). <EM>ipchains</EM> source is provided as complete source
|
|
tarball only.
|
|
<P>
|
|
<H2><A NAME="ss5.2">5.2 Compiling </A>
|
|
</H2>
|
|
|
|
<P>Compiling <EM>ipchains</EM> is straightforward - simply say
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
make
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
in the ipchains-1.3.9 subdirectory.
|
|
<P>
|
|
<P>When compiling the divert-socket kernel - use your favorite way
|
|
of configuring it:
|
|
<BLOCKQUOTE><CODE>
|
|
<PRE>
|
|
make config
|
|
</PRE>
|
|
or
|
|
<PRE>
|
|
make menuconfig
|
|
</PRE>
|
|
or
|
|
<PRE>
|
|
make xconfig
|
|
</PRE>
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
Don't forget to enable "Prompt for development and/or incomplete code/drivers"
|
|
before proceeding. There are only three compile-time options that affect the
|
|
behavior of divert sockets and they are explained in
|
|
the following
|
|
<A HREF="#comp-time">section</A><P>
|
|
<H3><A NAME="comp-time"></A> Kernel compile-time options</H3>
|
|
|
|
<P>In order to enable divert sockets in your kernel you must enable
|
|
firewalling and IP firewalling first. The three kernel compile-time
|
|
options that affect the behavior of divert sockets are:
|
|
<DL>
|
|
<DT><B>IP: divert sockets</B><DD><P>Enables the divert sockets in your kernel.
|
|
<DT><B>IP: divert pass-through</B><DD><P>
|
|
<A NAME="passthru"></A> Changes the behavior of DIVERT rules:
|
|
by default if a DIVERT rule is present in a firewall and no application
|
|
is listening on the port that the rule specifies, any packet that satisfies
|
|
the rule is silently dropped, as if it were a DENY rule.
|
|
<P>Enabling the pass-through mode results in such packets continuing
|
|
their way through the IP stack as if nothing happened. This could be helpful
|
|
if you want to have a static rule in the firewall, but don't always want
|
|
to listen on it.
|
|
<DT><B>IP: always defragment</B><DD><P>Changes the way that the sockets deal with
|
|
fragmentation. By default the divert socket receives individual fragments
|
|
of packets that are larger than MTU, which it then forwards to user space.
|
|
The burden of defragmentation in this case lies with the application listening
|
|
on the divert socket. Also, an application cannot inject any fragments that
|
|
are larger than MTU, because they will be dropped (this is the limitation
|
|
of the kernel, not the divert sockets - Linux kernels up to 2.2.x do NOT
|
|
fragment raw packets with IP_HDRINCL option set). Typically, thats OK,
|
|
since if you simply reinject the fragments the way you received them,
|
|
everything will work fine, since none of them are going to be larger
|
|
than MTU.
|
|
<P>If you enable the <EM>always defragment</EM> option, then all the defragmentation
|
|
will be done for you in the kernel. This severely affects the performance of
|
|
the interception mechanism, since now every large packet you want intercepted
|
|
will first have to be reassembled prior to being forwarded to you, and then,
|
|
if you choose to reinject it - it will have to be fragmented again (the kernel
|
|
with this option will be enabled to fragment raw packets with IP_HDRINCL)
|
|
<P>
|
|
<P>This was the only option available for divert sockets under Linux 2.0.36
|
|
because of the way the firewall code was structured - it only looked at the
|
|
first fragment of every packet and passed all other fragments without looking
|
|
at them. This way, if the first fragment were dropped by the firewall, the
|
|
rest of them would be eventually discarded by the defragmenter. That's why
|
|
in order for DIVERT sockets to work you were forced to compile the <EM>always
|
|
defragment</EM> option in, so that you would always get the whole packet diverted
|
|
to you and not just the first fragment.
|
|
<P>
|
|
<P>In 2.2.12, thanks to changes in the firewall code you now have an option of
|
|
having the kernel or yourself doing fragmentation/defragmentation.
|
|
<P>
|
|
<P><B>NOTE:</B> the defragmentation feature has not been added as of release 1.0.4
|
|
of divert sockets. It is in the works though.
|
|
</DL>
|
|
<P>
|
|
<HR>
|
|
<A HREF="Divert-Sockets-mini-HOWTO-6.html">Next</A>
|
|
<A HREF="Divert-Sockets-mini-HOWTO-4.html">Previous</A>
|
|
<A HREF="Divert-Sockets-mini-HOWTO.html#toc5">Contents</A>
|
|
</BODY>
|
|
</HTML>
|