* Can I add a module to a prebuilt kernel?
From: Jeff Gordon @ 2004-06-02 7:38 UTC (permalink / raw)
To: netfilter
Forgive me if this is a frequent or recent question -- I've searched
various places and haven't found the answer, thus far. I program in
Perl but not in C/C++.
I'm running a RH ES 3 system, and it appears _support_ for ipt_recent
is included in the kernel but libipt_recent.so is nowhere to be found.
Kernel source for the prebuilt kernel in the distribution is available.
Is there a simple way to build ipt_recent from source and have it
function with this kernel, without compiling a kernel from scratch?
Thanks kindly,
--
-- Jeff -- <http://www.wellnow.com>
"There's nothing left in the world to prove. All that's worth doing
is to love one another, using whatever means are available to serve."
* Re: Can I add a module to a prebuilt kernel?
From: Jeff Gordon @ 2004-06-02 19:06 UTC (permalink / raw)
To: netfilter
On Wed, Jun 02, 2004 at 07:09:06PM +0200, Florian Boelstler wrote:
> Hi,
>
> Jeff Gordon wrote:
> > I'm running a RH ES 3 system, and it appears _support_ for ipt_recent
> > is included in the kernel but libipt_recent.so is nowhere to be found.
> > Kernel source for the prebuilt kernel in the distribution is available.
>
> In general, if a kernel feature is built into the kernel there is no
> corresponding module file, because the functionality is already in the kernel.
(Thanks, Florian. :-) Here's what I'm seeing:
- If I do 'modprobe ipt_recent' and then 'lsmod |grep ip',
I see 'ipt_recent' at the top of the listing.
- However, if I then add a rule with '-m recent' in it,
iptables complains it can't find libipt_recent.so.
> > Is there a simple way to build ipt_recent from source and have it
> > function with this kernel, without compiling a kernel from scratch?
>
> I never tried it, but if you have an appropriate kernel config for your
> running kernel you could start by "make modules && make modules_install"
> (for the 2.4.x series)
>
> This only works of course if
> - you just miss the module file
> - it is _not_ built into the kernel
> - and your kernel is prepared to load that feature through a module
I guess I don't know. :-) The result of 'modprobe' seems to suggest
the kernel understands what I'm saying -- but iptables expects to find
a loadable file that isn't present. Should I be thinking of leaving the
kernel as-is and compiling iptables itself from scratch...? Details:
iptables v1.2.8
/lib/modules/2.4.21-15.ELsmp/kernel/net/ipv4/netfilter/ipt_recent.o
...but no /lib/iptables/libipt_recent.so
> Good luck,
(Thanks. :-)
--
-- Jeff -- <http://www.wellnow.com>
"There's nothing left in the world to prove. All that's worth doing
is to love one another, using whatever means are available to serve."
* Re: Can I add a module to a prebuilt kernel?
From: Martin Stricker @ 2004-06-02 21:04 UTC (permalink / raw)
To: netfilter
Jeff Gordon wrote:
> I'm running a RH ES 3 system, and it appears _support_ for ipt_recent
> is included in the kernel but libipt_recent.so is nowhere to be
> found. Kernel source for the prebuilt kernel in the distribution is
> available.
>
> Is there a simple way to build ipt_recent from source and have it
> function with this kernel, without compiling a kernel from scratch?
Yes. You can use the module from another computer, given it was compiled
for the exact same kernel version, using the same compiler and
compiler flags.
Usually, on a given system, all you have to do is make config or make
menuconfig, add the module you want as a module (M), end the kernel
configuration, and do a make modules (maybe also a make modules_install,
but maybe you would rather copy the module by hand and add it to
modules.conf).
Best regards,
Martin Stricker
--
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/
* Re: Can I add a module to a prebuilt kernel?
From: Florian Boelstler @ 2004-06-02 22:13 UTC (permalink / raw)
To: netfilter
Hi,
Jeff Gordon wrote:
>> I'm running a RH ES 3 system, and it appears _support_ for ipt_recent
>> is included in the kernel but libipt_recent.so is nowhere to be found.
>> Kernel source for the prebuilt kernel in the distribution is available.
In general, if a kernel feature is built into the kernel there is no
corresponding module file, because the functionality is already in the kernel.
>> Is there a simple way to build ipt_recent from source and have it
>> function with this kernel, without compiling a kernel from scratch?
I never tried it, but if you have an appropriate kernel config for your
running kernel you could start by "make modules && make modules_install"
(for the 2.4.x series)
This only works of course if
- you just miss the module file
- it is _not_ built into the kernel
- and your kernel is prepared to load that feature through a module
Good luck,
Florian
--
Public PGP key is available on common key servers.
* Re: Can I add a module to a prebuilt kernel?
From: Jozsef Kadlecsik @ 2004-06-03 7:52 UTC (permalink / raw)
To: Jeff Gordon; +Cc: netfilter
On Wed, 2 Jun 2004, Jeff Gordon wrote:
> > Jeff Gordon wrote:
> > > I'm running a RH ES 3 system, and it appears _support_ for ipt_recent
> > > is included in the kernel but libipt_recent.so is nowhere to be found.
> > > Kernel source for the prebuilt kernel in the distribution is available.
> >
> > In general, if a kernel feature is built into the kernel there is no
> > corresponding module file, because the functionality is already in the kernel.
>
> - If I do 'modprobe ipt_recent' and then 'lsmod |grep ip',
> I see 'ipt_recent' at the top of the listing.
>
> - However, if I then add a rule with '-m recent' in it,
> iptables complains it can't find libipt_recent.so.
That's the iptables shared library for the recent match, which is missing from
your system. In other words, the iptables binary lacks recent match
support and thus you cannot use the feature available in the kernel.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Can I add a module to a prebuilt kernel?
From: Jeff Gordon @ 2004-06-03 21:01 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
(Thanks, Jozsef. :-)
So I obtained the iptables-1.2.9 source package and compiled it.
On 'make install', however, I found libipt_recent.so was NOT placed into
the loadable modules directory...!
I don't know if that has something to do with its being a RedHat
system, or if it's something omitted from iptables' own config or
Makefile. Either way -- I moved it there manually, and things appear
to be working as intended, now. :-)
Thanks kindly to the several folks who offered thoughts and assistance
on this. I'll come back in a separate message with a question about
using either '--limit' or '-m recent' to address SYN floods.
-- Jeff --
On Thu, Jun 03, 2004 at 09:52:26AM +0200, Jozsef Kadlecsik wrote:
> On Wed, 2 Jun 2004, Jeff Gordon wrote:
>
> > > Jeff Gordon wrote:
> > > > I'm running a RH ES 3 system, and it appears _support_ for ipt_recent
> > > > is included in the kernel but libipt_recent.so is nowhere to be found.
> > > > Kernel source for the prebuilt kernel in the distribution is available.
> > >
> > > In general, if a kernel feature is built into the kernel there is no
> > > corresponding module file, because the functionality is already in the kernel.
> >
> > - If I do 'modprobe ipt_recent' and then 'lsmod |grep ip',
> > I see 'ipt_recent' at the top of the listing.
> >
> > - However, if I then add a rule with '-m recent' in it,
> > iptables complains it can't find libipt_recent.so.
>
> That's the iptables shared library for the recent match, which is missing from
> your system. In other words, the iptables binary lacks recent match
> support and thus you cannot use the feature available in the kernel.
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
>
>
>
--
-- Jeff -- <http://www.wellnow.com>
"There's nothing left in the world to prove. All that's worth doing
is to love one another, using whatever means are available to serve."
* Best defense for syn-floods...?
From: Jeff Gordon @ 2004-06-03 21:16 UTC (permalink / raw)
To: netfilter
Now that I've got ipt_recent installed and running, I'd be grateful for
comments or rule samples that could work best to ameliorate syn-floods.
(The site I'm working on has been the target of moderate-to-large-sized
syn-floods for a few months now, ongoing.)
I've been using this approach:
-N syn-flood
-A syn-flood -m limit --limit 6/s --limit-burst 10 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN-FLOOD: "
-A syn-flood -j DROP
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --syn -j syn-flood
...and, on the high-traffic site involved, have had occasions when the
machine became unreachable, the server load being too high.
Someone suggested ipt_recent could handle this matter more accurately.
I found a rule on the web that someone was using, and tried that a few
minutes ago, with this approach:
-N syn-flood
-A syn-flood -j LOG --log-prefix "SYN-FLOOD: "
-A syn-flood -j DROP
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --syn -m recent --hitcount 10 --update \
--seconds 60 -j syn-flood
...but very soon _no one_ could get a server connection with that.
My 'mental model' of how ipt_recent is working must not be correct --
at least, I don't understand why the '--limit' ruleset seems to allow
normal traffic under most conditions but the '-m recent' rule kept
normal users from getting in, just a few minutes ago.
If anyone knows what I'm missing in my understanding of this, or has a
ruleset that works well to ameliorate syn-flooding, please let me know.
Thanks kindly,
--
-- Jeff -- <http://www.wellnow.com>
"There's nothing left in the world to prove. All that's worth doing
is to love one another, using whatever means are available to serve."
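As an added model (my code, not from the thread or from netfilter) of the two INPUT rulesets above: one shared `-m limit` bucket versus a per-source `-m recent` list, fed a constructed SYN trace. The arithmetic simplifies the kernel's, and under the documented recent semantics an `--update` rule only matches sources already placed in the list by a `--set` rule, which the rule as posted lacks.

```python
# Added model, not code from the thread: Jeff's two INPUT rulesets as a
# shared '-m limit' token bucket versus a per-source '-m recent' list.
from collections import defaultdict, deque

class LimitMatch:
    """'-m limit --limit 6/s --limit-burst 10': one bucket for all sources."""
    def __init__(self, rate_per_s=6.0, burst=10):
        self.rate, self.burst, self.tokens, self.last = rate_per_s, burst, float(burst), 0.0
    def matches(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True   # limit matches -> RETURN to INPUT, SYN is let through
        return False      # bucket empty -> falls through to LOG and DROP

class RecentMatch:
    """'-m recent --seconds 60 --hitcount 10': SYN timestamps kept per source."""
    def __init__(self, seconds=60, hitcount=10):
        self.seconds, self.hitcount, self.seen = seconds, hitcount, defaultdict(deque)
    def set(self, src, t):        # '--set': record this SYN for its source
        self.seen[src].append(t)
    def update(self, src, t):     # '--update': matches only a source already
        if src not in self.seen:  # listed, with >= hitcount SYNs in the window
            return False
        hist = self.seen[src]
        while hist and t - hist[0] > self.seconds:
            hist.popleft()
        return len(hist) >= self.hitcount

def build_trace():
    # Constructed SYNs: 4 clients, one SYN every 10 s; one source at 50 SYN/s for 20 s.
    legit = [(10.0 * k, f"192.0.2.{c}", True) for c in range(1, 5) for k in range(6)]
    flood = [(20.01 + 0.02 * i, "203.0.113.9", False) for i in range(1000)]
    return sorted(legit + flood)              # tuples are (time, src, is_legit)

def run(mode):
    """(legit SYNs dropped, flood SYNs dropped) for mode 'limit', 'recent'
    (a --set rule before the --update rule) or 'recent-no-set' (rule as posted)."""
    limit, recent, dropped = LimitMatch(), RecentMatch(), [0, 0]
    for t, src, is_legit in build_trace():
        if mode == "limit":
            hit = not limit.matches(t)        # no token left: SYN goes to syn-flood
        else:
            if mode == "recent":
                recent.set(src, t)
            hit = recent.update(src, t)       # match: SYN goes to syn-flood
        dropped[0 if is_legit else 1] += hit
    return tuple(dropped)
```

In this model the shared bucket drops legitimate SYNs whenever the flood has emptied it, while the per-source list drops only the flooding source and, without a `--set` rule, drops nothing at all.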
* Re: Can I add a module to a prebuilt kernel?
From: Jozsef Kadlecsik @ 2004-06-04 7:48 UTC (permalink / raw)
To: Jeff Gordon; +Cc: netfilter
On Thu, 3 Jun 2004, Jeff Gordon wrote:
>
> So I obtained the iptables-1.2.9 source package and compiled it.
>
> On 'make install', however I found libipt_recent.so was NOT placed into
> the loadable modules directory...!
The compilation process of the iptables binary will include whatever is
supported in the kernel *source* it was told to look at. So if the
kernel source does not contain the recent module, it won't be supported
by iptables either.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary