如何移植iptables1.4.9到Tiny6410_Linux2.6.38内核
版权声明:对于本博客所有原创文章,允许个人、教育和非商业目的使用,但务必保证文章的完整性且不作任何修改地以超链接形式注明原始作者、出处及本声明。
博客地址:http://blog.csdn.net/shuxiao9058
原始作者:季亚
一、 建立交叉编译环境
在Linux平台下,要为开发板(Tiny6410等)开发程序,编译内核等操作时,均需要交叉编译工具链,我们使用的是arm-linux-gcc-4.5.1,它默认采用arm-v6指令集,支持硬浮点运算,下面是安装它的详细步骤:
Step1: 下载arm-linux-gcc-4.5.1,并将其拷贝至Linux下任意目录位置(如/tmp/linux),打开终端切换到该位置,执行解压命令(注意:C后面有个空格,并且C是大写的,它是英文单词“change”的第一个字母,在此是改变目录的意思):
arm-linux-gcc-4.5.1下载地址:http://115.com/file/e6au07fx#
执行如下命令:
[root@localhost ~]# cd /tmp/linux/
[root@localhost linux]# ls
arm-linux-gcc-4.5.1-v6-vfp-20101103.tgz mktools-20110720.tar.gz
arm-qte-4.7.0-20101105.tar.gz rootfs_qtopia_qt4-20111018.tgz
arm-qt-extended-4.4.3-20101105.tgz rootfs_qtopia_qt4-s-20111018.tgz
arm-qtopia-20101105.tar.gz u-boot-mini6410-20111018.tar.gz
busybox-1.17.2-20101120.tgz x86-qte-4.6.1-20100201.tar.gz
examples-mini6410-20110104.tgz x86-qt-extended-4.4.3-20101003.tgz
linux-2.6.28.6-20101007.tar.gz x86-qtopia-20100420.tar.gz
linux-2.6.38-20110718.tar.gz 说明.txt
logomaker.tgz
[root@localhost linux]# tar xzvf arm-linux-gcc-4.5.1-v6-vfp-20101103.tgz -C /执行以上命令,将把arm-linux-gcc安装到/opt/FriendlyARM/toolschain/4.5.1目录下。
Step2:把编译器路径加入系统环境变量,可以运行如下命令:
[root@localhost linux]# echo "export PATH=$PATH:/opt/FriendlyARM/toolschain/4.5.1/bin" >> ~/.bashrc也可以运行如下命令,修改~/.bashrc这个文件:
[root@localhost /]# vi ~/.bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
export PATH=$PATH:/opt/FriendlyARM/toolschain/4.5.1/bin修改完毕后记得要保存。
测试:重新登录系统(不必重启机器,开始->logout 或者重新打开终端即可),使以上设置生效,在命令行输入arm-linux-gcc -v,会出现如下信息,这说明交叉编译环境已经成功安装。
[root@localhost /]# arm-linux-gcc -v
Using built-in specs.
COLLECT_GCC=arm-linux-gcc
COLLECT_LTO_WRAPPER=/opt/FriendlyARM/toolschain/4.5.1/libexec/gcc/arm-none-linux-gnueabi/4.5.1/lto-wrapper
Target: arm-none-linux-gnueabi
Configured with: /work/toolchain/build/src/gcc-4.5.1/configure --build=i686-build_pc-linux-gnu --host=i686-build_pc-linux-gnu --target=arm-none-linux-gnueabi --prefix=/opt/FriendlyARM/toolschain/4.5.1 --with-sysroot=/opt/FriendlyARM/toolschain/4.5.1/arm-none-linux-gnueabi/sys-root --enable-languages=c,c++ --disable-multilib --with-cpu=arm1176jzf-s --with-tune=arm1176jzf-s --with-fpu=vfp --with-float=softfp --with-pkgversion=ctng-1.8.1-FA --with-bugurl=http://www.arm9.net/ --disable-sjlj-exceptions --enable-__cxa_atexit --disable-libmudflap --with-host-libstdcxx='-static-libgcc -Wl,-Bstatic,-lstdc++,-Bdynamic -lm' --with-gmp=/work/toolchain/build/arm-none-linux-gnueabi/build/static --with-mpfr=/work/toolchain/build/arm-none-linux-gnueabi/build/static --with-ppl=/work/toolchain/build/arm-none-linux-gnueabi/build/static --with-cloog=/work/toolchain/build/arm-none-linux-gnueabi/build/static --with-mpc=/work/toolchain/build/arm-none-linux-gnueabi/build/static --with-libelf=/work/toolchain/build/arm-none-linux-gnueabi/build/static --enable-threads=posix --with-local-prefix=/opt/FriendlyARM/toolschain/4.5.1/arm-none-linux-gnueabi/sys-root --disable-nls --enable-symvers=gnu --enable-c99 --enable-long-long
Thread model: posix
gcc version 4.5.1 (ctng-1.8.1-FA)
[root@localhost /]# 二、 重新配置编译内核,使其支持netfilter
Netfilter是内核态提供的包过滤框架,其中包含了各种各样的过滤表,默认的内核配置一般不包含这个框架,所以我们要先配置内核选项让其支持netfilte才行。
首先我们需要把友善官方提供的Linux内核源码解压到Linux下指定目录(/opt/FriendlyARM/mini6410/linux/),然后切换到该目录下,会发现多了一个linux-2.6.38文件夹:
[root@localhost /]# cd /opt/FriendlyARM/mini6410/linux/
[root@localhost linux]# ls
arm-qte-4.7.0 busybox-1.17.2 rootfs_qtopia_qt4 x86-qt-extended-4.4.3
arm-qt-extended-4.4.3 examples u-boot-mini6410 x86-qtopia
arm-qtopia linux-2.6.38 x86-qte-4.6.1
[root@localhost linux]# [root@localhost linux]# cd linux-2.6.38/
[root@localhost linux-2.6.38]# make distclean
CLEAN .
CLEAN arch/arm/kernel
CLEAN drivers/tty/vt
CLEAN drivers/video/logo
CLEAN firmware
CLEAN kernel
CLEAN lib
CLEAN usr
CLEAN arch/arm/boot/compressed
CLEAN arch/arm/boot
CLEAN .tmp_versions
CLEAN vmlinux System.map .tmp_kallsyms1.o .tmp_kallsyms1.S .tmp_kallsyms2.o .tmp_kallsyms2.S .tmp_vmlinux1 .tmp_vmlinux2 .tmp_System.map
CLEAN scripts/basic
CLEAN scripts/kconfig
CLEAN scripts/mod
CLEAN scripts
CLEAN include/config include/generated
CLEAN .config .config.old .version include/linux/version.h Module.symvers
[root@localhost linux-2.6.38]# ls
arch config_mini6410_x35 lib
block COPYING MAINTAINERS
config_mini6410_a70 CREDITS Makefile
config_mini6410_ezvga crypto mm
config_mini6410_g10 Documentation net
config_mini6410_l80 drivers README
config_mini6410_n43 firmware REPORTING-BUGS
config_mini6410_s70 fs samples
config_mini6410_t35 include scripts
config_mini6410_vga1024x768 init security
config_mini6410_vga640x480 ipc sound
config_mini6410_vga800x600 Kbuild tools
config_mini6410_w35 Kconfig usr
config_mini6410_w50 kernel virt
[root@localhost linux-2.6.38]# cp config_mini6410_n43 .config
[root@localhost linux-2.6.38]#
[root@localhost linux-2.6.38]# make menuconfig
scripts/kconfig/mconf Kconfig
warning: (PLAT_S3C64XX) selects SAMSUNG_WAKEMASK which has unmet direct dependencies (PLAT_SAMSUNG && PM)
.config - Linux/arm 2.6.38 Kernel Configuration
------------------------------------------------------------------------------
+----------------- Linux/arm 2.6.38 Kernel Configuration -----------------+
| Arrow keys navigate the menu. selects submenus --->. |
| Highlighted letters are hotkeys. Pressing includes, excludes, |
| modularizes features. Press to exit, for Help, |
| for Search. Legend: [*] built-in [ ] excluded module < > |
| +---------------------------------------------------------------------+ |
| | General setup ---> | |
| | [*] Enable loadable module support ---> | |
| | -*- Enable the block layer ---> | |
| | System Type ---> | |
| | Bus support ---> | |
| | Kernel Features ---> | |
| | Boot options ---> | |
| | CPU Power Management ---> | |
| | Floating point emulation ---> | |
| | Userspace binary formats ---> | |
| +----v(+)-------------------------------------------------------------+ |
+-------------------------------------------------------------------------+
| 按照如下操作进行配置:
Step1:在上面的菜单项中,按向下箭头键向下翻!选择“[*] Networking support --->”项,回车进入子菜单项:
+-------------------------- Networking support ---------------------------+
| Arrow keys navigate the menu. selects submenus --->. |
| Highlighted letters are hotkeys. Pressing includes, excludes, |
| modularizes features. Press to exit, for Help, |
| for Search. Legend: [*] built-in [ ] excluded module < > |
| +---------------------------------------------------------------------+ |
| | --- Networking support | |
| | Networking options ---> | |
| | [ ] Amateur Radio support ---> | |
| | < > CAN bus subsystem support ---> | |
| | < > IrDA (infrared) subsystem support ---> | |
| | < > Bluetooth subsystem support ---> | |
| | < > RxRPC session sockets | |
| | [*] Wireless ---> | |
| | < > WiMAX Wireless Broadband support ---> | |
| | < > RF switch subsystem support ---> | |
| +----v(+)-------------------------------------------------------------+ |
+-------------------------------------------------------------------------+
| Step2:在上面的菜单项中,按向下箭头键向下翻!选择“Networking options ---> ”项,回车进入子菜单项:
+-------------------------- Networking options ---------------------------+
| Arrow keys navigate the menu. selects submenus --->. |
| Highlighted letters are hotkeys. Pressing includes, excludes, |
| modularizes features. Press to exit, for Help, |
| for Search. Legend: [*] built-in [ ] excluded module < > |
| +---------------------------------------------------------------------+ |
| | <*> Packet socket | |
| | <*> Unix domain sockets | |
| | < > PF_KEY sockets | |
| | [*] TCP/IP networking | |
| | [ ] IP: multicasting | |
| | [ ] IP: advanced router | |
| | [*] IP: kernel level autoconfiguration | |
| | [*] IP: DHCP support | |
| | [*] IP: BOOTP support | |
| | [*] IP: RARP support | |
| +----v(+)-------------------------------------------------------------+ |
+-------------------------------------------------------------------------+
|
+-------------------------- Networking options ---------------------------+
| Arrow keys navigate the menu. selects submenus --->. |
| Highlighted letters are hotkeys. Pressing includes, excludes, |
| modularizes features. Press to exit, for Help, |
| for Search. Legend: [*] built-in [ ] excluded module < > |
| +----^(-)-------------------------------------------------------------+ |
| | < > INET: socket monitoring interface | |
| | [ ] TCP: advanced congestion control ---> | |
| | [ ] TCP: MD5 Signature Option support (RFC2385) (EXPERIMENTAL) | |
| | < > The IPv6 protocol ---> | |
| | [ ] Security Marking | |
| | [ ] Timestamping in PHY devices | |
| | [ ] Network packet filtering framework (Netfilter) ---> | |
| | < > The DCCP Protocol (EXPERIMENTAL) ---> | |
| | < > The SCTP Protocol (EXPERIMENTAL) ---> | |
| | < > The RDS Protocol (EXPERIMENTAL) | |
| +----v(+)-------------------------------------------------------------+ |
+-------------------------------------------------------------------------+
| Netfilter配置菜单页
+------------ Network packet filtering framework (Netfilter) -------------+
| Arrow keys navigate the menu. selects submenus --->. |
| Highlighted letters are hotkeys. Pressing includes, excludes, |
| modularizes features. Press to exit, for Help, |
| for Search. Legend: [*] built-in [ ] excluded module < > |
| +---------------------------------------------------------------------+ |
| | --- Network packet filtering framework (Netfilter) | |
| | [ ] Network packet filtering debugging (NEW) | |
| | [*] Advanced netfilter configuration (NEW) | |
| | Core Netfilter Configuration ---> | |
| | < > IP virtual server support (NEW) ---> | |
| | IP: Netfilter Configuration ---> | |
| | | |
| | | |
| | | |
| | | |
| +---------------------------------------------------------------------+ |
+-------------------------------------------------------------------------+
| Step4:使用Tab键选择Exit,直到要求保存配置,选择Yes选项确认保存为止!
+----------------------------------------------------------+
| Do you wish to save your new configuration? |
| to continue. |
+----------------------------------------------------------+
| < Yes > < No > |
+----------------------------------------------------------+
注意事项:这里的所有选项一定选为built-in [*],而不能选为Module [M],如果选为Module,重新烧制的系统内核里用modprobe ip_tables 命令将不能找到iptables模块。(为了有备无患,我们这里把Netfilter所有的选项都选上)。上一步还有一点要注意的是IP: Netfilter configuration中的FULL NAT选项 一定要选中,否则将不能使用 iptables -t nat命令。
至此,完成内核相关配置工作!
使用如下操作命令开始编译内核:
[root@localhost linux-2.6.38]# make zImage编译完成后,生成的新内核"zImage"保存在/opt/FriendlyARM/linux/linux2.6.38/arch/arm/boot文件夹下。
三、 交叉编译iptables
Iptables是用户态提供的更改过滤规则的便捷工具,通过使用这个工具,可以方便的改变内核下netfilter的默认规则,也可以根据自己的需求添加自定的规则。
1. 到netfilter官方网站(http://www.netfilter.org/)下载iptables最新源码并解压,编译方法具体可以参考iptables目录下的INSTALL文件;
2. 首先一定要确保当前终端下能识别出arm-linux-gcc命令,接着在/home目录下创建iptables目录,在终端下切换到iptables代码树。运行./configure --prefix=/home/iptables --host=arm-linux配置以生成Makefile文件。
[root@localhost iptables-1.4.9]# ls
aclocal.m4 INCOMPATIBILITIES iptables-apply.8 libiptc.pc.in
autogen.sh INSTALL iptables.c ltmain.sh
COMMIT_NOTES install-sh iptables-multi.c m4
compile ip6tables.8.in iptables-multi.h Makefile.am
config.guess ip6tables.c iptables-restore.8 Makefile.in
config.h.in ip6tables-multi.c iptables-restore.c missing
config.log ip6tables-multi.h iptables-save.8 release.sh
config.sub ip6tables-restore.8 iptables-save.c utils
configure ip6tables-restore.c iptables-standalone.c xshared.c
configure.ac ip6tables-save.8 iptables-xml.8 xshared.h
COPYING ip6tables-save.c iptables-xml.c xtables.c
depcomp ip6tables-standalone.c iptables.xslt xtables.pc.in
extensions iptables.8.in libipq
include iptables-apply libiptc
[root@localhost iptables-1.4.9]# ./configure --prefix=/home/iptables --host=arm-linux3. 进行编译安装
[root@localhost iptables-1.4.9]# make KERNEL_DIR=/opt/FriendlyARM/mini6410/linux/linux-2.6.38
[root@localhost iptables-1.4.9]# make NO.SHARED_LIBS=1
[root@localhost iptables-1.4.9]# make
[root@localhost iptables-1.4.9]# make installlib: libiptc.so.0.0.0,libxtables.so.1.0.0,指向这两个文件的链接libiptc.so.0, libxtables.so.1。
sbin: ip6tables-multi,ip6tables,ip6tables-restore,ip6tables-save,iptables-multi,iptables,iptables-restore,iptables-save。
xtables: libipt_DNAT.so,libipt_SNAT.so,libxt_standard.so(创建链接或者改名为libipt_standard.so),libxt_standard.so(同上libipt_standard.so),libxt_tcp.so(同上libipt_tcp.so),libxt_state(同上libipt_state),…,其他动态库最好也下载到开发板中,以防需要某个匹配选项时提示找不到动态库文件,当出现找不到某个库文件*ipt_*.so的时候,先看看是否存在一个与它相似仅只有中间换成xt的库文件,如果存在将其改成ipt即可,因为其本质是一样的,只是名称不同而已。
5. 将刚刚编译好的iptables打包
切换至/home目录,使用如下操作命令进行压缩:
[root@localhost home]# tar cvf iptables.tar iptables/
四、下载新系统内核和交叉编译好的iptables到开发板
1. 这一步需要在windows下操作,将开发板的串口,USB接口,电源都连接好后,首先安装tools\usb下载驱动\FriendlyARM USB Download Driver Setup_20090421.exe,接着将S2开关拨到SD-BOOT上,打开S1开关,windows提示发现新硬件,按照提示将驱动安装完,这时在设备管理器里的通用串行总线里就能看到FriendlyARM USB,说明驱动安装正确,再打开windows平台工具下的dnw,设置好串口等一些设置后就可以点USB,串口里的连接了,看到com:OK,USB:OK就说明连接正确,如果不能看到BIOS启动界面再次重启,进入BIOS界面后选择k将bzImage烧到板子上即可。
注意:这里要先把FriendlyARM.ini配置文件中的“CheckOneButton=No”一句中的“No”改为“Yes”,dnw的详细说明请参考友善提供的技术手册。
2. 这一步可以通过SD卡传输,也可以通过ftp的方式传输(需事先配置IP等信息)。在此我用ftp方式传输,操作命令如下所示。
[root@localhost home]# ftp 192.168.1.7
Connected to 192.168.1.7 (192.168.1.7).
220 FriendlyARM FTP server (Version 6.4/OpenBSD/Linux-ftpd-0.17) ready.
Name (192.168.1.7:root): plg
331 Password required for plg.
Password:
230 User plg logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put iptables.tar
local: iptables.tar remote: iptables.tar
227 Entering Passive Mode (192,168,1,7,186,163)
150 Opening BINARY mode data connection for 'iptables.tar'.
226 Transfer complete.
2590720 bytes sent in 0.968 secs (2675.37 Kbytes/sec)
ftp> by
221 Goodbye.
[root@localhost home]#
然后,使用超级终端(Windows)切换到/home/plg目录下,进行如下操作:
[root@FriendlyARM /etc]# cd /home/plg
[root@FriendlyARM plg]# ls
iptables.tar
[root@FriendlyARM plg]# tar xzvf iptables.tar命令操作如下所示:
[root@FriendlyARM /etc]# cd /home/plg
[root@FriendlyARM plg]# ls
iptables iptables.tar
[root@FriendlyARM plg]# cd iptables/
[root@FriendlyARM iptables]# ls
bin include lib libexec sbin share
[root@FriendlyARM iptables]# cd lib
[root@FriendlyARM lib]# cp * /lib -r
[root@FriendlyARM lib]# cd ../sbin
[root@FriendlyARM sbin]# cp * /sbin -r
[root@FriendlyARM sbin]# iptables -v
iptables v1.4.9: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@FriendlyARM sbin]#备注:
a. 当使用目标操作(如-j ACCEPT时)提示找不到libipt_standard.so库文件,这时可以将../libexec/xtables/目录下的libxt_standard.so重命名为libipt_standard.so,这两个库文件从本质上讲是一样的;
b. 运行iptables命令 发现错误iptables: error while loading shared libraries: libiptc.so.0: cannot open shared object file: No such file or directory 原因是缺少libiptc.so.0动态库文件,从lib目录中可以找到,并找到libxtables.so.1将这两个动态库文件下载到板子的/lib下;
c. 这些动态库是在用 iptables的一些选项时调用的。如libipt_SNAT.so,libipt_DNAT.so 支持 “--to”、“-j SNAT”和 “-j DNAT”选项,libipt_tcp.so支持“-- dport”选项。如果用到其他命令选项,自行查找是哪个动态库支持,将其下载到开发板的/home/plg/iptables/libexec/xtables目录;
d. 执行iptables -L 命令,执行成功。但是当添加规则“iptables -A INPUT -t tcp --dport 80 -j ACCEPT”时提示找不到libipt_standard.so文件。而这个文件在编译生成的动态库中是没有的,只有一个“libxt_standard.so”。其实这两个库是一样的。重命名libxt_standard.so为 libipt_standard.so,将其下载到/usr/local/libexec/xtables。
【声明】
本文部分内容摘自网络和友善之臂技术手册,其他相关资料参考链接: http://blog.csdn.net/luyesy/article/details/6412908、 http://blog.csdn.net/hanzengyi/archive/2010/11/06/5991917.aspx
如需转载本文请注明出处: http://blog.csdn.net/shuxiao9058/article/details/6923517