
RE: Building the iptables kernel modules

Hi All,
 
I'm working on an application which needs stateless source and destination nat. The source and destination target addresses depend on the diffserv value. I'm looking at iptables to implement this. I already took the following steps:
 
1. Downloaded and compiled the axp-lkm-sdk (according to the instructions in the 'AXP Advance Feature Guide')
 
2. Downloaded iptables and compiled it using the axp kernel
 
3. Bundled the iptables files and installed it on the axp
 
4. I requested and got kernel permission in my auth_bundle.sig file
 
5. Modified my sys_cap file to load the cisco provided iptable modules
    (ip_tables.ko / iptable_filter.ko / iptable_mangle.ko / ip_queue)
 
6. Now I can install iptables rules, but can't use any nat instruction.
    If I try, I get the following error:

       iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
       Perhaps iptables or your kernel needs to be upgraded.
 
7. As a possible alternative I did some performance tests using the -j QUEUE target to send packets to my own user process.
    This is working but way too slow (about 3000 pps max). I can increase the CPU index, but I think the kernel space is much faster.
 
So I really need the performance of the kernel modules to handle the nat operation. Unfortunately Cisco didn't provide the 'iptable_raw.ko' and the 'iptable_nat.ko' in their LKM support.
 
So I guess I have to build them myself.
 
Can anyone provide me with some instructions, how to build these kernel modules?
 
Regards
Hielke

Assuming you are using the AXP 1.5.2 LKM, this sdk will create many kernel modules for you by default. I have provided the steps to create these modules below. If your desired kernel module is not created, then modify the appropriate settings in the image/kernel<version>/linux/.config file. I've provided the links showing the M setting requirements for iptable_raw.ko and iptable_nat.ko here: http://cateee.net/lkddb/web-lkddb/IP_NF_RAW.html , http://cateee.net/lkddb/web-lkddb/NF_NAT.html . You should also check the dependency requirements of your kernel module via 'modinfo <kernel module>' to make sure the module can be inserted; additional modules may be required. Finally you can check which modules have been inserted via 'lsmod'.
 
Using the LKM.
1.  type 'make cleantools'
2.  type 'make tools'
3.  cd image/kernel <version>/linux.
4.  modify the .config file for kernel module creation.
5. access <lkm dir>/gplcore/kernel <version>
6. type 'make modules'
7. access <lkm dir>/image/kernel <version>/linux
8. Search for modules via  'find . -name "*.ko" '
 
Thanks,
 
Brett

Hi Brett,
 
Thanks for your answer.
 
I'm using SDK 1.1.7 and can't upgrade because I still have the AIM-APPRE-102-K9 hardware.

 
I edited the .config file but can't issue the 'make modules' command.
 
                [cisco@localhost kernel-2.6.14.3]$ make modules
                make: *** No rule to make target `modules'. Stop.
 
I tried just running 'make' after editing the .config file but this doesn't seem to produce the .ko files.
Is there a specific 1.1.7 method to build the ko files?

Regards
Hielke

Hi Hielke,
 
Sorry for taking so long to get back to you - I was on PTO.
 
Since you are using an older version of the AXP LKM and the AIM card there is a different set of steps to follow.  I've provided them below.
 
1.  In the axp-lkm-sdk.1.1.7 directory edit the Makecurrent.inc file.  Change the active platform to what I show below.  Save and exit.
             PLATFORM = nm+aim
             #PLATFORM = bryce
 
2.  Now type 'make' .  The system will recompile.
 
3.  Access ./gplCore/kernel-2.6.14.3/ .   Edit the dotconfig-regular-i386-nm+aim  file and specify the proper module parameters.  In short under the IP NetFilter Configuration add/edit the text below to create the nat, conntrack and raw kernel modules.  Save and exit.
     CONFIG_IP_NF_ADVANCED=m
     CONFIG_IP_NF_CONNTRACK=m
     CONFIG_IP_NF_RAW=m
     CONFIG_IP_NF_NAT=m
     CONFIG_IP_NF_IPTABLES=m

4.  type 'make all'
 
5.  Finally type 'find . -name "*.ko"' and you should see the newly created modules.
 
Thanks,
 
Brett
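
An added example, not part of Brett's post or the AXP SDK: a shell check that the five options from step 3 are really set to `=m` in a config file and that the nat and raw modules exist in a build tree. The function names, the sample config and the module path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the AXP SDK). Function names and sample data are
# constructed for illustration.

# Options listed in step 3 above for the nat, conntrack and raw modules.
REQUIRED_OPTS="CONFIG_IP_NF_ADVANCED CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_RAW CONFIG_IP_NF_NAT CONFIG_IP_NF_IPTABLES"

# Print each required option that is not set to "m" in config file $1.
missing_nf_options() {
    for opt in $REQUIRED_OPTS; do
        # Anchored match: "=y", "# ... is not set" and longer names such as
        # CONFIG_IP_NF_NAT_FTP must not count as CONFIG_IP_NF_NAT=m.
        grep -q "^${opt}=m\$" "$1" || echo "$opt"
    done
}

# Print each expected module file that is absent under build tree $1.
missing_modules() {
    for ko in iptable_nat.ko iptable_raw.ko; do
        [ -n "$(find "$1" -name "$ko" -print 2>/dev/null)" ] || echo "$ko"
    done
}

# Constructed sample: a partly edited config and a tree with one module built.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/dotconfig" <<'EOF'
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_ADVANCED=y
EOF
mkdir -p "$demo/net/ipv4/netfilter"
: > "$demo/net/ipv4/netfilter/iptable_raw.ko"

echo "Options not set to m:"
missing_nf_options "$demo/dotconfig"
echo "Modules not found:"
missing_modules "$demo"
```

Point `missing_nf_options` at the edited dotconfig file and `missing_modules` at the build tree after 'make all'. Running the option check again after the build shows whether the build rewrote any of the settings.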

It's working now! Great, thanks for your help.
 
Regards
Hielke

Is this method applicable to enable IPv6 on AXP? A previous post by the PM stated it was not possible in AXP at this time. Could this method be used to enable all IPv6 LKMs? Or has some of the core source been edited out to prevent IPv6 processing?
 
I tried the 1.5.2 process to enable IPv6 parameters but it clears the IPv6 config parameters at module build time.
 
-J

IPv6 support is under consideration, but currently the AXP kernel and virtual server do not support this protocol. As a result, creating LKM IPv6 modules will not add this support.
 
Brett

That seemed to be in line with what I thought. Thanks for the confirmation.