
About rpm for CentOS 8

Open kohga opened this issue 6 years ago • 2 comments

Hello, we are using l3dsr on RPM-based distros. However, this spec file does not support CentOS 8.

iptables-daddr.spec

Are there plans to support CentOS 8 soon? I tried editing the spec file so that the build succeeds, by force.

# diff ~/build/l3dsr/linux/rpm/iptables-daddr.spec iptables-daddr.spec
14a15,17
>     %if "%{dist}" == ".el8"
>       %define rhel_version 700
>     %endif
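Review bot: the new `.el8` block defines `rhel_version` as 700, so every `rhel_version` test further down in the spec treats an EL8 build exactly as an EL7 build. That is what makes the build go through here, but it also means nothing EL8-specific can ever be expressed in the spec; a distinct value (`%define rhel_version 800`) keeps the threshold comparisons working while staying truthful about the target. The condition is also an exact string match on `%{dist}`, so any variant dist tag (a point-release suffix, or a build where `%{dist}` is unset) silently falls through to the old bounds; testing the `%{?rhel}` macro that the release package sets on RHEL/CentOS (`%if 0%{?rhel} >= 8`) avoids that fragility.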
109,110c112,113
< BuildRequires: iptables-devel >= 1.4.7, iptables-devel < 1.5
< Requires: iptables >= 1.4.7, iptables < 1.5
---
> BuildRequires: iptables-devel >= 1.4.7, iptables-devel < 1.9
> Requires: iptables >= 1.4.7, iptables < 1.9
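Review bot: widening the upper bound from `< 1.5` to `< 1.9` does more than admit the 1.8.x iptables-nft shipped with EL8: it also declares the package installable against every 1.5 through 1.7 release, none of which the test below exercises. Since the DADDR target is an iptables extension loaded by the iptables binary, the runtime `Requires:` line should track the version the package was actually built against (a macro computed at build time from `iptables -V` of the build host, for example) rather than a hand-widened range; if a range is kept, it is good that `BuildRequires:` and `Requires:` move in lockstep, as the hunk already does.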

After installing this RPM package and running a simple test, it looks like it works, as shown below.

# iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -m dscp --dscp 0x0a -j DADDR --set-daddr 1.1.1.1 <---------------------------- vip set with iptables
 
# nft list table ip mangle
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
                ip dscp 0x0a counter packets 25 bytes 2100 # DADDR set 1.1.1.1 <----------- Settings converted to nftables
        }
 
        chain INPUT {
                type filter hook input priority -150; policy accept;
        }
 
        chain FORWARD {
                type filter hook forward priority -150; policy accept;
        }
 
        chain OUTPUT {
                type route hook output priority -150; policy accept;
        }
 
        chain POSTROUTING {
                type filter hook postrouting priority -150; policy accept;
        }
}
  • tcpdump: a ping with ToS is received and the reply is sent with the VIP (1.1.1.1) as SrcIP
# tcpdump -ni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:22:22.174193 IP XX.XX.XX.XX > YY.YY.YY.YY: ICMP echo request, id 31130, seq 1, length 64
17:22:22.174232 IP 1.1.1.1 > XX.XX.XX.XX: ICMP echo reply, id 31130, seq 1, length 64
17:22:23.174028 IP XX.XX.XX.XX > YY.YY.YY.YY: ICMP echo request, id 31130, seq 2, length 64
17:22:23.174066 IP 1.1.1.1 > XX.XX.XX.XX: ICMP echo reply, id 31130, seq 2, length 64
17:22:24.174083 IP XX.XX.XX.XX > YY.YY.YY.YY: ICMP echo request, id 31130, seq 3, length 64
17:22:24.174127 IP 1.1.1.1 > XX.XX.XX.XX: ICMP echo reply, id 31130, seq 3, length 64
  • iptables counter: the VIP (1.1.1.1) is set when the rule matches the ToS value
# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   33  2772 DADDR      all  --  any    any     anywhere             anywhere             DSCP match 0x0a DADDR set 1.1.1.1

It seems to work for the time being.

kohga, Dec 09 '19 09:12
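The "simple test" in the post above is done by eyeballing the iptables and nft listings side by side. The script below is an added example, not code from the l3dsr project or from the issue, that automates that check for an iptables-nft host such as CentOS 8: given the two listings it confirms that a DSCP-matched DADDR rule for the VIP exists in the iptables output and was carried into the nftables ruleset with the same DSCP value and the same address, and it reads back the nft packet counter so you can tell whether tagged traffic actually hit the rule. The two sample listings are constructed from the output quoted in the issue, and the function names `daddr_rule_ok` and `daddr_rule_hits` are my own.

```shell
#!/bin/sh
# Added example, not code from the l3dsr project: verify that a DADDR rule
# loaded through iptables on an iptables-nft host shows up in the nftables
# ruleset with the same DSCP match and the same VIP, and read back the nft
# packet counter to see whether traffic matched it.
#
# The two listings below are constructed from the output quoted in the
# issue. On a real host replace them with:
#   IPT_OUT=$(iptables -t mangle -S)
#   NFT_OUT=$(nft list table ip mangle)

IPT_SAMPLE='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-A PREROUTING -m dscp --dscp 0x0a -j DADDR --set-daddr 1.1.1.1'

NFT_SAMPLE='table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority -150; policy accept;
                ip dscp 0x0a counter packets 25 bytes 2100 # DADDR set 1.1.1.1
        }
}'

# daddr_rule_ok DSCP VIP IPT_OUT NFT_OUT
# Exit status: 0 = rule present in both listings and consistent,
#              1 = no matching DADDR rule in the iptables listing,
#              2 = iptables has the rule but the nftables ruleset does not
#                  carry the same DSCP match and VIP (translation lost it).
daddr_rule_ok() {
    dscp=$1; vip=$2; ipt=$3; nft=$4
    printf '%s\n' "$ipt" \
        | grep -q -- "-m dscp --dscp $dscp -j DADDR --set-daddr $vip\$" || return 1
    printf '%s\n' "$nft" \
        | grep -q "ip dscp $dscp .*# DADDR set $vip\$" || return 2
    return 0
}

# daddr_rule_hits DSCP NFT_OUT
# Prints the nft packet counter of the DADDR rule for DSCP, or nothing if
# the rule is absent. A zero or missing counter after sending DSCP-tagged
# traffic means the rule never matched.
daddr_rule_hits() {
    dscp=$1; nft=$2
    printf '%s\n' "$nft" \
        | sed -n "s/.*ip dscp $dscp counter packets \([0-9][0-9]*\) .*# DADDR set.*/\1/p"
}

# Usage on the constructed samples:
daddr_rule_ok 0x0a 1.1.1.1 "$IPT_SAMPLE" "$NFT_SAMPLE"; rc=$?
case $rc in
    0) echo "DADDR rule for 1.1.1.1 present in iptables and nftables," \
            "$(daddr_rule_hits 0x0a "$NFT_SAMPLE") packets matched" ;;
    1) echo "no DADDR rule for 1.1.1.1 in the iptables listing" ;;
    2) echo "DADDR rule was not carried into the nftables ruleset" ;;
esac
```

The two-step check matters on an iptables-nft host because the `iptables` wrapper can accept a rule that the nft backend then stores differently; comparing the `nft list` output against what iptables reports, rather than trusting `iptables -S` alone, is what shows the DADDR target survived the translation, and the counter tells you whether the DSCP match ever fired.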

My internal version of the iptables.spec file was pretty much gutted by dropping RHEL 4, RHEL 5, and RHEL 6.3 and before, with RHEL 8 support too, all added back in March 2019. Some lines you referenced no longer exist. Your modification to the Requires: line, though, exactly matches what I had done. I apologize for not getting my newer, internal work out on GitHub before now. I'll see if I can get it published here in the next few weeks.

qbarnes, Dec 09 '19 15:12

Have you had a chance to try iptables.spec that's on the beta branch for your RHEL 8 use case yet?

qbarnes, Jun 11 '20 13:06