Package for OpenWRT

[petonagy]

I would like to ask...are you planing to port (make package) for openWRT?

Thanks for the answer.

[aabc]

I'm only providing sources.

[AndrewMargarit]

Did anyone compiled this for openwrt?

[alex-eri]

@AndrewMargarit i do

[richb-hanover]

@alex-eri Would you consider creating an outline of instructions for installing ipt-netflow in OpenWrt and/or LEDE? If so, I would write it up and get onto those web sites so that others can use it. Many thanks!

[alex-eri]

@richb-hanover , just copy contens of ipt-netflow/openwrt folder to ${openwrt build root}/packages/ipt-netflow/ . It will appear in menu. Make as usual.

[ZackMattor]

@alex-eri It seems that it cannot find iptables.h... Any idea on how to solve this? I'll keep playing with it.

Checking for presence of include/linux/llist.h... Yes
Checking for presence of include/linux/grsecurity.h... No
Iptables binary version: 1.6.0 (detected from /sbin/iptables)
pkg-config for version 1.6.0 exists: No (reported: 1.4.21)
Checking for presence of xtables.h... No
Checking for presence of iptables.h... No
! Iptables headers not found. You may need to specify --ipt-inc=...
!
! Under Debian simply run this:
!   root# apt-get install iptables-dev pkg-config```

[ZackMattor]

Scratch that... I got it working I believe, but i need to install iptables-dev onto the base system... Do you know if there's an easy way to have the makefile pull those dependencies? I might need to create a iptables-dev openwrt package....

[alex-eri]

I will make firmware for tplink today. Tests and more instructions tomorow. You need patch Makefile for using crosscompiler or use devel brunch. Included patch tested only with Dest.Driver (openwrt trunk)

[ZackMattor]

@alex-eri I have it built and seems to be installed on the firmware. I'm trying to configure iptables to forward traffic to the module but i'm getting this error.

root@OpenWrt:~# iptables -I FORWARD -j NETFLOW
iptables v1.4.21: Couldn't load target `NETFLOW':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

[ZackMattor]

It shows up under lsmod and shows up under x_tables, should it be under ip_tables?

root@OpenWrt:/# lsmod | grep ipt
ip_tables               9325  4 iptable_nat,iptable_raw,iptable_mangle,iptable_filter
ipt_MASQUERADE           688  1
ipt_NETFLOW            42436  0
ipt_REJECT               944  2
iptable_filter           720  1
iptable_mangle           944  1
iptable_nat              784  1
iptable_raw              688  0
nf_nat_ipv4             3697  1 iptable_nat
nf_nat_masquerade_ipv4    1436  1 ipt_MASQUERADE
nf_reject_ipv4          2179  1 ipt_REJECT
x_tables               11527 26 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_state,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_conntrack,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_CT,iptable_raw,iptable_mangle,iptable_filter,ipt_NETFLOW,ip_tables,ip6t_REJECT,ip6table_raw,ip6table_mangle,ip6table_filter,ip6_tables

[ZackMattor]

Think this could be because i compiled using system iptables-dev?

[aabc]

It shows up under lsmod and shows up under x_tables, should it be under ip_tables?

You also need libipt_NETFLOW.so library for iptables tool somewhere where it's configured on your system. You can configure proper location supplying --ipt-lib= option to configure.

Look where other targets are located, for example libipt_REJECT.so.

[alex-eri]

@ZackMattor. Buildig example on clean Debian chroot https://github.com/alex-eri/ipt-netflow/blob/openwrt-makefile/openwrt/Readme.md

/usr/lib/iptables/libipt_NETFLOW.so in iptables-mod-netflow_2.2-2_ar71xx.ipk Other modules is here.

There is no libipt_REJECT.so - only .ko

I built module, but have no exported flows.

# cat /proc/net/stat/ipt_netflow
ipt_NETFLOW 2.2, srcversion (null); llist mac
Protocol version 5 (netflow)
Timeouts: active 1800s, inactive 15s. Maxflows 2000000
Flows: active 57 (peak 1038 reached 0d0h20m ago), mem 65K, worker delay 10/100 [1..10] (10 ms, 0 us, 47:0 0 [cpu0]).
Hash: size 15055 (mem 58K), metric 1.00 [1.00, 1.00, 1.00]. InHash: 1851 pkt, 56011 K, InPDU 10, 345736.
Rate: 2216752 bits/sec, 8 packets/sec; Avg 1 min: 1277071 bps, 2 pps; 5 min: 1422531 bps, 2 pps
cpu#     pps; <search found new [metric], trunc frag alloc maxflows>, traffic: <pkt, bytes>, drop: <pkt, bytes>
Total      8;    236   4246  17335 [1.01],    0    0    0    0, traffic: 21581, 899 MB, drop: 0, 0 K
Export: Rate 366 bytes/s; Total 576 pkts, 0 MB, 17268 flows; Errors 0 pkts; Traffic lost 0 pkts, 0 Kbytes, 0 flows.
sock0: 192.168.236.34:2055, sndbuf 1, filled 0, peak 0; err: sndbuf reached 0, connect 0, cberr 0, other 0

[ZackMattor]

@alex-eri It seems to have installed my libipt_NETFLOW.so to /lib/xtables/libipt_NETFLOW.so. Does yours really end up in /usr/lib/iptables/libipt_NETFLOW.so?

[ZackMattor]

@alex-eri How did you get ipt-netflow to find iptables.h?

[alex-eri]

@ZackMattor see https://github.com/alex-eri/ipt-netflow/blob/openwrt-makefile/openwrt/Readme.md openwrt builder finds iptables. Try build in this way. Openwrt trunk finds its own iptables without problem. Just i build CC (15.05.1).

What is target device? What versions of OpenWRT, your host OS?

I am on ArchLinux and it has problems with crosscompiling kernel. So I use chroot.

[richb-hanover]

Hi folks,

Thanks for all this effort on the ipt-netflow package for OpenWrt.

Is there any chance that you'd have time to look at a package for LEDE? It's an offshoot of OpenWrt, but with heavily updated kernel (4.4.47) and modern libraries, with many network performance enhancements, but the same packaging architecture.

Their first stable build (17.01) will come out this month. Read more at www.lede-project.org or the get the Release Notes Thanks!

[alex-eri]

@richb-hanover it is openwrt fork. You can build it as for openwrt. https://github.com/alex-eri/ipt-netflow/blob/openwrt-makefile/openwrt/Readme.md

[richb-hanover]

@alex-eri Thanks for the note.

I don't have the chops, or the time to build it myself. But your link to those instructions should make it possible for a developer to add it to the standard package set for LEDE.

Once it's there, I promise to write simplified instructions for LEDE that let people see who's hogging their bandwidth :-) Thanks again.

[alex-eri]

@richb-hanover You need to create "feed" and push it to developers of LEDE to make packages with rest of system.

[ZackMattor]

@alex-eri Debian, OpenWrt Master Trunk, TP-LINK Archer c7

Followed your instructions, and it still cant find iptables...

Checking for presence of xtables.h... No
Checking for presence of iptables.h... No
! Iptables headers not found. You may need to specify --ipt-inc=...
!
! Under Debian simply run this:
!   root# apt-get install iptables-dev pkg-config

[ZackMattor]

DOH! I was using v2.2 I believe... trying again.

[alex-eri]

I get reproduced this! Will fix

[ZackMattor]

@alex-eri Alright, I got it working by manually copying my libipt_NETFLOW.so to /usr/lib/iptables/... very cool! I still think we should fix the Makefile so it can build properly using the openwrt build tooling. If you need any help with that let me know!

Also.. I see that you opened a new issue regarding exporting to a collector. It seems to be working 100% for me using protocol v9. I think i built this version using the ipt-netflow v2.2 trunk w/ the cross compile patches... so it might be a problem on master.

[AlexandraDrobut]

Hi, I encountered as well the problem but the solution proposed by ZackMattor solved it. Thank you

[DocMAX]

to resolve the xtables / iptables issue add this to makefile: CONFIGURE_ARGS+=--ipt-lib=/usr/lib/iptables