add iptables support

2024-10-06 04:03:50 +08:00 · 2022-10-27 21:06:23 +08:00 · 2022-10-27 21:06:23 +08:00 · 15374080d6
commit 15374080d6
parent 089ef059e1
3 changed files with 190 additions and 98 deletions
--- a/01_build_src.sh
+++ b/01_build_src.sh
@ -25,6 +25,9 @@ STRACE_SRC_URL=https://github.com/strace/strace/releases/download/v5.19/strace-5
 PCIUTILS_SRC_URL=http://mj.ucw.cz/download/linux/pci/pciutils-3.8.0.tar.gz
 OPENSSL_SRC_URL=https://www.openssl.org/source/openssl-1.1.1q.tar.gz
 OPENSSH_SRC_URL=https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
+LIBMNL_SRC_URL=https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2
+LIBNFTNL_SRC_URL=https://netfilter.org/projects/libnftnl/files/libnftnl-1.2.3.tar.bz2
+IPTABLES_SRC_URL=https://www.netfilter.org/projects/iptables/files/iptables-1.8.8.tar.bz2
 #GCC_SRC_URL=https://ftpmirror.gnu.org/gcc/gcc-7.5.0/gcc-7.5.0.tar.xz
 GCC_SRC_URL=https://mirrors.ustc.edu.cn/gnu/gcc/gcc-7.5.0/gcc-7.5.0.tar.xz
 #BINUTILS_SRC_URL=https://ftp.gnu.org/gnu/binutils/binutils-2.36.tar.xz
@ -46,6 +49,9 @@ STRACE_SRC_NAME=$(download_src ${STRACE_SRC_URL})
 PCIUTILS_SRC_NAME=$(download_src ${PCIUTILS_SRC_URL})
 OPENSSL_SRC_NAME=$(download_src ${OPENSSL_SRC_URL})
 OPENSSH_SRC_NAME=$(download_src ${OPENSSH_SRC_URL})
+LIBMNL_SRC_NAME=$(download_src ${LIBMNL_SRC_URL})
+LIBNFTNL_SRC_NAME=$(download_src ${LIBNFTNL_SRC_URL})
+IPTABLES_SRC_NAME=$(download_src ${IPTABLES_SRC_URL})
 GCC_SRC_NAME=$(download_src ${GCC_SRC_URL})
 BINUTILS_SRC_NAME=$(download_src ${BINUTILS_SRC_URL})
 cd ..
@ -65,6 +71,9 @@ STRACE_SRC_DIR=$(unzip_src ".tar.xz" ${STRACE_SRC_NAME}); echo "unzip ${STRACE_S
 PCIUTILS_SRC_DIR=$(unzip_src ".tar.gz" ${PCIUTILS_SRC_NAME}); echo "unzip ${PCIUTILS_SRC_NAME} source code"
 OPENSSL_SRC_DIR=$(unzip_src ".tar.gz" ${OPENSSL_SRC_NAME}); echo "unzip ${OPENSSL_SRC_NAME} source code"
 OPENSSH_SRC_DIR=$(unzip_src ".tar.gz" ${OPENSSH_SRC_NAME}); echo "unzip ${OPENSSH_SRC_NAME} source code"
+LIBMNL_SRC_DIR=$(unzip_src ".tar.bz2" ${LIBMNL_SRC_NAME}); echo "unzip ${LIBMNL_SRC_NAME} source code"
+LIBNFTNL_SRC_DIR=$(unzip_src ".tar.bz2" ${LIBNFTNL_SRC_NAME}); echo "unzip ${LIBNFTNL_SRC_NAME} source code"
+IPTABLES_SRC_DIR=$(unzip_src ".tar.bz2" ${IPTABLES_SRC_NAME}); echo "unzip ${IPTABLES_SRC_NAME} source code"
 GCC_SRC_DIR=$(unzip_src ".tar.xz" ${GCC_SRC_NAME}); echo "unzip ${GCC_SRC_NAME} source code"
 BINUTILS_SRC_DIR=$(unzip_src ".tar.xz" ${BINUTILS_SRC_NAME}); echo "unzip ${BINUTILS_SRC_NAME} source code"

@ -320,6 +329,10 @@ if [ ! -d "busybox_install" ]; then
  cd ..
 fi

+#------------------------------------------------------------------
+# 编译通用工具
+#------------------------------------------------------------------
+if [ "${with_util}" = true ]; then
  # 编译 lshw ( 调试方便 )
  if [ ! -d "lshw_install" ]; then
    mkdir -pv lshw_install && cd ${LSHW_SRC_DIR}
@ -349,7 +362,12 @@ if [ ! -d "strace_install" ]; then
    CFLAGS="-L${glibc_install}/lib64 $CFLAGS" make -j8 && make install -j8 DESTDIR=${strace_install} PREFIX=/usr || exit
    cd ..
  fi
+fi

+#------------------------------------------------------------------
+# 编译 openssh
+#------------------------------------------------------------------
+if [ "${with_ssh}" = true ]; then
  # 编译 openssl
  if [ ! -d "openssl_install" ]; then
    mkdir -pv openssl_install && cd ${OPENSSL_SRC_DIR}
@ -385,7 +403,49 @@ if [ ! -d "openssh_install" ]; then
    fi
    cd ..
  fi
+fi

+#------------------------------------------------------------------
+# 编译防火墙
+#------------------------------------------------------------------
+if [ "${with_ufw}" = true ]; then
+  ufw_include=" \
+    -I${libmnl_install}/usr/include \
+    -I${libnftnl_install}/usr/include"
+
+  ufw_library=" \
+    -L${libmnl_install}/usr/lib -lmnl \
+    -L${libnftnl_install}/usr/lib -lnftnl"
+
+  # 编译 libmnl
+  if [ ! -d "libmnl_install" ]; then
+    mkdir -pv libmnl_install && cd ${LIBMNL_SRC_DIR}
+    ./configure --prefix=/usr
+    CFLAGS="-L${glibc_install}/lib64 $CFLAGS" make -j8 && make install -j8 DESTDIR=${libmnl_install} PREFIX=/usr || exit
+    cd ..
+  fi
+
+  # 编译 libnftnl
+  if [ ! -d "libnftnl_install" ]; then
+    mkdir -pv libnftnl_install && cd ${LIBNFTNL_SRC_DIR}
+    CFLAGS="${ufw_include} ${ufw_library} $CFLAGS" ./configure --prefix=/usr
+    CFLAGS="-L${glibc_install}/lib64 $CFLAGS" make -j8 && make install -j8 DESTDIR=${libnftnl_install} PREFIX=/usr || exit
+    cd ..
+  fi
+
+  # 编译 iptables ( 需要 libmnl, libnftnl )
+  if [ ! -d "iptables_install" ]; then
+    mkdir -pv iptables_install && cd ${IPTABLES_SRC_DIR}
+    CFLAGS="${ufw_include} ${ufw_library} $CFLAGS" ./configure --prefix=/usr
+    CFLAGS="-L${glibc_install}/lib64 $CFLAGS" make -j8 && make install -j8 DESTDIR=${iptables_install} PREFIX=/usr || exit
+    cd ..
+  fi
+fi
+
+#------------------------------------------------------------------
+# 编译 gcc ( xfce 需要开启这个 )
+#------------------------------------------------------------------
+if [ "${with_gcc}" = true ]; then
  # 编译 gcc
  if [ ! -d "gcc_install" ]; then
    mkdir -pv gcc_install && cd ${GCC_SRC_DIR}
@ -404,11 +464,12 @@ if [ ! -d "binutils_install" ]; then
    CFLAGS="-L${glibc_install}/lib64 $CFLAGS" make -j8 && make install -j8 DESTDIR=${binutils_install} || exit
    cd ..
  fi
+fi

 cd ..

-# 编译 xfce [ no same time with xorg ]
-if [ "${with_xfce}" = true ]; then
+# 编译 xfce ( 需要 gcc 的支持 )
+if [ "${with_xfce}" = true ] && [ "${with_gcc}" = true ]; then
  ./mk_xfce.sh img
 fi

--- a/02_build_img.sh
+++ b/02_build_img.sh
@ -225,29 +225,44 @@ cd ..
 echo "${CYAN}--- build diskfs ---${NC}"
 cp rootfs/* ${diskfs} -r

+# +++ 通用工具 +++
+if [ "${with_util}" = true ]; then
+  echo "${RED} ... build with-util${NC}"
  # 单独的 lshw
  cp ${lshw_install}/* ${diskfs} -r
-
  # 单独的 lsof
  cp ${lsof_install}/* ${diskfs} -r
-
  # 单独的 pciutils
  cp ${pciutils_install}/* ${diskfs} -r
  if [ -f "${diskfs}/usr/share/pci.ids.gz" ]; then
    mkdir -pv ${diskfs}/usr/local/share
    mv ${diskfs}/usr/share/pci.ids.gz ${diskfs}/usr/local/share/pci.ids.gz
  fi
-
  # 单独的 strace
  cp ${strace_install}/* ${diskfs} -r
+fi

+# +++ ufw +++
+if [ "${with_ufw}" = true ]; then
+  echo "${RED} ... build with-ufw${NC}"
+  # 拷贝 libmnl
+  cp ${libmnl_install}/* ${diskfs} -r
+  # 拷贝 libnftnl
+  cp ${libnftnl_install}/* ${diskfs} -r
+  # 拷贝 iptables
+  cp ${iptables_install}/* ${diskfs} -r
+fi
+
+# +++ openssh +++
+if [ "${with_ssh}" = true ]; then
+  echo "${RED} ... build with-ssh${NC}"
  # 带有 openssl
  cp ${openssl_install}/* ${diskfs} -r
-
  # 带有 openssh
  cp ${openssh_install}/* ${diskfs} -r
+fi

-# 带有 gcc 编译器
+# +++ gcc +++
 if [ "${with_gcc}" = true ]; then
  echo "${RED} ... build with-gcc${NC}"
  cp ${gcc_install}/* ${diskfs} -r
@ -261,7 +276,7 @@ if [ "${with_login}" = true ]; then
  ./mk_login.sh ${diskfs}
 fi

-# 带有 xfce 编译器
+# +++ xfce desktop +++
 if [ "${with_xfce}" = true ]; then
  echo "${RED} ... build xfce desktop${NC}"
  # 构建 Xorg 的键盘数据
@ -320,7 +335,11 @@ if [ "${with_xfce}" = true ]; then

  # 这些本来需要编译完成，目前暂且拷贝
  # cp /usr/lib/x86_64-linux-gnu/libLLVM-10.so.1 build/xfce_install/usr/lib/x86_64-linux-gnu/
-  # 拷贝 xfce4 到镜像目录
+
+  # 拷贝 xfce4 到镜像目录，删除 .a 文件减少体积，其实编译选型不编译文档和测试代码会更小
+  find ${xfce_install}/ -name "*.a" -exec rm -rf {} \;
+  find ${xfce_install}/ -name "man" -exec rm -rf {} \;
+  find ${xfce_install}/ -name "*doc" -exec rm -rf {} \;
  cp ${xfce_install}/* ${diskfs} -r -n

  # 删除冗余文件，防止后续编译很多警告
--- a/common.sh
+++ b/common.sh
@ -18,10 +18,19 @@ NC='\e[0m' # 没有颜色
 # 处理器
 core_num=`nproc`

+# 是否开启 ssh
+with_ssh=true
+
+# 是否开启 ufw
+with_ufw=true
+
 # 是否开启 gcc
 with_gcc=true

-# 是否开启 xfce
+# 是否带有工具
+with_util=true
+
+# 是否开启 xfce ( 需要开启 gcc )
 with_xfce=true

 # 是否挂载第二块硬盘
@ -43,6 +52,9 @@ strace_install=${build_dir}"/strace_install"
 pciutils_install=${build_dir}"/pciutils_install"
 openssl_install=${build_dir}"/openssl_install"
 openssh_install=${build_dir}"/openssh_install"
+libmnl_install=${build_dir}"/libmnl_install"
+libnftnl_install=${build_dir}"/libnftnl_install"
+iptables_install=${build_dir}"/iptables_install"
 gcc_install=${build_dir}"/gcc_install"
 binutils_install=${build_dir}"/binutils_install"
 xorg_install=${build_dir}"/xorg_install"