Key Pages: [ Rope Home Page | Basics (tutorial) | Language Reference | Download ]

Manual Installation Of IpTables Rope.

Please Note..

These notes refer to versions of Rope release before 23/Dec/2005 only. For later versions, please refer to Building.
VERSIONS OF ROPE BEFORE 20051223 WORK WITH THE 2.4.x RANGE OF LINUX KERNELS ONLY. IT HAS BEEN DEVELOPED AND TESTED ON VERSIONS 2.4.20 THROUGH 2.4.29. Support for Linux 2.6 is available in versions since 23/Dec/2005 - see Building.
If you are interested in using "rope" but are not comfortable with compiling your own linux kernel, I am happy to do the work for you for a small fee.

These notes were taken when going through the process of manual installation on a RedHat 8.0 development machine. This is not the way install will be ultimately (we will use the "proper" iptables POM patching logic), but it allows you to get the software installed and running before the "real" installation logic is ready.

Getting Ready

Get a vanilla linux kernel and kernel-source package and install (I am using RedHat 8.0, kernel 2.4.20-28.8 for this).
Download the current version of the Rope sources. Note that these are currently changing frequently - so revist the site often.

Patching The Linux Kernel

The following edits need to be made in the kernel tree (probably something like /usr/src/linux-2.4)...

net/ipv4/netfilter/Config.in (versions before 20050101)

For versions of the software with versions before January 1st, 2005 ..

Add a line referring to ROPE in the same style as, and after the line referring to LENGTH. The best way is to duplicate the original LENGTH line, and then replace the two instances of the word "LENGTH" in it with "ROPE". The new line and it's neighbours look something like this (depending on what other modules you have got installed)..

dep_tristate '  AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES
dep_tristate '  LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES
dep_tristate '  ROPE match support' CONFIG_IP_NF_MATCH_ROPE $CONFIG_IP_NF_IPTABLES
dep_tristate '  TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES

net/ipv4/netfilter/Config.in (versions after 20050101)

For versions of the software with a date later than January 1st, 2005 ..

Copy the contents of the file Config.in.fragment into the Config.in file after the line referring to LENGTH. The new lines and their neighbours look something like this (depending on what other modules you have installed, and the version of Rope you are using)..

dep_tristate '  AH/ESP match support' CONFIG_IP_NF_MATCH_AH_ESP $CONFIG_IP_NF_IPTABLES
dep_tristate '  LENGTH match support' CONFIG_IP_NF_MATCH_LENGTH $CONFIG_IP_NF_IPTABLES

dep_tristate '  Rope match support (EXPERIMENTAL)' CONFIG_IP_NF_MATCH_ROPE $CONFIG_IP_NF_IPTABLES
if [ "$CONFIG_IP_NF_MATCH_ROPE" != "n" ]; then
 int '  ROPE: Number of global registers' CONFIG_ROPE_NUM_GREGS 20
 int '  ROPE: Number of scripts' CONFIG_ROPE_NUM_SCRIPTS 50
 int '  ROPE: Stack size (number of items)' CONFIG_ROPE_STACK_SIZE 20
 int '  ROPE: Jotter size (bytes)' CONFIG_ROPE_JOTTER_SIZE 2048
 int '  ROPE: Max actions per script execution ($max_actions)' CONFIG_ROPE_MAX_ACTIONS 1000
 int '  ROPE: Default max iterations per "while" loop' CONFIG_ROPE_MAX_WHILE_LOOPS 100
 int '  ROPE: Default max iterations per "repeat" loop' CONFIG_ROPE_MAX_REPEAT_LOOPS 100
 int '  ROPE: Max "expect_one" blocks' CONFIG_ROPE_MAX_EXPECT_ONE_BLOCKS 30
 int '  ROPE: Max IPSets that can be referred to' CONFIG_ROPE_NUM_IPSETS 20
fi

dep_tristate '  TTL match support' CONFIG_IP_NF_MATCH_TTL $CONFIG_IP_NF_IPTABLES

net/ipv4/netfilter/Makefile

Add a line referring to "rope" in the same style as, and after the line referring to "length". The easiest way do this is just to copy the "LENGTH" line and replace "LENGTH" with "ROPE" and "length" with "rope". The new line and it's neighbours look something like this (depending on what other modules you have installed)..

obj-$(CONFIG_IP_NF_MATCH_DSCP) += ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP) += ipt_ah.o ipt_esp.o

obj-$(CONFIG_IP_NF_MATCH_LENGTH) += ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_ROPE) += ipt_rope.o

obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o

Add (copy) the following files to the kernel source tree (note that some files are only relevant to certain versions of the Rope software) ..

File name	Target Directory	Versions
ipt_rope.c	net/ipv4/netfilter	All
rope.c	net/ipv4/netfilter	All
rope.h	net/ipv4/netfilter	All
rope-dispatch.h	net/ipv4/netfilter	All
rope-enum.h	net/ipv4/netfilter	only if present in release
rope-util.h	net/ipv4/netfilter	only if present in release
ipt_rope.h	include/linux/netfilter_ipv4	only if present in release

In versions without a "ipt_rope.h" file, create an empty include/linux/netfilter_ipv4/ipt_rope.h using the command:

touch include/linux/netfilter_ipv4/ipt_rope.h

By the way - I know that a couple of the .h files are in the wrong place here - I'll sort this out soon.

Finally: edit the main Makefile to give EXTRAVERSION some unique string (maybe: "-Rope" would do it).

Building The Kernel

It might be a good idea to run "make distclean" in the kernel source tree before starting out [up to you!].
Copy the relevant config file from /boot into linux-2.4/.config.
Run "make menuconfig"
- find the ROPE option and turn it on. You'll find this under: Networking options - IP Netfilter Configuration
- Check the tuning parameters available for ROPE in the "make menuconfig" screen and edit them, if you like.
- Consider enabling some other iptable features that enhance ROPE's features, namely...
  - Conntrack
  - IPSets (may need kernel patch)
  - Conntrack bytes (may need POM kernel patch)
  - Conntrack marking or CONNMARK (may need POM kernel patch)
Run..
- time make dep bzImage modules 2>&1 | tee make.out
Review make.out for relevant error messages
run: make modules_install
run: make install
reboot with the new kernel to check that it all works.
Run "uname -a" to verify that it really is the new kernel you are using.
Try "modprobe ipt_rope" to ensure that the rope module loads into the kernel.

Obtaining The IpTables Source

Download the iptables source version corresponding to that installed in your distro. Or: install the SRPM and run "rpmbuild -bp" on it to prepare the sources with local OS-specific patches. I used this latter approach on my RedHat 8.0 development server - with iptables-1.2.8.

Patching IpTables

Copy these files from the Rope software into the iptables source tree..

File	Target Location	Comment
libipt_rope.c	extensions
rope.h	extensions	for version 20050315 and later
rope-enum.h	"extensions" directory	only if present in release
rope-util.h	"extensions" directory	only if present in release
ipt_rope.h	include/linux/netfilter_ipv4	only if present in release
rope-test	"extensions" as ".rope-test"	dont miss out that leading full-stop!

Give the "extensions/.rope-test" file execute permissions with ..

chmod +x extensions/.rope-test

Edit extensions/Makefile and add the word "rope" to the end of the line that sets the variable PF_EXT_SLIB.

Building The Patched IpTables

Run "make" and "make install" as directed in the "INSTALL" file of iptables.
Try "iptables -m rope --help" to verify that the new module is now part of the iptables user-space tool.

Pray, Reboot And Check

If all has gone well, a reboot of the system should bring the updated software into memory, including the new iptables Rope module.

Verify that you are running the correct kernel version using the command
- uname -vr
Verify that the Rope module is loadable using..
- insmod ipt_rope