There seems to be some consistency on how to compile xtables-addons. Notice I didn’t suggest an agreement in the more popular approaches. It seems that much of the approach is more of a copy and paste from one site to the next with some slight variation. What generally isn’t immediately obvious is the version of CentOS used or the version of xtables-addons used. In many cases, xtables-addons will not compile because of errors. Here I will attempt to clarify a few things.
Generally, it is accepted practice to download the latest and greatest. This is not the case with xtables-addons on CentOS 6.x. The version of xtables-addons is dependent on the version of the kernel. That said, we will use version 1.47 of xtables-addons.
The goal of this article is not to rehash what xtables-addons is or its general installation, but to show how to work through the errors.
I encountered two problems.
The First Problem
The first is the instructions for downloading and extracting the archive. This didn’t work for me at first. The hiccup was that xz extension.
wget http://downloads.sourceforge.net/project/xtables-addons/Xtables-addons/xtables-addons-1.47.tar.xz
tar xf xtables-addons-1.47.tar.xz
As it turns out, if xz is installed, tar will extract that file format without any additional switches. So install xz and, while we are at it, wget, which some of you may not have installed either.
yum install -y xz wget
The Second Problem
After extracting the archive, you are ready to run ./configure; make; make install. The process fails at make with xtnu_ipv6_find_hdr and too few arguments to function ipv6_find_hdr errors.
One solution is to open /usr/src/kernels/$(uname -r)/include/linux/autoconf.h and comment out one line, changing this:
#define CONFIG_IP6_NF_IPTABLES_MODULE 1
to this:
/* #define CONFIG_IP6_NF_IPTABLES_MODULE 1 */
Instead of modifying the kernel source, others suggest modifying the mconfig file for the offending options. That does not work on its own with xtables-addons 1.47; however, modifying the /opt/xtables-addons-1.47/mconfig file had worked on xtables-addons 1.41 through 1.46, with different options being commented out.
The Solution
Modifying the source for the kernel doesn’t seem to be a wise option. Modifying the mconfig file to omit options doesn’t seem ideal either. The options are there for a reason, is my thought. A pattern emerged. The main objective with all of these modifications is to “disable” the IPv6 functions that prevent a successful compile. So my thought is that I shouldn’t touch the kernel source, and there is no need to remove complete options. Let’s focus on the “offending” code. I determined that there is an IF statement in each of the following files that would later be found in the code to attempt to apply the IPv6 features and fail. The easiest approach for me is to delete the one line from each of the following files in /opt/xtables-addons-1.47/extensions, leaving the IF statement intact without a payload.
sed -i '/define WITH_IPV6/d' compat_xtables.c xt_psd.c xt_length2.c xt_TARPIT.c xt_SYSRQ.c xt_RAWNAT.c
In the end the code compiled successfully with all options and without modifying the kernel source. While this works, I am not 100% confident that this is an ideal solution, but it seems logical.
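The sed step above with a backup copy and a per-file report, so the change to the six files can be reviewed and reverted; this is an added example, not code from the original article or from the xtables-addons project. The helper names are hypothetical, and the sample files are constructed stand-ins that only imitate a guard around the define.

```shell
#!/bin/sh
# Added example. File list and sed expression are the ones given on the page.
XT_FILES="compat_xtables.c xt_psd.c xt_length2.c xt_TARPIT.c xt_SYSRQ.c xt_RAWNAT.c"

# strip_with_ipv6 DIR (hypothetical helper): delete the "define WITH_IPV6"
# line from each listed file in DIR, keeping the untouched file as FILE.orig.
# Prints one status line per file; returns 1 if any listed file is missing.
strip_with_ipv6() {
    dir=$1
    rc=0
    for f in $XT_FILES; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "missing   $f"; rc=1; continue
        fi
        if ! grep -q 'define WITH_IPV6' "$path"; then
            echo "unchanged $f"; continue      # already patched, or no such line
        fi
        [ -f "$path.orig" ] || cp -p "$path" "$path.orig"
        # Same effect as the page's `sed -i`, written via a temp file.
        sed '/define WITH_IPV6/d' "$path" > "$path.tmp" && mv "$path.tmp" "$path"
        echo "patched   $f"
    done
    return $rc
}

# restore_with_ipv6 DIR (hypothetical helper): put the .orig copies back.
restore_with_ipv6() {
    for f in $XT_FILES; do
        if [ -f "$1/$f.orig" ]; then mv "$1/$f.orig" "$1/$f"; fi
    done
}

# make_sample DIR: constructed stand-in files for a dry run. They only imitate
# a preprocessor guard around the define; they are not the real source.
make_sample() {
    mkdir -p "$1"
    for f in $XT_FILES; do
        printf '%s\n' '#if defined(CONFIG_IP6_NF_IPTABLES_MODULE)' \
            '#define WITH_IPV6 1' '#endif' > "$1/$f"
    done
}
```

To use it on the real tree, source the file and run `strip_with_ipv6 /opt/xtables-addons-1.47/extensions` before make; `restore_with_ipv6` with the same path reverts the change.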