netman74501 DD-WRT Novice
Joined: 11 Mar 2009 Posts: 6
|
Posted: Sat Sep 04, 2021 19:24 Post subject: How-to: Compile TEE module for port mirroring (for R7000P) |
|
Preface:
Greetings!
This information was hard to come by, so I thought I would share how to compile the TEE module for DD-WRT. I did not find any information for this already on the forums. My apologies if it exists.
While I have tried to make this guide computer\router agnostic, the commands are specific to my computer and router. You can find relevant details about my computer and router at the end of this post. Additionally, you can download the required patch file and pre-compiled versions of the netfilter\TEE modules from the attachments section of this post (may need to be logged in). Use at your own risk.
I do not use IPv6 and have included commands to disable it. Skip them if you want to keep IPv6 enabled. The attached IPv6 modules are untested. Also, I assume you already have DD-WRT installed on your router.
Alrighty then... Let's get to it!
On your computer:
First we need to install the required build packages:
Code: | sudo apt install gcc g++ binutils patch bzip2 flex bison make gettext unzip zlib1g-dev libc6 subversion xz-utils
|
Let's create a directory to work in, change to it, download the needed toolchain, checkout DD-WRT's source from SVN, and extract the downloaded toolchain:
Code: | mkdir /path/to/working/dir/
cd /path/to/working/dir/
wget http://download1.dd-wrt.com/dd-wrtv2/downloads/toolchains/toolchains.tar.xz
svn co svn://svn.dd-wrt.com/DD-WRT/src/linux/universal/linux-4.4 -r 47256
tar -xvf toolchains.tar.xz toolchain-arm_cortex-a9_gcc-8.2.0_musl_eabi
|
NOTE: We are checking out a specific build number(47256) from SVN. You will need to change this to match the build your router is currently running.
NOTE: The tar command extracts only the needed toolchain for my router. You may wish to extract a different toolchain or all.
Download the patch file from the attachments section of this post to your working directory, then apply the patch:
Code: | patch linux-4.4/drivers/net/wireless/Kconfig < Kconfig.txt |
NOTE: This patch comments the RALINK_DEVICE and SOC_MT7620_OPENWRT "if" blocks within the Kconfig file. You can do this manually if you wish. I could not find any other way to exclude these sections from being built. The drivers for these sections are not included in SVN and therefore you will receive an error during compiling if you skip this. You will need to obtain the drivers and skip this command if your router requires them.
Add the toolchain to your path so that the compiler is able to locate it, change directory to the SVN source we checked out, and copy a router specific default config:
Code: | export PATH=$PATH:$(pwd)/toolchain-arm_cortex-a9_gcc-8.2.0_musl_eabi/bin
cd linux-4.4/
cp .config_northstar_smp .config |
NOTE: You may need to change this to match your router's hardware. To find the correct config, SSH into your router and issue the command "dmesg | grep -i machine". Cross-reference this with your current build's kernel string listed on your router's status page.
Enable the TEE module and disable IPv6:
Code: | echo "CONFIG_NETFILTER_XT_TARGET_TEE=m" >> .config
echo "CONFIG_IPV6=n" >> .config #only if you want to disable IPv6 |
Now that we have everything we need and all is configured, it is time to start compiling!
Code: | make modules ARCH=arm |
NOTE: You may be prompted for additional details. Just press enter to accept the defaults.
The built modules will be in various locations. Let's tidy up by copying them to a new directory:
Code: | cd ..
mkdir -p build
cp linux-4.4/net/ipv6/netfilter/nf_dup_ipv6.ko build/ #only if IPv6 was not disabled
cp linux-4.4/net/ipv4/netfilter/nf_dup_ipv4.ko build/
cp linux-4.4/net/netfilter/xt_TEE.ko build/ |
If you would like to check the dependencies of the modules, you can do so with:
Code: | modinfo build/nf_dup_ipv6.ko #only if IPv6 was not disabled
modinfo build/nf_dup_ipv4.ko
modinfo build/xt_TEE.ko |
It's time to copy our new modules to the router:
Code: | scp -r root@router:/tmp /path/to/working/dir/build |
Congrats! You have just completed building the netfilter and TEE modules for your router.
On your router:
Now let's SSH into the router and insert the modules:
Code: | ssh root@router
cd /tmp/build
insmod ipv6 #only if IPv6 was not disabled
insmod nf_dup_ipv6.ko #only if IPv6 was not disabled
insmod nf_dup_ipv4.ko
insmod xt_TEE.ko |
Great! Our modules should be inserted and we can now use the built-in iptables command to enable port mirroring. There is plenty of information available for iptables so I won't go into detail but, all of the following commands have been verified to work:
Code: | iptables -t mangle -I PREROUTING -j TEE --gateway [sniffer's ip]
iptables -t mangle -I POSTROUTING -j TEE --gateway [sniffer's ip]
iptables -t mangle -I PREROUTING -i br0 -j TEE --gateway [sniffer's ip]
iptables -t mangle -I POSTROUTING -o br0 -j TEE --gateway [sniffer's ip]
iptables -t mangle -I PREROUTING -s [target's ip] -j TEE --gateway [sniffer's ip]
iptables -t mangle -I POSTROUTING -d [targets's ip] -j TEE --gateway [sniffer's ip]
iptables -t mangle -I FORWARD -j TEE --gateway [sniffer's ip]
iptables -t mangle -D PREROUTING 1
iptables -t mangle -D POSTROUTING 1
iptables -t mangle -D FORWARD 1
iptables -F -t mangle |
You can check if a rule was inserted into iptables with:
Code: | iptables -L -n -v -t mangle --line-numbers |
The output should look similar to the following:
Code: | Chain PREROUTING (policy ACCEPT 10 packets, 1048 bytes)
num pkts bytes target prot opt in out source destination
1 549 49886 TEE all -- * * 192.168.2.115 0.0.0.0/0 TEE gw:192.168.2.33 |
Do note that you will still need to find a way to make the inserted modules persist across reboots. Since I have Entware installed, I copied the modules to a directory on my USB drive and then added the following to my startup script in DD-WRT (the commands would not work in the firewall script for some reason):
Code: | insmod /opt/modules/nf_dup_ipv4.ko
insmod /opt/modules/xt_TEE.ko
iptables -t mangle -A PREROUTING -j TEE --gateway [sniffer's ip] |
Also of note: When I first started duplicating packets to the computer I wanted to be my sniffer, I was confused because the packets were being duplicated across my whole network -- not just the IP address I specified for the gateway in iptables. This turned out to be due to a bridge interface that had been setup by a virtual machine on the computer. I removed the bridge interface and the duplication of packets across the whole network stopped.
I sincerely hope that this helps others in their endeavors to enable port mirroring on their router! Until next time...
Computer Details:
OS: Xubuntu 20.04
Release: Ubuntu 20.04.3 LTS focal
Kernel Version: Linux 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
CPU Model: Intel(R) Celeron(R) CPU B800
Router Details:
Router Model: Netgear R7000P
Firmware Version: DD-WRT v3.0-r47256 std (08/25/21)
Kernel Version: Linux 4.4.281 #3923 SMP Wed Aug 25 02:51:09 +07 2021 armv7l
CPU Model: Broadcom BCM4708
iptables Version: iptables v1.8.5 (legacy) |
|