How-to: Compile TEE module for port mirroring (for R7000P)

Post new topic   Reply to topic    DD-WRT Forum Index -> Contributions Upload
Author Message
netman74501
DD-WRT Novice


Joined: 11 Mar 2009
Posts: 6

PostPosted: Sat Sep 04, 2021 19:24    Post subject: How-to: Compile TEE module for port mirroring (for R7000P) Reply with quote
Preface:

Greetings!

This information was hard to come by, so I thought I would share how to compile the TEE module for DD-WRT. I did not find any information for this already on the forums. My apologies if it exists.

While I have tried to make this guide computer\router agnostic, the commands are specific to my computer and router. You can find relevant details about my computer and router at the end of this post. Additionally, you can download the required patch file and pre-compiled versions of the netfilter\TEE modules from the attachments section of this post (may need to be logged in). Use at your own risk.

I do not use IPv6 and have included commands to disable it. Skip them if you want to keep IPv6 enabled. The attached IPv6 modules are untested. Also, I assume you already have DD-WRT installed on your router. Smile

Alrighty then... Let's get to it!

On your computer:

First we need to install the required build packages:

Code:
sudo apt install gcc g++ binutils patch bzip2 flex bison make gettext unzip zlib1g-dev libc6 subversion xz-utils

Let's create a directory to work in, change to it, download the needed toolchain, checkout DD-WRT's source from SVN, and extract the downloaded toolchain:

Code:
mkdir /path/to/working/dir/
cd /path/to/working/dir/
wget http://download1.dd-wrt.com/dd-wrtv2/downloads/toolchains/toolchains.tar.xz
svn co svn://svn.dd-wrt.com/DD-WRT/src/linux/universal/linux-4.4 -r 47256
tar -xvf toolchains.tar.xz toolchain-arm_cortex-a9_gcc-8.2.0_musl_eabi

NOTE: We are checking out a specific build number(47256) from SVN. You will need to change this to match the build your router is currently running.
NOTE: The tar command extracts only the needed toolchain for my router. You may wish to extract a different toolchain or all.

Download the patch file from the attachments section of this post to your working directory, then apply the patch:

Code:
patch linux-4.4/drivers/net/wireless/Kconfig < Kconfig.txt

NOTE: This patch comments the RALINK_DEVICE and SOC_MT7620_OPENWRT "if" blocks within the Kconfig file. You can do this manually if you wish. I could not find any other way to exclude these sections from being built. The drivers for these sections are not included in SVN and therefore you will receive an error during compiling if you skip this. You will need to obtain the drivers and skip this command if your router requires them.

Add the toolchain to your path so that the compiler is able to locate it, change directory to the SVN source we checked out, and copy a router specific default config:

Code:
export PATH=$PATH:$(pwd)/toolchain-arm_cortex-a9_gcc-8.2.0_musl_eabi/bin
cd linux-4.4/
cp .config_northstar_smp .config

NOTE: You may need to change this to match your router's hardware. To find the correct config, SSH into your router and issue the command "dmesg | grep -i machine". Cross-reference this with your current build's kernel string listed on your router's status page.

Enable the TEE module and disable IPv6:

Code:
echo "CONFIG_NETFILTER_XT_TARGET_TEE=m" >> .config
echo "CONFIG_IPV6=n" >> .config #only if you want to disable IPv6

Now that we have everything we need and all is configured, it is time to start compiling!

Code:
make modules ARCH=arm

NOTE: You may be prompted for additional details. Just press enter to accept the defaults.

The built modules will be in various locations. Let's tidy up by copying them to a new directory:

Code:
cd ..
mkdir -p build
cp linux-4.4/net/ipv6/netfilter/nf_dup_ipv6.ko build/ #only if IPv6 was not disabled
cp linux-4.4/net/ipv4/netfilter/nf_dup_ipv4.ko build/
cp linux-4.4/net/netfilter/xt_TEE.ko build/

If you would like to check the dependencies of the modules, you can do so with:

Code:
modinfo build/nf_dup_ipv6.ko #only if IPv6 was not disabled
modinfo build/nf_dup_ipv4.ko
modinfo build/xt_TEE.ko

It's time to copy our new modules to the router:

Code:
scp -r root@router:/tmp /path/to/working/dir/build


Congrats! You have just completed building the netfilter and TEE modules for your router.

On your router:

Now let's SSH into the router and insert the modules:

Code:
ssh root@router
cd /tmp/build
insmod ipv6 #only if IPv6 was not disabled
insmod nf_dup_ipv6.ko #only if IPv6 was not disabled
insmod nf_dup_ipv4.ko
insmod xt_TEE.ko

Great! Our modules should be inserted and we can now use the built-in iptables command to enable port mirroring. There is plenty of information available for iptables so I won't go into detail but, all of the following commands have been verified to work:

Code:
iptables -t mangle -I PREROUTING -j TEE --gateway [sniffer's ip]
iptables -t mangle -I POSTROUTING -j TEE --gateway [sniffer's ip]
iptables -t mangle -I PREROUTING -i br0 -j TEE --gateway [sniffer's ip]
iptables -t mangle -I POSTROUTING -o br0 -j TEE --gateway [sniffer's ip]
iptables -t mangle -I PREROUTING -s [target's ip] -j TEE --gateway [sniffer's ip]
iptables -t mangle -I POSTROUTING -d [targets's ip] -j TEE --gateway [sniffer's ip]
iptables -t mangle -I FORWARD -j TEE --gateway [sniffer's ip]

iptables -t mangle -D PREROUTING 1
iptables -t mangle -D POSTROUTING 1
iptables -t mangle -D FORWARD 1

iptables -F -t mangle

You can check if a rule was inserted into iptables with:

Code:
iptables -L -n -v -t mangle --line-numbers

The output should look similar to the following:

Code:
Chain PREROUTING (policy ACCEPT 10 packets, 1048 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      549 49886 TEE        all  --  *      *       192.168.2.115        0.0.0.0/0            TEE gw:192.168.2.33

Do note that you will still need to find a way to make the inserted modules persist across reboots. Since I have Entware installed, I copied the modules to a directory on my USB drive and then added the following to my startup script in DD-WRT (the commands would not work in the firewall script for some reason):

Code:
insmod /opt/modules/nf_dup_ipv4.ko
insmod /opt/modules/xt_TEE.ko
iptables -t mangle -A PREROUTING -j TEE --gateway [sniffer's ip]

Also of note: When I first started duplicating packets to the computer I wanted to be my sniffer, I was confused because the packets were being duplicated across my whole network -- not just the IP address I specified for the gateway in iptables. This turned out to be due to a bridge interface that had been setup by a virtual machine on the computer. I removed the bridge interface and the duplication of packets across the whole network stopped.

I sincerely hope that this helps others in their endeavors to enable port mirroring on their router! Until next time...

Computer Details:

OS: Xubuntu 20.04
Release: Ubuntu 20.04.3 LTS focal
Kernel Version: Linux 5.4.0-81-generic #91-Ubuntu SMP Thu Jul 15 19:09:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
CPU Model: Intel(R) Celeron(R) CPU B800

Router Details:

Router Model: Netgear R7000P
Firmware Version: DD-WRT v3.0-r47256 std (08/25/21)
Kernel Version: Linux 4.4.281 #3923 SMP Wed Aug 25 02:51:09 +07 2021 armv7l
CPU Model: Broadcom BCM4708
iptables Version: iptables v1.8.5 (legacy)
Sponsor
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Fri Nov 26, 2021 7:52    Post subject: Reply with quote
@netman74501 Hello =)

Thanks for this great and well writen How-to!
I believe these types of contributions belong in the wiki.

I will sticky it for now so it doesn't get buried in the support part, and have cleanup the extra breaks in code blocks to compress it a bit.

I think however that the best place for this contribution is on our Contributions Upload sub-forum, so I have taken the liberty to move it there.

Thanks again really helpful =)

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Contributions Upload All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum