
How to compile tomato from git sources

Discussion in 'Tomato Firmware' started by onehomelist, May 15, 2010.

  1. onehomelist

    onehomelist Addicted to LI Member

    Most of this guide is based on advice given by teddy_bear in this post: http://www.linksysinfo.org/forums/showthread.php?t=64420

    I wanted to add string match module to iptables, so I'll be showing you the steps I took to do it.

    I did it on ubuntu 10.04 desktop.

    First you need to install build tools. Enter these 3 commands into the terminal

    Code:
    sudo apt-get install gcc g++ binutils patch bzip2 flex bison make gettext unzip zlib1g-dev 
    sudo apt-get install libc6 libncurses5-dev  automake automake1.7 automake1.9 
    sudo apt-get install git-core
     
    Create a directory and cd into it
    Code:
    mkdir tomato_git
    cd tomato_git
    Enter this command
    Code:
    git clone --depth 1 git://repo.or.cz/tomato.git
    You may have to wait a bit. It'll get the source code.

    Once you see 100% on the terminal enter this into the prompt
    Code:
    cd tomato
    git tag | grep tomato
    As you enter the second command above you'll get a list of all the tomato releases. Copy the release which you want to extract. I copied 'tomatousb-K26-1.27.9048.beta18' and added it to the command below

    Code:
    git checkout tomatousb-K26-1.27.9048.beta18
    The toolchain and sources will be extracted into ~/tomato_git/tomato directory

    Create a directory in the user home folder
    Code:
    mkdir ~/tomato
    Move the extracted contents from ~/tomato_git/tomato to ~/tomato by copying all the visible files and directories and pasting them at ~/tomato

    Enter this in the terminal to create a symlink
    Code:
    sudo ln -s ~/tomato/tools/brcm /opt/brcm
    Add PATH by entering this into the terminal

    Code:
    export PATH=$PATH:/opt/brcm/hndtools-mipsel-uclibc/bin;export PATH=$PATH:/opt/brcm/hndtools-mipsel-linux/bin
    Do cd into source directory

    Code:
    cd ~/tomato/release/src-rt
    Code:
    make clean 
    Enter this to compile the firmware.
    Code:
    make V1=9048 V2=MIPSR2-beta18 r2m
    The firmware image will be in tomato/release/src-rt/image directory.

    Now I am going to explain what I did to get string match support working on tomato

    cd into linux kernel directory

    Code:
    cd ~/tomato/release/src-rt/linux/linux-2.6
    edit the file config_base
    Code:
    nano config_base
    Press ctrl+w type 'string' without quotes and press enter

    Remove the line
    Code:
    # CONFIG_NETFILTER_XT_MATCH_STRING is not set
    Add 'CONFIG_NETFILTER_XT_MATCH_STRING=m' to the end of that para. It should look like this

    Code:
    CONFIG_NETFILTER_XT_MATCH_GEOIP=m
    CONFIG_NETFILTER_XT_MATCH_STRING=m
    #
    # IP: Netfilter Configuration
    # 
    
    Do ctrl+o, type enter and do ctrl+x

    Now cd into iptables extension directory

    Code:
    cd ../../router/iptables/extensions/
    open the Makefile

    Code:
    nano Makefile

    add 'string' to the following lines as I have done it

    Code:
    #PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state string tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT
    Code:
    PF_EXT_SLIB+=length limit mac mark mport multiport recent standard state string
    type ctrl+o and ctrl+x

    go back to the src-rt directory
    Code:
    cd ../../../
    Do this

    Code:
    make clean
    Code:
    make V1=9045 V2=MIPSR2-beta11 r2m
    The above command depends on which release you are trying to build from.

    Now you'll have the image which has the string module in it. Flash it to your router. Go to Administration -> Scripts -> firewall and add this

    Code:
    insmod xt_string.ko
    
    # Algo string
     iptables -A FORWARD -m string --algo bm --string "BitTorrent" -j DROP 
     iptables -A FORWARD -m string --algo bm --string "BitTorrent protocol" -j DROP
     iptables -A FORWARD -m string --algo bm --string "peer_id=" -j DROP
     iptables -A FORWARD -m string --algo bm --string ".torrent" -j DROP
     iptables -A FORWARD -m string --algo bm --string "announce.php?passkey=" -j DROP 
     iptables -A FORWARD -m string --algo bm --string "torrent" -j DROP
     iptables -A FORWARD -m string --algo bm --string "announce" -j DROP
     iptables -A FORWARD -m string --algo bm --string "info_hash" -j DROP 
     iptables -A FORWARD -m string --algo bm --string "/default.ida?" -j DROP  #codered virus
     iptables -A FORWARD -m string --algo bm --string ".exe?/c+dir" -j DROP  #nimda virus
     iptables -A FORWARD -m string --algo bm --string ".exe?/c_tftp" -j DROP  #nimda virus 
    # bittorrent key
     iptables -A FORWARD -m string --string "peer_id" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "BitTorrent" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "BitTorrent protocol" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "bittorrent-announce" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "announce.php?passkey=" --algo kmp --to 65535 -j DROP
    # DHT keyword
     iptables -A FORWARD -m string --string "info_hash" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "get_peers" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "announce" --algo kmp --to 65535 -j DROP
     iptables -A FORWARD -m string --string "announce_peers" --algo kmp --to 65535 -j DROP
    
    click save

    ssh into the router and enter this command
    Code:
    service firewall restart
    you can see the chains you had applied by typing

    Code:
    iptables -L
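
The string rules in the post above drop any forwarded packet whose payload contains one of the listed byte strings, so the shortest patterns decide what is really blocked. This added example (not part of the original post) applies the same case-sensitive substring test to two constructed payloads and lists the rules made redundant by a shorter pattern; the function names and sample payloads are assumptions for illustration.

```shell
# Patterns copied from the firewall script in the post (duplicates removed).
PATTERNS='BitTorrent
BitTorrent protocol
peer_id=
peer_id
.torrent
torrent
announce.php?passkey=
announce
announce_peers
bittorrent-announce
info_hash
get_peers
/default.ida?
.exe?/c+dir
.exe?/c_tftp'

# contains HAYSTACK NEEDLE: case-sensitive fixed-string test, the same
# byte-for-byte comparison the string match performs on packet data.
contains() { printf '%s' "$1" | grep -qF -- "$2"; }

# matched_patterns PAYLOAD: print every pattern that occurs in PAYLOAD.
matched_patterns() {
    printf '%s\n' "$PATTERNS" | while IFS= read -r pat; do
        if contains "$1" "$pat"; then printf '%s\n' "$pat"; fi
    done
}

# shadowed_patterns: print "LONG <- SHORT" when SHORT is a substring of LONG.
# Every rule drops, so the LONG rule never blocks anything SHORT lets through.
shadowed_patterns() {
    printf '%s\n' "$PATTERNS" | while IFS= read -r long; do
        printf '%s\n' "$PATTERNS" | while IFS= read -r short; do
            if [ "$long" != "$short" ] && contains "$long" "$short"; then
                printf '%s <- %s\n' "$long" "$short"
            fi
        done
    done
}

# Constructed sample payloads (not captured traffic), both unrelated to BitTorrent.
NEWS='GET /blog/product-announcement.html HTTP/1.1'
MAIL='Subject: Re: torrential rain warning'
for p in "$NEWS" "$MAIL"; do
    printf 'payload: %s\n' "$p"
    matched_patterns "$p" | sed 's/^/  dropped by: /'
done
echo 'rules shadowed by a shorter pattern:'
shadowed_patterns | sed 's/^/  /'
```
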
     
  2. mstombs

    mstombs Network Guru Member

    Useful info as to how you got to where you are, but I don't recall that many steps in the git checkout?

    And what do you expect to achieve adding all those drops to the INPUT chain? I'd recommend you insert in the FORWARD chain, or one of the existing chains such as "wanout" if that's already inserted in the correct place in FORWARD.
     
  3. onehomelist

    onehomelist Addicted to LI Member

    I remember how speedily you and Toastman helped me when I compiled tomato for the first time. Thanks mstombs for the info. You'd suggested same when I had posted the above firewall script in a different thread. I'll certainly try out your advice.
     
  4. Toastman

    Toastman Super Moderator Staff Member Member

    Are those additions to iptables doing the same thing as adding a string into the GUI "Access restrictions"?
     
  5. mstombs

    mstombs Network Guru Member

    Gosh this is an old thread dug up! I recall Tomato access restrictions use a custom iptables extension by Jon - he must have had a reason not to use an existing option - but maybe worth revisiting because iptables/netfilter code has been upgraded many times over the years.
     
  6. shibby20

    shibby20 Network Guru Member

    How to compile any version of Tomato? with or without usb support? with or without vpn support? Mips1 or mips2 version?

    Maybe you explain all parameters of make...
     
  7. rhester72

    rhester72 Network Guru Member

    "make help" explains it all.

    Rodney
     
  8. shibby20

    shibby20 Network Guru Member

    Well, what is a howto for, if all can be found in help, man or the internet?
     
  9. Toastman

    Toastman Super Moderator Staff Member Member

    Look in the makefile also. It's surprising what you'll find.
     
