upgrade-iptables
Check
# hostnamectl
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-957.12.1.el7.x86_64
Architecture: x86-64
E0314 18:12:59.860611 18056 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0406 08:55:09.016861 14011 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0501 22:26:04.529463 25878 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 6 failed
E0506 11:18:24.209635 26103 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0506 11:18:48.060733 26595 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0506 11:20:10.861899 27305 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 6 failed
E0506 11:24:45.973404 27939 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 6 failed
E0506 11:26:47.890014 29052 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
E0526 11:19:26.737418 6591 proxier.go:1187] Failed to execute iptables-restore: exit status 2 (iptables-restore v1.4.21: Couldn't load target `KUBE-MARK-DROP':No such file or directory
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
####
I0528 16:53:50.862567 12228 iptables.go:327] running iptables-save [-t nat]
I0528 16:53:50.865041 12228 iptables.go:391] running iptables-restore [-w 5 -T nat --noflush --counters]
E0528 16:53:50.873001 12228 proxier.go:430] Failed to execute iptables-restore for nat: exit status 1 (iptables-restore: line 7 failed
)
sudo iptables --version
iptables v1.4.21
sudo iptables-restore --help
Usage: iptables-restore [-b] [-c] [-v] [-V] [-t] [-h] [-W usecs]
[ --binary ]
[ --counters ]
[ --verbose ]
[ --version]
[ --test ]
[ --help ]
[ --noflush ]
[ --wait=<seconds>
[ --wait-interval=<usecs>
[ --table=<TABLE> ]
[ --modprobe=<command>]
Build
## Install gcc and other dependencies
sudo yum install -y net-tools curl wget git vim jq socat conntrack ipvsadm ipset sysstat libseccomp gcc gcc-c++ cmake make bzip2 automake autoconf libtool flex bison pcre-devel zlib-devel openssl openssl-devel bridge-utils bind-utils
sudo yum install -y libnfnetlink-devel libnl3 libnl3-devel systemd-devel libuuid-devel
sudo yum install -y device-mapper-persistent-data lvm2
sudo yum install -y libmnl-devel libnftnl-devel libnetfilter_conntrack-devel libnetfilter_queue-devel libpcap-devel
## Download
wget http://ftp.netfilter.org/pub/iptables/iptables-1.6.2.tar.bz2
tar -xjf iptables-1.6.2.tar.bz2
cd iptables-1.6.2
./configure --prefix=/usr/local --with-xt-lock-name=/var/run/xtables.lock --enable-libipq --enable-nfsynproxy --enable-bpf-compiler
## Compile
make
## Install
sudo make install
## Replace
sudo rm -rf /usr/sbin/iptables
sudo rm -rf /usr/sbin/iptables-restore
sudo rm -rf /usr/sbin/iptables-save
sudo rm -rf /usr/bin/iptables-xml
sudo ln -s /usr/local/sbin/xtables-multi /usr/bin/iptables-xml
sudo ln -s /usr/local/sbin/xtables-multi /usr/sbin/iptables
sudo ln -s /usr/local/sbin/xtables-multi /usr/sbin/iptables-restore
sudo ln -s /usr/local/sbin/xtables-multi /usr/sbin/iptables-save
## Check the version
iptables --version
iptables v1.6.2
## Check iptables-restore
sudo iptables-restore --help
Usage: iptables-restore [-c] [-v] [-V] [-t] [-h] [-n] [-w secs] [-W usecs] [-T table] [-M command]
[ --counters ]
[ --verbose ]
[ --version]
[ --test ]
[ --help ]
[ --noflush ]
[ --wait=<seconds>
[ --wait-interval=<usecs>
[ --table=<TABLE> ]
[ --modprobe=<command> ]
## Reboot the machine
sudo reboot
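The Replace step deletes the distribution binaries and points four names at `xtables-multi`, so a wrong or dangling link leaves the host without a working `iptables`. The following added example (not part of the original notes) checks each link and the reported version; the `ROOT` argument, the function names and the `--live` flag are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: verify the symlink replacement from the "Replace" step.
# ROOT is an assumed parameter ("" means the live system) so the check can
# also be pointed at a scratch directory tree.

LINKS="usr/sbin/iptables usr/sbin/iptables-restore usr/sbin/iptables-save usr/bin/iptables-xml"
TARGET="usr/local/sbin/xtables-multi"

# Print one status line per link; the return code is the number of bad links.
check_iptables_links() {
    local root="$1" bad=0 rel link
    for rel in $LINKS; do
        link="$root/$rel"
        if [ ! -L "$link" ]; then
            echo "FAIL $link: not a symlink"; bad=$((bad + 1))
        elif [ "$(readlink "$link")" != "$root/$TARGET" ]; then
            echo "FAIL $link: points to $(readlink "$link")"; bad=$((bad + 1))
        elif [ ! -x "$link" ]; then
            echo "FAIL $link: target missing or not executable"; bad=$((bad + 1))
        else
            echo "OK   $link"
        fi
    done
    return "$bad"
}

# Succeed only if `iptables --version` output ($1) is at least version $2.
version_at_least() {
    local have want="$2"
    have=$(printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p')
    [ -n "$have" ] || return 2          # output not in the expected format
    [ "$(printf '%s\n%s\n' "$want" "$have" | sort -V | head -n1)" = "$want" ]
}

# Check the live system only when asked to: ./check-iptables.sh --live
if [ "${1:-}" = "--live" ]; then
    check_iptables_links "" && version_at_least "$(iptables --version)" 1.6.2
fi
```

Running the check before the reboot catches a missing `make install` result while the old packages can still be reinstalled from the same session.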
Errors
*** Error: No suitable libmnl found. ***
Please install the 'libmnl' package
Or consider --disable-nftables to skip
iptables-compat over nftables support.
*** Error: no suitable libnftnl found. ***
Please install the 'libnftnl' package
Or consider --disable-nftables to skip
iptables-compat over nftables support.
---> Package libmnl-devel.x86_64 0:1.0.3-7.el7 will be installed
---> Package libnftnl.x86_64 0:1.0.8-1.el7 will be installed
---> Package libnetfilter_conntrack-devel.x86_64 0:1.0.6-1.el7_3 will be installed
---> Package libnetfilter_queue-devel.x86_64 0:1.0.2-2.el7_2 will be installed
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support: yes
IPQ support: no
Large file support: yes
BPF utils support: no
nfsynproxy util support: no
nftables support: yes
connlabel support: no
Build parameters:
Put plugins into executable (static): no
Support plugins via dlopen (shared): yes
Installation prefix (--prefix): /usr/local
Xtables extension directory: /usr/local/lib/xtables
Pkg-config directory: /usr/local/lib/pkgconfig
Xtables lock file: /run/xtables.lock
Host: x86_64-pc-linux-gnu
GCC binary: gcc
Iptables modules that will not be built: connlabel
WARNING: libnetfilter_conntrack not found, connlabel match will not be built
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating extensions/GNUmakefile
config.status: creating include/Makefile
config.status: creating iptables/Makefile
config.status: creating iptables/xtables.pc
config.status: creating iptables/iptables.8
config.status: creating iptables/iptables-extensions.8.tmpl
config.status: creating iptables/iptables-save.8
config.status: creating iptables/iptables-restore.8
config.status: creating iptables/iptables-apply.8
config.status: creating iptables/iptables-xml.1
config.status: creating libipq/Makefile
config.status: creating libipq/libipq.pc
config.status: creating libiptc/Makefile
config.status: creating libiptc/libiptc.pc
config.status: creating libiptc/libip4tc.pc
config.status: creating libiptc/libip6tc.pc
config.status: creating libxtables/Makefile
config.status: creating utils/Makefile
config.status: creating include/xtables-version.h
config.status: creating include/iptables/internal.h
config.status: creating utils/nfnl_osf.8
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support: yes
IPQ support: no
Large file support: yes
BPF utils support: no
nfsynproxy util support: no
nftables support: yes
connlabel support: yes
error: missing libpcap library required by bpf compiler or nfsynproxy tool
Iptables Configuration:
IPv4 support: yes
IPv6 support: yes
Devel support: yes
IPQ support: yes
Large file support: yes
BPF utils support: yes
nfsynproxy util support: yes
nftables support: yes
connlabel support: yes
Build parameters:
Put plugins into executable (static): no
Support plugins via dlopen (shared): yes
Installation prefix (--prefix): /usr/local
Xtables extension directory: /usr/local/lib/xtables
Pkg-config directory: /usr/local/lib/pkgconfig
Xtables lock file: /var/run/xtables.lock
Host: x86_64-pc-linux-gnu
GCC binary: gcc
Last updated 2019-05-29