Chronicles of iplist in Debian NSLU2 part 2

Notes on part 2

Part 2 chronicles my first attempt to build iplist on the Debian NSLU2. I started by using the official packages from the main repository, and the “standard Debian” build method used by iplist.

I should mention this was my very first experience building in the Debian platform. In addition, I have very little prior experience building software in any Linux environment. As best I could tell, I was following the right method and did not make any dumb mistake, but you never know. :)

I seem to recall it is possible to use QEMU to set up a virtual slug on a desktop PC and work from there. However, I opted to work directly on the slug itself. I was not sure whether this was a good idea, but I just wanted to get started and not mess around with a virtual machine at this time. Furthermore, some of the Debian NSLU2 pages on the NSLU2-Linux site appeared to have been spammed/defaced while I was working on this, and I could not find the relevant information I needed.

Getting the source code

The iplist source code can be found at the iplist website. Currently, the latest version is 0.23.

I recommend working in a temporary subdirectory.

mkdir ~/temp
cd ~/temp

You could download the file using a web browser on a PC, then transfer it to the slug, or you could run this command from the slug itself:

wget http://downloads.sourceforge.net/iplist/iplist-0.23.tar.gz

Extract the archive:

tar xvf iplist-0.23.tar.gz

Understand the build instructions

Read the file “INSTALL” for build instructions:

cd iplist-0.23/
nano INSTALL

Install dependencies

The following dependencies were mentioned in the build instructions:

  1. g++
  2. libnetfilter-queue-dev
  3. libnfnetlink-dev
  4. zlib1g-dev

I already have g++ installed through the package “build-essential”. In any case, this command will install everything:

sudo apt-get install build-essential libnetfilter-queue-dev \
	libnfnetlink-dev zlib1g-dev

Install required tools

Since I was attempting the “standard” Debian build, the build instructions mentioned the following tools were required:

  1. debhelper
  2. fakeroot

sudo apt-get install debhelper fakeroot

Removing ipblock GUI dependencies

The iplist package comes with ipblock, the user interface to the underlying iplist. You use ipblock on the command line to start, stop, check status, etc. ipblock is also available as a GUI (it uses Java) by adding the “-g” switch to the command. Obviously, for the slug with its terminal-only interface, we should remove the GUI parts that would cause build errors.

I did not attempt the complete removal of all GUI dependencies, since that would probably require going through the entire source code. Instead, I removed only the bare minimum necessary to allow a successful build. A quick search on Google guided me to Headless torrentbox with ipblock.

Basically, you edit the file “debian/control” and remove the GUI dependencies.

nano debian/control

Remove the last part of the line starting with “Depends:”. Specifically, delete this portion:

, openjdk-6-jre | sun-java-jre, gksu

In addition, I found the build process failed on the line containing “dh_icons” in the file “debian/rules”, so I had to remove that as well.

nano debian/rules

Find the “dh_icons” line and comment out or delete it. This line should be located near the end of the file.

Out of memory problem

My first few attempts to build iplist resulted in the following error:

g++: Internal error: Killed (program cc1plus)

This error baffled me for a while until I found GCC Bugzilla Bug 34882.

The slug’s serial port was connected to an older PC which has a serial port. I switched over my shared LCD monitor to that PC, and sure enough I saw the “Out of memory” message in the terminal.

Incidentally, after this I realised the convenience of keeping the serial output in view. Therefore, I opened a second terminal window on my work PC, ssh'd into the older PC and ran the serial port monitor from there.

ssh user@ipaddr
picocom -b 115200 /dev/ttyS0

Here, user is the user name on the older PC and ipaddr its IP address.

To investigate the “Out of memory” error, I ran:

free -m

This showed that the slug had indeed run out of physical memory, but the swap was barely used.

It appeared my current “swappiness” setting was a hindrance at this point. I had installed Debian NSLU2 (including the swap space) onto a USB thumbdrive, which is basically flash memory. Setting the swappiness to 0 greatly reduced writing to the swap and supposedly would improve the thumbdrive's life span.

But to solve the “Out of memory” problem, I had to remove this custom swappiness setting. After that, the build completed successfully.

Building iplist

Once all the kinks were worked out, building iplist took one command:

make deb

It took about 24 minutes to run the entire build in the slug. I kept wanting to cheer the little fellow on: come on little buddy; you can make it little buddy. :)

Installing iplist

Once the build was completed, the deb package appeared one directory up. Use “dpkg” to install it:

cd ..
sudo dpkg -i iplist_0.23-0lenny1_arm.deb

I noticed the package was marked “lenny”, but I was actually running Debian Etch. It installed nonetheless.

Configuring iplist

Before test-running iplist for the first time, I prepared the configuration. I was not sure whether this was absolutely necessary, but I got some information about it from HOWTO: Graphical IP Blocker.

Create file “/var/cache/iplist/whitelist”:

sudo nano /var/cache/iplist/whitelist

Add the IPs of localhost and the local network, e.g.:

localhost:127.0.0.1-127.0.0.1
LocalNetwork:192.168.1.1-192.168.1.255

Edit file “/etc/ipblock.conf” to add the previous file “whitelist” into the ALLOW_LIST:

sudo nano /etc/ipblock.conf

Change line:

ALLOW_LIST=""

to:

ALLOW_LIST="whitelist"
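As an added illustration (not part of the original post and not iplist's own code), the following Python sketch parses lists in the name:first-last format used for the whitelist above and decides what happens to an address, checking the whitelist before the block lists. The whitelist entries are the two from the post; the block list names and ranges are constructed from RFC 5737 documentation addresses, and the rule that an ALLOW_LIST match wins over a block list match is an assumption about ipblock's behaviour.

```python
import ipaddress
from bisect import bisect_right

# Constructed sample lists in the "name:first-last" (p2p) format iplist reads. Whitelist
# entries are the two from the post; block ranges use RFC 5737 addresses and made-up names.
WHITELIST = """\
localhost:127.0.0.1-127.0.0.1
LocalNetwork:192.168.1.1-192.168.1.255
"""
BLOCKLIST = """\
# comment lines and blank lines are skipped
Example-Org-A:198.51.100.0-198.51.100.255
Example-Org-B:203.0.113.16-203.0.113.31
Overlaps-Local:192.168.1.1-192.168.1.255
"""


def parse_p2p(text):
    """Parse p2p lines into (first, last, name) tuples sorted by first address."""
    ranges = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition: a list name may contain ':' but the range part never does
        name, _, span = line.rpartition(":")
        first, _, last = span.partition("-")
        lo = int(ipaddress.IPv4Address(first))
        hi = int(ipaddress.IPv4Address(last))
        if not name or hi < lo:
            raise ValueError(f"line {lineno}: malformed entry {line!r}")
        ranges.append((lo, hi, name))
    ranges.sort()
    return ranges


def lookup(ranges, ip):
    """Return the name of a range containing ip, or None if nothing matches."""
    addr = int(ipaddress.IPv4Address(ip))
    starts = [lo for lo, _, _ in ranges]
    i = bisect_right(starts, addr) - 1
    # Ranges may overlap, so walk back over every range that starts at or before addr.
    while i >= 0:
        lo, hi, name = ranges[i]
        if lo <= addr <= hi:
            return name
        i -= 1
    return None


def verdict(ip, allow, block):
    """Assumed ipblock precedence: an ALLOW_LIST match wins over any block list match."""
    hit = lookup(allow, ip)
    if hit:
        return ("ALLOW", hit)
    hit = lookup(block, ip)
    return ("BLOCK", hit) if hit else ("ALLOW", None)
```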

Download block lists and start iplist

It’s almost time to start iplist for the first time. To find out the command line options:

sudo ipblock -h

This was the output:

IPblock 0.23
Copyright (C) 2008 Serkan Sakar 

Usage: ipblock [options]

Options:
 -s	start blocking
 -d	stop blocking
 -r	restart IPblock
 -u	update lists
 -c	convert lists to ipl format
 -g	start IPblock GUI
 -l	show status
 -v	show version and exit
 -h	show this help

First, I tested downloading the preset block lists.

sudo ipblock -u

This took a few minutes. After it completed I checked the directory “/var/cache/iplist” to see if the preset block lists were fully downloaded.

ls /var/cache/iplist/

Hurray! Success!

Now, start iplist:

sudo ipblock -s

It took about 6 seconds, then the prompt returned.

Did it work?

Unfortunately, it didn’t. Everything appeared to be blocked, and if I recall correctly, I had to reboot once because my ssh connection stopped responding.

Investigating the problem

To investigate what went wrong, I ran this command:

sudo cat /usr/var/log/syslog | grep iplist

This revealed an error message:

error: can't set packet_copy mode

Some googling brought me to Debian Bug report logs – #466645.

The bug was unresolved. A patch was suggested but there was no further reply from the original bug reporter. So, it’s unclear whether the patch worked or not.

Conclusion

In closing, my first attempt at getting iplist to work on the Debian NSLU2 did not succeed.

Next step: find out how to apply the proposed patch from the Debian bug report. And how to rebuild libnfnetlink after that.

Comments 10

  1. uljanow wrote:

    Nice Chronicles! I’ve uploaded a modified version for arm that might work. It fixes the packet_copy error. The version 0.2 uses less RAM than the latest version but iplist isn’t optimized to run on devices with 32MB of RAM.

    http://iplist.sourceforge.net/source/iplist-0.2~arm.tar.gz

    Regards,
    Serkan

    Posted 24 Nov 2008 at 5:07 pm
  2. uljanow wrote:

    I’ve uploaded a modified version that might work on ARM. It fixed the packet_mode error, uses less RAM than the latest version and doesn’t have GUI support. However iplist is not optimized to run on embedded devices.

    http://iplist.sf.net/source/iplist-0.2~arm.tar.gz

    Regards,
    Serkan

    p.s. this might be a double post

    Posted 24 Nov 2008 at 6:42 pm
  3. chewearn wrote:

    hi Serkan,
    Thanks for the help! I will try it out.

    I should mention I have two other blog posts already in the pipeline.

    First, patching the source code, which turned out did not solve the problem. This post will be published on Thursday.

    Sometime next week, another blog post will describe building iplist with the latest netfilter.org source code. The packet_mode error was solved using that. However, I now see a new problem, which might be related to missing GUI (but I haven’t got the chance to debug).

    Your new code release (with GUI removed) will certainly save me a lot of time. Thank you!

    p.s. Your first comment got wrongly flagged as spam by Askimet, sorry about that.

    Posted 24 Nov 2008 at 7:11 pm
  4. uljanow wrote:

    I’ve built a binary Debian package for armel (Lenny) and tested it successfully on Qemu without any modifications of libs. I used the versatile kernel.

    http://iplist.sourceforge.net/source/iplist_0.24-0cli1_armel.deb

    Posted 25 Nov 2008 at 3:03 am
  5. chewearn wrote:

    hi Serkan
    Thanks for the assistance, I will test the new binary.

    Posted 25 Nov 2008 at 12:51 pm
  6. Alan wrote:

    I found your blog today after failing to get Moblock and nfblockd working. The latest and best source for the Slug is at http://iplist.sf.net/source/iplist-0.24~arm0.tar.gz
    This version actually appears to work, while the 24-Ubuntu3 version didn’t for me.

    I removed the allow http port, for testing and only used 2 block lists

    # cat /tmp/ipblock.log
    2008-12-07 21:34:52 URL:http://blocklist.drowning-madness.com/biss/level1.gz [3717308/3717308] -> “level1.gz” [1]
    2008-12-07 21:34:57 URL:http://bluetack4.snowmanuk.net/bluetack/bogon.gz [40809/40809] -> “bogon.gz” [1]
    21:56:08 OUTPUT: Match=AppleComputer,Inc Hits=1 Target=REPEAT SRC=192.168.1.8:53249 DST=17.112.152.32:2 Proto=TCP
    21:57:06 OUTPUT: Match=AppleComputer,Inc Hits=2 Target=REPEAT SRC=192.168.1.8:53249 DST=17.112.152.32:2 Proto=TCP
    21:59:16 OUTPUT: Match=S.N.C.F Hits=1 Target=REPEAT SRC=192.168.1.8:56833 DST=148.169.128.12:3 Proto=TCP
    21:59:23 OUTPUT: Match=S.N.C.F Hits=2 Target=REPEAT SRC=192.168.1.8:56833 DST=148.169.128.12:1 Proto=TCP
    22:09:04 OUTPUT: Match=AppleComputer,Inc Hits=3 Target=REPEAT SRC=192.168.1.8 DST=17.112.152.32 Proto=ICMP
    22:09:05 OUTPUT: Match=AppleComputer,Inc Hits=4 Target=REPEAT SRC=192.168.1.8 DST=17.112.152.32 Proto=ICMP
    22:09:06 OUTPUT: Match=AppleComputer,Inc Hits=5 Target=REPEAT SRC=192.168.1.8 DST=17.112.152.32 Proto=ICMP

    # ping http://www.google.com
    PING google.navigation.opendns.com (208.69.34.231) 56(84) bytes of data.
    64 bytes from google.navigation.opendns.com (208.69.34.231): icmp_seq=1 ttl=49 time=15.6 ms
    64 bytes from google.navigation.opendns.com (208.69.34.231): icmp_seq=2 ttl=49 time=15.1 ms
    64 bytes from google.navigation.opendns.com (208.69.34.231): icmp_seq=3 ttl=49 time=14.8 ms
    64 bytes from google.navigation.opendns.com (208.69.34.231): icmp_seq=4 ttl=49 time=14.9 ms

    # ping http://www.apple.com
    PING http://www.apple.com.akadns.net (17.112.152.32) 56(84) bytes of data.
    From Slug.local (192.168.1.8) icmp_seq=1 Destination Port Unreachable
    From Slug.local (192.168.1.8) icmp_seq=2 Destination Port Unreachable
    ^C

    Swap space ???
    # free
                  total   used    free  shared  buffers  cached
    Mem:          29516  28228    1288       0     1076   10188
    -/+ buffers/cache:   16964   12552
    Swap:        248968  28704  220264

    I haven’t found any problems yet.

    Posted 08 Dec 2008 at 6:03 am
  7. chewearn wrote:

    hi Alan
    Thanks for commenting about your test.

    I was working on the earlier arm version (as linked by uljanow) and it did not work. I guess I should now work with the updated version instead.

    However, a big problem remains: the lack of memory space when the largest blocklist is enabled. As soon as the memory started to swap, everything slowed to a crawl. I can’t see any alternative except to hack a fatslug.

    Posted 08 Dec 2008 at 8:20 am
  8. Alan wrote:

    Hi,
    I have been running it for a couple of days now, using Debian sid on my NSLU2, so there is no need for the netlink compiling.
    I run rtorrent, mpd, mt-daapd, afp, and occasionally mplayer for BBC radio. I have 256MB of swap of which 28MB is used – but not heavily swapped, except when starting ipblock.

    CPU[|||||||||||||||||||||||||| 51.5%] Tasks: 37 total, 1 running
    Mem[||||||||||||||||||||||||||||||||||||||||||18/28MB] Load average: 2.68 2.22 1.40
    Swp[|||||| 27/243MB] Uptime: 20:25:33

    PID USER PRI NI VIRT RES SHR S CPU% MEM% TIME+ Command
    1700 mt-daapd 20 0 54332 6500 1148 S 0.0 22.0 0:00.10 /usr/sbin/mt-daapd
    3131 mt-daapd 20 0 54332 6500 1148 S 0.0 22.0 0:38.20 /usr/sbin/mt-daapd
    1625 mt-daapd 20 0 54332 6500 1148 S 0.0 22.0 1:25.03 /usr/sbin/mt-daapd
    3129 alan 20 0 28452 6076 4304 D 27.5 20.6 1:28.75 rtorrent
    3113 mpd 20 0 44832 2544 1232 S 0.0 8.6 0:00.17 /usr/bin/mpd /etc/mpd.conf
    3114 mpd 20 0 44832 2544 1232 S 0.0 8.6 0:00.00 /usr/bin/mpd /etc/mpd.conf
    3117 mpd 20 0 44832 2544 1232 S 0.0 8.6 0:00.01 /usr/bin/mpd /etc/mpd.conf
    3107 mpd 20 0 44832 2544 1232 S 0.0 8.6 0:00.63 /usr/bin/mpd /etc/mpd.conf
    3000 root 15 -5 22436 2248 792 S 0.0 7.6 0:00.00 iplist --daemon -q -f /tmp/ipblock.log -l match
    3001 root 15 -5 22436 2248 792 S 0.0 7.6 0:00.06 iplist --daemon -q -f /tmp/ipblock.log -l match
    3064 root 15 -5 22436 2248 792 S 0.0 7.6 0:00.40 iplist --daemon -q -f /tmp/ipblock.log -l match
    2998 root 15 -5 22436 2248 792 S 0.0 7.6 1:01.16 iplist --daemon -q -f /tmp/ipblock.log -l match
    3118 alan 20 0 16344 1244 1052 S 0.0 4.2 0:14.98 /usr/sbin/afpd -U uams_dhx.so,uams_clrtxt.so,uams_randnum
    3149 alan 20 0 2896 1168 924 R 5.4 4.0 0:05.71 htop
    2133 alan 20 0 3504 908 684 S 0.0 3.1 0:00.32 /bin/bash
    2829 alan 20 0 3488 872 640 S 0.0 3.0 0:00.30 -bash
    3119 root 20 0 9020 808 724 S 0.0 2.7 0:02.39 /usr/sbin/cnid_dbd /lib/afpd/alan/.AppleDB 4 2
    2853 root 20 0 2984 792 576 S 0.0 2.7 0:00.52 -bash

    as you can see mpd & mt-daapd take more resources.
    I can simultaneously have iTunes playing the mt-daapd, and AFP serving an avi to mplayer on a Mac, and downloading torrents, without any drop-outs. Armel rocks – I compiled everything with -mcpu=xscale

    Ipblock -l

    Queue  Policy (mark)   Ranges  Target (mark)   File
    255    REPEAT (65534)  200776  REPEAT (65535)  /var/cache/iplist/pipfilter.dat.gz
                                   REPEAT (65535)  /var/cache/iplist/level1.gz
                                   REPEAT (65535)  /var/cache/iplist/level2.gz
                                   REPEAT (65535)  /var/cache/iplist/level3.gz
                                   REPEAT (65535)  /var/cache/iplist/tbg_primarythreats.gz
                                   REPEAT (65535)  /var/cache/iplist/nipfilter.dat.gz
                                   REPEAT (65535)  /var/cache/iplist/bogon.gz
                                   REPEAT (65535)  /var/cache/iplist/pipfilter.dat.gz
                                   REPEAT (65535)  /var/cache/iplist/level1.gz
                                   REPEAT (65535)  /var/cache/iplist/level2.gz
                                   REPEAT (65535)  /var/cache/iplist/level3.gz
                                   REPEAT (65535)  /var/cache/iplist/tbg_primarythreats.gz
                                   REPEAT (65535)  /var/cache/iplist/nipfilter.dat.gz
                                   REPEAT (65535)  /var/cache/iplist/bogon.gz

    Chain BLOCK_MATCH (2 references)
     pkts bytes target  prot opt in  out  source     destination
       57  2948 REJECT  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    reject-with tcp-reset
        0     0 REJECT  all  --  *   *    0.0.0.0/0  0.0.0.0/0    reject-with icmp-port-unreachable

    Last Updated Tue Dec 9 01:47:02 CET 2008
    Last log messages (/tmp/ipblock.log):
    23:06:03 OUTPUT: Match=Giga-H Hits=1 Target=REPEAT SRC=192.168.1.8:55568 DST=193.37.152.226:65535 Proto=TCP
    23:06:22 INPUT: Match=UNITED Hits=1 Target=REPEAT SRC=130.37.30.156:64000 DST=192.168.1.8:0 Proto=TCP
    23:06:22 INPUT: Match=UNITED Hits=2 Target=REPEAT SRC=130.37.30.156:64000 DST=192.168.1.8:0 Proto=TCP
    23:08:11 INPUT: Match=IPpoo Hits=1 Target=REPEAT SRC=86.142.17.27:54784 DST=192.168.1.8:0 Proto=TCP
    23:08:12 INPUT: Match=IPpoo Hits=2 Target=REPEAT SRC=86.142.17.27:54784 DST=192.168.1.8:0 Proto=TCP
    23:08:12 INPUT: Match=IPpoo Hits=3 Target=REPEAT SRC=86.142.17.27:54784 DST=192.168.1.8:0 Proto=TCP
    23:08:36 INPUT: Match=TPNET, Hits=16 Target=REPEAT SRC=83.18.100.98:52736 DST=192.168.1.8:0 Proto=TCP
    23:08:37 INPUT: Match=TPNET, Hits=17 Target=REPEAT SRC=83.18.100.98:52736 DST=192.168.1.8:0 Proto=TCP
    23:08:43 INPUT: Match=TPNET, Hits=18 Target=REPEAT SRC=83.18.100.98:52736 DST=192.168.1.8:0 Proto=TCP
    23:14:53 OUTPUT: Match=Royal Hits=1 Target=REPEAT SRC=192.168.1.8:44032 DST=130.243.189.100:0 Proto=TCP

    I had to change the ipblock config :
    IPTABLES_CHAIN_ALLOW="OUTPUT INPUT"
    to whitelist the input as well as the input.

    ipblock also loads a lot quicker if the blocklists are converted with ipblock -c before starting.

    Alan

    Posted 10 Dec 2008 at 6:32 am
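As an added example (written for this page, not by the post's author or its commenters), a small Python parser for the hit lines of /tmp/ipblock.log in the format quoted in Alan's two comments above. It handles both the TCP lines with ports and the ICMP lines without, skips the download lines, and summarises which remote addresses triggered which list entry; the sample lines are copied from those comments and the function names are my own.

```python
import re
from collections import Counter, defaultdict

# Sample excerpt of /tmp/ipblock.log, copied from the comments above: one wget
# download line (ignored), TCP hits with ports and one ICMP hit without ports.
SAMPLE_LOG = """\
2008-12-07 21:34:57 URL:http://bluetack4.snowmanuk.net/bluetack/bogon.gz [40809/40809] -> "bogon.gz" [1]
21:56:08 OUTPUT: Match=AppleComputer,Inc Hits=1 Target=REPEAT SRC=192.168.1.8:53249 DST=17.112.152.32:2 Proto=TCP
21:57:06 OUTPUT: Match=AppleComputer,Inc Hits=2 Target=REPEAT SRC=192.168.1.8:53249 DST=17.112.152.32:2 Proto=TCP
22:09:04 OUTPUT: Match=AppleComputer,Inc Hits=3 Target=REPEAT SRC=192.168.1.8 DST=17.112.152.32 Proto=ICMP
23:06:22 INPUT: Match=UNITED Hits=1 Target=REPEAT SRC=130.37.30.156:64000 DST=192.168.1.8:0 Proto=TCP
23:08:36 INPUT: Match=TPNET, Hits=16 Target=REPEAT SRC=83.18.100.98:52736 DST=192.168.1.8:0 Proto=TCP
23:08:37 INPUT: Match=TPNET, Hits=17 Target=REPEAT SRC=83.18.100.98:52736 DST=192.168.1.8:0 Proto=TCP
"""

# Match names may contain commas or dots, so they are taken non-greedily up to
# the " Hits=" field; the :port suffixes on SRC/DST are absent on ICMP lines.
HIT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<chain>INPUT|OUTPUT): "
    r"Match=(?P<match>.+?) Hits=(?P<hits>\d+) Target=(?P<target>\S+) "
    r"SRC=(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"DST=(?P<dst>[\d.]+)(?::(?P<dport>\d+))? Proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Return one dict per hit line; non-hit lines (downloads, blanks) are skipped."""
    records = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["hits"] = int(rec["hits"])
        for port in ("sport", "dport"):
            rec[port] = int(rec[port]) if rec[port] is not None else None
        # The remote peer is the source of INPUT hits and the destination of OUTPUT hits.
        rec["remote"] = rec["src"] if rec["chain"] == "INPUT" else rec["dst"]
        records.append(rec)
    return records


def summarize(records):
    """Count hit lines per (chain, list entry) and collect the remote addresses behind them."""
    counts = Counter((r["chain"], r["match"]) for r in records)
    remotes = defaultdict(set)
    for r in records:
        remotes[(r["chain"], r["match"])].add(r["remote"])
    return counts, dict(remotes)
```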
  9. chewearn wrote:

    hi Alan,
    Thanks for the update. I have been using Debian Etch. Apart from the memory overload, I have been seeing some problems on the UI.

    I guess upgrade to Lenny or Sid should solve most of these problems.

    Posted 10 Dec 2008 at 12:53 pm
  10. johnny wrote:

    Thanks for good post

    Posted 01 Jan 2009 at 4:45 am
