
2. Patch-O-Matic

2.1 What is Patch-O-Matic ?

Netfilter developers distribute a set of patches packaged so that they can be used by their `patch-o-matic' (or `p-o-m') system. p-o-m is a script that guides you through the process of choosing the patches you want to apply, and automatically patches the kernel for you.

First, you should get the latest CVS tree, to be sure that you are using the latest extensions. To do so, perform :

# cvs -d :pserver:[email protected]:/cvspublic login

(When it asks you for a password type `cvs').

# cvs -d :pserver:[email protected]:/cvspublic co netfilter/userspace netfilter/patch-o-matic

This will create the toplevel directory `netfilter/', and will check out all the files inside for you :

# ls -l netfilter/
total 3
drwxr-xr-x    2 root     root          160 Nov  7 14:48 CVS/
drwxr-xr-x   13 root     root          488 Nov  7 14:54 patch-o-matic/
drwxr-xr-x    9 root     root          864 Nov  7 14:48 userspace/

Make sure your kernel source is ready in `/usr/src/linux/'. If for whatever reason the kernel you want to patch is not in `/usr/src/linux/', then you can make the variable KERNEL_DIR point to the path where your kernel is :

# export KERNEL_DIR=/the/path/linux

Make sure the dependencies are made already. If unsure :

# cd /usr/src/linux/
# make dep

Then you can go back to the netfilter directory and enter its `patch-o-matic/' subdirectory. You can now invoke p-o-m.

2.2 Running Patch-O-Matic

While in the `patch-o-matic/' directory, let's run p-o-m :

# ./runme extra

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------

Already applied: 2.4.1 2.4.4
Testing... name_of_the_patch NOT APPLIED ( 2 missing files)
The name_of_the_patch patch:
   Here usually is the help text describing what
   the patch is for, what you can expect from it,
   and what you should not expect from it.
Do you want to apply this patch [N/y/t/f/q/?]

p-o-m will go through most of the patches. Those that are already applied are listed on the `Already applied:' first line. Those that are not applied yet are presented one at a time, with the name of the patch and some explanations. p-o-m will tell you what is going on : `NOT APPLIED ( n missing files)' simply means the patch has not been applied yet, whereas `NOT APPLIED ( n rejects out of n hunks)' generally means that :

  1. Either the patch cannot be applied cleanly...
  2. ...Or the patch has already been included in the kernel you are trying to patch.

Finally it will prompt you to decide whether or not to patch it.
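The two causes of `rejects' listed above can be told apart before you answer the prompt: a patch that is already in the tree will fail to apply forward but will apply cleanly in reverse, while a patch that conflicts with your tree fails in both directions. The following shell script is an added example, not part of this HOWTO or of patch-o-matic's own `runme'; it assumes GNU patch(1) and diff(1) are installed and builds its own small constructed tree and patch instead of touching a real kernel.

```shell
#!/bin/sh
# Added example, not taken from this HOWTO or from patch-o-matic's runme:
# classify a patch against a source tree before answering the p-o-m prompt.
# Assumes GNU patch(1) and diff(1) are installed; all files are constructed.

# classify_patch TREE PATCHFILE
# Prints one word and returns 0 for the two usable outcomes:
#   applies          - a forward dry run succeeds (p-o-m: "n missing files")
#   already-applied  - forward fails but the reverse dry run succeeds
#                      (p-o-m: rejects, because the change is already there)
#   conflicts        - neither direction applies cleanly (returns 1)
classify_patch() {
    tree=$1
    pf=$2
    # -f never asks questions, -s keeps it quiet, --dry-run touches nothing
    if (cd "$tree" && patch -p1 -f -s --dry-run < "$pf" >/dev/null 2>&1); then
        echo applies
        return 0
    fi
    # -R tries to back the change out: if that works, it was already in
    if (cd "$tree" && patch -p1 -R -f -s --dry-run < "$pf" >/dev/null 2>&1); then
        echo already-applied
        return 0
    fi
    echo conflicts
    return 1
}

# make_demo DIR: builds a constructed one-file "kernel tree" in three states
# plus the unified diff between the original and the patched version.
make_demo() {
    d=$1
    mkdir -p "$d/a/net" "$d/b/net"
    printf 'line1\nline2\nline3\n' > "$d/a/net/core.c"
    printf 'line1\nline2 patched\nline3\n' > "$d/b/net/core.c"
    # diff exits 1 when the files differ, which is what we want here
    (cd "$d" && diff -u a/net/core.c b/net/core.c > demo.patch) || true
    cp -r "$d/a" "$d/fresh"      # patch not applied yet
    cp -r "$d/b" "$d/done"       # change already present in the tree
    cp -r "$d/a" "$d/diverged"   # tree changed so the hunk context is gone
    printf 'other\nstuff\n' > "$d/diverged/net/core.c"
}

if command -v patch >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_demo "$tmp"
    for t in fresh done diverged; do
        printf '%s: %s\n' "$t" "$(classify_patch "$tmp/$t" "$tmp/demo.patch")"
    done
    rm -rf "$tmp"
else
    echo "patch(1) not found, demo skipped" >&2
fi
```

Run it against `$KERNEL_DIR' and a file from one of the suite directories to decide between `y' and `N' at the prompt; because every call uses `--dry-run', nothing in the tree is modified either way.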

A rule of thumb is to read the short explanation text of each patch carefully before actually applying it. As there are currently a LOT of official patches for patch-o-matic (and probably more unofficial ones), it is not recommended to apply them all ! You should really consider applying only the ones you need, even if it means recompiling netfilter when you need more patches later on.

Patch-o-matic is, in fact, mainly the `runme' shell script. If you run it without arguments, it will display its help message :

Usage: ./runme [--batch] [--reverse] [--exclude suite/patch-file ...] suite|suite/patch-file

  --batch       batch mode, automatically applying patches
  --reverse     back out the selected patches
  --exclude     excludes the named patches

The patches are contained in `patch-o-matic/pending/', `patch-o-matic/base', etc. Here, `pending' and `base' are two suite names. Run ls in the `patch-o-matic' directory to see all the suites. Examples of `runme' commands :

./runme --batch pending
./runme --batch userspace/ipt_REJECT-fake-source.patch

The first command will attempt to apply all the patches from the submitted suite, then the pending suite (we explain further on why two suites). The second command will only apply the patch `ipt_REJECT-fake-source.patch' from the userspace suite.

The most relevant patch `suites' (or repositories), in their order of application, are :

When you instruct `./runme' to apply patches from the `extra/' patch repository, it will first present you with the patches from the `submitted/', `pending/', and `base/' directories. Each suite maintains a file named `SUITE' that tells p-o-m the order in which it should attempt to apply the patches. For example, what I explained above is written in the `userspace/' repository's `SUITE' file :

# cat userspace/SUITE
submitted pending base extra userspace
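To see what this chaining means in practice, the following shell script is an added example, not part of this HOWTO or of patch-o-matic's own `runme': it follows a suite's `SUITE' file and prints the patches in the order p-o-m would offer them, and it honours an exclusion list the way `--exclude' does. The directory layout, the `SUITE' contents and the patch names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from this HOWTO or from patch-o-matic's runme: resolve
# the order in which p-o-m offers patches for a suite by following that
# suite's SUITE file. The directory layout and patch names are constructed.

# pom_order POMDIR SUITE [EXCLUDE ...]
# Prints "suite/patch-file" lines in presentation order. Any EXCLUDE given
# as suite/patch-file is skipped, like runme's --exclude option.
pom_order() {
    pomdir=$1
    suite=$2
    shift 2
    excludes=" $* "
    # A SUITE file names the suites to walk, in order; a suite without
    # one is walked on its own.
    if [ -f "$pomdir/$suite/SUITE" ]; then
        chain=$(cat "$pomdir/$suite/SUITE")
    else
        chain=$suite
    fi
    for s in $chain; do
        [ -d "$pomdir/$s" ] || continue
        # the shell expands the glob in sorted order, one pass per suite
        for p in "$pomdir/$s"/*.patch; do
            [ -f "$p" ] || continue      # suite holds no patches
            rel="$s/$(basename "$p")"
            case "$excludes" in
                *" $rel "*) continue ;;
            esac
            echo "$rel"
        done
    done
}

# make_pom DIR: lays out a constructed patch-o-matic tree with one empty
# patch per suite and SUITE files that chain the suites as runme expects.
make_pom() {
    d=$1
    for s in submitted pending base extra userspace; do
        mkdir -p "$d/$s"
    done
    : > "$d/pending/ipt_example_pending.patch"
    : > "$d/base/ipt_example_base.patch"
    : > "$d/extra/ipt_example_extra.patch"
    : > "$d/userspace/ipt_example_user.patch"
    echo "submitted pending base" > "$d/base/SUITE"
    echo "submitted pending base extra" > "$d/extra/SUITE"
    echo "submitted pending base extra userspace" > "$d/userspace/SUITE"
}

tmp=$(mktemp -d)
make_pom "$tmp"
echo "./runme extra would offer:"
pom_order "$tmp" extra
echo "./runme --exclude userspace/ipt_example_user.patch userspace would offer:"
pom_order "$tmp" userspace userspace/ipt_example_user.patch
rm -rf "$tmp"
```

Pointed at a real checkout (`pom_order netfilter/patch-o-matic extra'), the same function lists exactly which files `./runme extra' will walk you through, which is a quick way to review the set before answering any prompts.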

2.3 So what's next ?

Once you have applied all the patches you wished to apply, the next step is to recompile your kernel and install it. This HOWTO will not explain how to do this. Instead, you can read the Linux Kernel HOWTO.

While configuring your kernel, you will see new options in ``Networking Options -> Netfilter Configuration''. Choose the options you need, recompile & install your new kernel.

Once your new kernel is installed, you can go ahead and compile and install the ``iptables'' package, from the `userspace/' directory as follows :

# make && make install

That's it ! Your new shiny iptables package is installed ! Now it's time to use these brand new functionalities.

