Netfilter Extensions HOWTO: Patch-O-Matic

2. Patch-O-Matic

2.1 What is Patch-O-Matic ?

The iptables Makefile contains a facility called `patch-o-matic' (or `p-o-m'). p-o-m guides you through selecting the patches you want and automatically patches the kernel for you.

First, you should get the latest CVS tree, to be sure you are using the latest extensions. To do so, perform :

# cvs -d :pserver:cvs@pserver.samba.org:/cvsroot login
# cvs -z3 -d :pserver:cvs@pserver.samba.org:/cvsroot co netfilter

This will create the top-level directory `netfilter/' and check out all the files inside it for you.

Make sure your kernel source is ready in `/usr/src/linux/'. If for whatever reason the kernel you want to patch is not in `/usr/src/linux/', then you can make the variable KERNEL_DIR point to the path where your kernel is :

# export KERNEL_DIR=/the/path/linux

Make sure the dependencies are made already. If unsure :

# cd /usr/src/linux/
# make dep

Then go back to the netfilter tree, into its `userspace/' directory. You can now invoke p-o-m.

2.2 Running Patch-O-Matic

While in the `userspace/' directory, let's run p-o-m :

# make patch-o-matic

Welcome to Rusty's Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don't recommend applying them all!
-------------------------------------------------------

Already applied: 2.4.1 2.4.4
Testing... name_of_the_patch NOT APPLIED ( 2 missing files)
The name_of_the_patch patch:
   Here usually is the help text describing what
   the patch is for, what you can expect from it,
   and what you should not expect from it.
Do you want to apply this patch [N/y/t/f/q/?]

p-o-m goes through all the patches. Those already applied are listed on the first line, `Already applied:'. For each patch not yet applied, it displays the patch name with a short explanation and tells you what is going on: `NOT APPLIED ( n missing files)' simply means the patch has not been applied yet, whereas `NOT APPLIED ( n rejects out of n hunks)' generally means that :

  1. Either the patch cannot be applied cleanly...
  2. ...Or the patch has already been included in the kernel you are trying to patch.
Finally, it prompts you to decide whether or not to apply it.

  • Simply press enter if you do not want to apply it.
  • Type `y' if you want p-o-m to test the patch and apply it; if the attempt fails, it will tell you so and prompt you again for confirmation. If not, the patch will be applied, and you will see the name of the patch on the `Already applied:' line.
  • Type `t' if you just want to test if the patch would apply normally.
  • Type `f' if you want to force p-o-m to apply the patch.
  • Finally type `q' if you want to quit p-o-m.

A rule of thumb is to read the short explanatory text for each patch carefully before actually applying it. As there are currently a LOT of official patches for patch-o-matic (and probably more unofficial ones), it is not recommended to apply them all ! You should really consider applying only the ones you need, even if it means recompiling netfilter when you need more patches.
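
As an added example (not part of this HOWTO or of the netfilter project), the POSIX shell helper below classifies lines of a saved p-o-m transcript by the messages explained above, so that patches which reported rejects can be reviewed before anyone answers `f'. The patch names and the transcript are constructed for illustration; the message formats are assumed to be exactly those shown in this section.

```shell
#!/bin/sh
# Classify one line of patch-o-matic output by the message formats this
# HOWTO describes. Prints "<patch> <state>" where state is:
#   applied  - listed on the "Already applied:" line
#   pending  - "( n missing files)": not applied yet, safe to test with 't'
#   rejected - "( n rejects out of m hunks)": does not apply cleanly, or is
#              already in this kernel; inspect before answering 'f'
# Returns 1 for any other line (help text, prompts), which callers skip.
pom_status() {
    line=$1
    case "$line" in
        "Already applied:"*)
            printf '%s applied\n' "${line#Already applied: }"
            ;;
        "Testing... "*"NOT APPLIED ("*"missing file"*)
            name=${line#Testing... }
            printf '%s pending\n' "${name%% *}"
            ;;
        "Testing... "*"NOT APPLIED ("*"rejects out of"*)
            name=${line#Testing... }
            printf '%s rejected\n' "${name%% *}"
            ;;
        *)
            return 1
            ;;
    esac
}

# Summarise a whole transcript read from stdin: count how many patches are
# still pending and how many reported rejects and need a manual look.
pom_summary() {
    pending=0; rejected=0
    while IFS= read -r line; do
        status=$(pom_status "$line") || continue
        case "$status" in
            *" pending")  pending=$((pending + 1)) ;;
            *" rejected") rejected=$((rejected + 1)) ;;
        esac
    done
    printf 'pending=%d rejected=%d\n' "$pending" "$rejected"
}

# Constructed sample transcript (hypothetical patch names, format as above).
POM_LOG='Already applied: 2.4.1 2.4.4
Testing... foo_match NOT APPLIED ( 2 missing files)
Testing... bar_target NOT APPLIED ( 3 rejects out of 7 hunks)
Testing... baz_helper NOT APPLIED ( 1 missing file)'

printf '%s\n' "$POM_LOG" | pom_summary   # prints: pending=2 rejected=1
```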

A new form of patch-o-matic has been created that will only present you with the patches that are known to apply cleanly, or at least are known not to break all the other patches. To invoke it, simply run :

# make most-of-pom

It works exactly the same way as patch-o-matic as far as the interaction and the patching is concerned. You will simply avoid using `developer-only' patches.

If you want to experiment with ``newnat'' (for example because you need the H323 conntrack/NAT helper), do as follows :

# cd /path/to/netfilter/userspace/patch-o-matic
# ./runme newnat

It will guide you through all the submitted/pending patches, then through the patches related to newnat.

2.3 So what's next ?

Once you have applied all the patches you wished to apply, the next step is to recompile your kernel and install it. This HOWTO will not explain how to do this. Instead, you can read the Linux Kernel HOWTO.

While configuring your kernel, you will see new options in ``Networking Options -> Netfilter Configuration''. Choose the options you need, recompile & install your new kernel.

Once your new kernel is installed, you can go ahead and compile and install the ``iptables'' package, from the `userspace/' directory as follows :

# make all install

That's it ! Your shiny new iptables package is installed ! Now it's time to use these brand new features.
