Connlimit Patch + Smoothwall

community.smoothwall.org • View topic – How do i patch the kernel in smoothwall express Degu III?.

First, i svn’d the tree for expresscore (i had to find/install an SVN client first)

cd /usr/src
svn co https://smoothwall.svn.sourceforge.net/svnroot/smoothwall/trunk expresscore

Next i “predownloaded” all of the sources.

cd /usr/src/expresscore/distrib/build
make predownload

This gets the download’s out of the way, and should make the build a little faster.

Next, i ran the standard build (from /usr/src/expresscore/distrib/build)


make build

This takes forever! I was running in a VM, it would probably be a little faster on actual dedicated hardware. but i got tired of hosing servers, so i decided to work in a VM (vmware worked excellent)
Once the build is finished, you can then apply your patches.
see

https://bugs.launchpad.net/ubuntu/+sour … +bug/60439

for information about how to apply the connlimit patch to a stock kernel.

Heres what i did, in a nutshell:
Things are slightly different for the Smoothie.. This is where i ran into the biggest hurdle. First i had to learn how to build sources on the smoothie, then i had to actually make use of said sources. It MIGHT be possible to implement these things before running the first “make build” but i didnt try it that way, so i’m not going to document it that way.

You’ve already got patch-o-matic, and iptables sources from the build, i found this out afterward, i could have saved myself some time if i’d know that ahead of time. So all you really need to download is the connlimit patch.

use wget, or some other means to get

http://people.netfilter.org/ole/pom/connlimit


connlimit is actually a tar.gz, just without the extension.

The next step is to get patch-o-matic in the right place, and unpack connlimit.

Patch-o-matic lives in the kernel-runtime source directory. You mgiht be able to find a more direct way to do this, but this is how i did it.

A quick rundown:
Both kernel-runtime, and iptables need to patch when “make” is executed, so you need to add the patch to the makefile.
A copy of patch-o-matic-ng needs to be in build/sources/iptables
Because i couldnt make it work any other way, i had to take the contents of patch-o-matic and put it in the iptables directory. so:


cp -r /usr/src/expresscore/distrib/build/sources/kernel-runtime/patch-o-matic-ng-(version)/* /usr/src/expresscore/distrib/build/sources/iptables

Then extract connlimit to patch-o-matic’s patchlets dir.


cp /path/to/where/you/saved/connlimit /usr/src/expresscore/distrib/build/sources/iptables/patchlets
cd /usr/src/expresscore/distrib/build/sources/iptables/patchlets
tar xvzf connlimit

then edit build/sources/iptables/Makefile
Somewhere around lime 24 you’ll find:


configure: $(DIR)/ patch

and below it you’ll see “@true”.
On the line before @true, add:


@./runme –batch connlimit

That should configure iptables such that it will build and add the connlimit patch when “make” is run.

Next, we need to modify the kernel makefile.
edit build/sources/Makefile.kernel
Around line 78 you’ll find


@(cd patch-o-matic-ng-$(PATCH_O_MATIC_VER)/patchlets; \
tar xvzf $(DOWNLOADS_DIR)/pom-ng-ipt_ACCOUNT-$(IPT_ACCOUNT_VER).tgz)

This unpacks a new copy of patch-o-matic every time you run make, so we need to add a line that will copy connlimit into this copy of patch-o-matic when make is run. So, after the above listed lines, add:


@(cp -r ../iptables/patchlets/connlimit ./patch-o-matic-ng-$(PATCH_O_MATIC_VER)/patchlets)

Also, you’ll find something like:


@(export KERNEL_DIR=$(KERNEL_DIR); \
export IPTABLES_DIR=$(IPTABLES_DIR); \
cd patch-o-matic-ng-$(PATCH_O_MATIC_VER); \
./runme –batch ACCOUNT; \
./runme –batch mms-conntrack-nat; \
./runme –batch directx8-conntrack-nat; \
./runme –batch msnp-conntrack-nat)

That’s where make applies all of the patches that the smoothwall team already applies.
so, let’s add in connlimit

@(export KERNEL_DIR=$(KERNEL_DIR); \
export IPTABLES_DIR=$(IPTABLES_DIR); \
cd patch-o-matic-ng-$(PATCH_O_MATIC_VER); \
./runme –batch ACCOUNT; \
./runme –batch connlimit; \
./runme –batch mms-conntrack-nat; \
./runme –batch directx8-conntrack-nat; \
./runme –batch msnp-conntrack-nat)

The more the merrier.
Now, let’s add connlimit as a module to the kernel config.
Edit build/sources/kernel.config-runtime-i386
find where the other NetFilter modules are listed, and add “CONFIG_IP_NF_MATCH_CONNLIMIT=m” to the list. For me this was on line 350.
That “should” do it for the modifications. Though it’s possible i missed something.. You’ll find out when you attemtp to build. :P

So, let’s build. it’s fun!
First, we chroot

chroot /usr/src/expresscore/distrib /bin/bash

Then we need to build iptables.

cd /build/sources/iptables
make

This will build iptables. When it gets to the patches, it may ask you for kernel, and iptables source paths. Enter the following:

Kernel:
/build/sources/kernel-runtime/linux
iptables:
/bould/sources/iptables/iptables-1.3.8

Then go to the kernel-runtime sources directory, and “make”


cd /build/sources/kernel-runtime
make

Whenever i ran this, it asked me if i wanted to add CONFIG_IP_NF_MATCH_CONNLIMIT to the kernel. I think it was due to a typ-o on m part. If it asks you, just enter ‘m’ for module, and it’ll go on its way.

Once that’s finished. “make” in build/sources/media


cd /build/sources/media
make

Once this completes, you can exit the chroot, just type “exit”
An ISO is built in /usr/src/expresscore/distrib/build/target/isos/smoothwall-express-3.0-sammy-i386.iso
Just burn that ISO to a CD, or (like i did to test it out) copy it to your host machine (if you’re running in a VM) and test the install using vmware.

(right click and save as to dl these)
diff:
http://www.undrground.org/geek/smoothwa … imit.patch
ISO:
http://www.undrground.org/geek/smoothwa … y-i386.iso

Bad Behavior has blocked 196 access attempts in the last 7 days.