Recently, while looking into how to apply the ipp2p patch, I ran into some problems. The reference posts I found all used patches from 2005, but the basic steps are the same.

First, don't download the newest patch set: the newest one may not contain what you need.

Here is my directory layout first:
Code:
    debian:/usr/src# ls -l
    total 34612
    lrwxrwxrwx  1 root src        14 2006-11-29 10:06 iptables -> iptables-1.3.6
    drwxr-xr-x  6 500  users    4096 2006-09-29 00:45 iptables-1.3.6
    -rw-r--r--  1 root src    185438 2006-09-29 00:45 iptables-1.3.6.tar.bz2
    drwxr-xr-x 18 root root     4096 2006-09-07 09:10 kernel-source-2.6.8
    -rw-r--r--  1 root root 34880682 2006-09-07 09:12 kernel-source-2.6.8.tar.bz2
    lrwxrwxrwx  1 root src        19 2006-11-29 10:04 linux -> kernel-source-2.6.8
    drwxr-xr-x  5 5500 5100     4096 2006-07-02 05:55 patch-o-matic-ng-20060701
    -rw-r--r--  1 root src    162678 2006-11-29 10:13 patch-o-matic-ng-20060701.tar.bz2
    -rw-r--r--  1 root src    142287 2006-11-29 10:03 patch-o-matic-ng-20060808.tar.bz2
Here I used the 20060701 patch set; with the 20060808 patch set I found there was no ipp2p module.

As for which modules a patch set contains, you can look in the patchlets directory of the unpacked archive, e.g.:
Code:
    debian:/usr/src/patch-o-matic-ng-20060701/patchlets# ls
    config                  ipv4options           rsh
    connlimit               IPV4OPTSSTRIP         rtsp-conntrack
    conntrack_nonat         layer2-hooks          set
    directx8-conntrack-nat  mms-conntrack-nat     sip-conntrack-nat
    eggdrop-conntrack       msnp-conntrack-nat    talk-conntrack-nat
    IPMARK                  quake3-conntrack-nat  TARPIT
    ipp2p                   ROUTE                 time
    iprange                 rpc                   u32
Each directory above corresponds to one module.

Then apply the patches. I did not use extra here; I selected only the modules I needed, connlimit, ipp2p, iprange and time, just these four, as follows:
Code:
    debian:/usr/src/patch-o-matic-ng-20060701# KERNEL_DIR=/usr/src/linux IPTABLES_DIR=/usr/src/iptables ./runme connlimit ipp2p iprange time
    Loading patchlet definitions....................... done

    Welcome to Patch-o-matic ($Revision: 6577 $)!

    Kernel:   2.6.8, /usr/src/linux
    Iptables: 1.3.6, /usr/src/iptables
    Each patch is a new feature: many have minimal impact, some do not.
    Almost every one has bugs, so don't apply what you don't need!
    -------------------------------------------------------
    Already applied:

    Testing connlimit... not applied
    The connlimit patch:
       Author: Gerd Knorr <kraxel@bytesex.org>
       Status: ItWorksForMe[tm]

    This adds an iptables match which allows you to restrict the
    number of parallel TCP connections to a server per client IP address
    (or address block).

    Examples:

    # allow 2 telnet connections per client host
    iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT

    # you can also match the other way around:
    iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT

    # limit the nr of parallel http requests to 16 per class C sized
    # network (24 bit netmask)
    iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
            --connlimit-mask 24 -j REJECT
    -----------------------------------------------------------------
    Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

    Welcome to Patch-o-matic ($Revision: 6577 $)!

    Kernel:   2.6.8, /usr/src/linux
    Iptables: 1.3.6, /usr/src/iptables
    Each patch is a new feature: many have minimal impact, some do not.
    Almost every one has bugs, so don't apply what you don't need!
    -------------------------------------------------------
    Already applied: connlimit

    Testing ipp2p... not applied
    The ipp2p patch:
       Author: Eicke Friedrich <ipp2p@ipp2p.org>
       Status: Stable

    This option makes possible to match some P2P packets
    therefore helps controlling such traffic.
    Dropping all matches prohibits P2P networks.
    Combined with conntrack, CONNMARK and a packet
    scheduler it can be used for accounting or shaping of P2P traffic.

    Examples:
    iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP
    iptables -A FORWARD -p tcp -m ipp2p --ares -j DROP
    iptables -A FORWARD -p udp -m ipp2p --kazaa -j DROP
    -----------------------------------------------------------------
    Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

    Welcome to Patch-o-matic ($Revision: 6577 $)!

    Kernel:   2.6.8, /usr/src/linux
    Iptables: 1.3.6, /usr/src/iptables
    Each patch is a new feature: many have minimal impact, some do not.
    Almost every one has bugs, so don't apply what you don't need!
    -------------------------------------------------------
    Already applied: connlimit ipp2p

    Testing iprange... applied

    Welcome to Patch-o-matic ($Revision: 6577 $)!

    Kernel:   2.6.8, /usr/src/linux
    Iptables: 1.3.6, /usr/src/iptables
    Each patch is a new feature: many have minimal impact, some do not.
    Almost every one has bugs, so don't apply what you don't need!
    -------------------------------------------------------
    Already applied: connlimit ipp2p iprange

    Testing time... not applied
    The time patch:
       Author: Fabrice MARIE <fabrice@netfilter.org>
       Status: Works within it's limitations

    This option adds CONFIG_IP_NF_MATCH_TIME, which supplies a time match module.
    This match allows you to filter based on the packet arrival time/date
    (arrival time/date at the machine which the netfilter is running on) or
    departure time/date (for locally generated packets).

    Supported options are:
    [ --timestart value ] Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
    [ --timestop value ] Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
    [ --days listofdays ] Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
    [ --datestart date ] Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] h,m,s start from 0 ; default to 1970)
    [ --datestop date ] Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] h,m,s start from 0 ; default to 2037)

    Example:
    -A INPUT -m time --timestart 8:00 --timestop 18:00 --days Mon,Tue,Wed,Thu,Fri
      will match packets that have an arrival timestamp in the range 8:00->18:00 from Monday to Friday.
    -A OUTPUT -m time --timestart 8:00 --timestop 18:00 --Days Mon --date-stop 2010
      will match the packets (locally generated) that have a departure timestamp in the range 8:00->18:00 on Monday only, until 2010

    NOTE: the time match does not track changes in daylight savings time
    -----------------------------------------------------------------
    Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
    Excellent!  Source trees are ready for compilation.

    Recompile the kernel image (if there are non-modular netfilter modules).
    Recompile the netfilter kernel modules.
    Recompile the iptables binaries.
Answering y applies the patch; the message at the very bottom shows that the patches I needed have been applied.
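Because snapshots differ in which patchlets they ship (the 20060808 snapshot above has no ipp2p), it helps to check the patchlets/ directory for every name you intend to pass to ./runme before running it. The script below is an added example, not part of the original post; it builds a constructed stand-in tree with mktemp using the directory names listed for patch-o-matic-ng-20060701, and the /usr/src paths are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every patchlet you
# want to select exists under patchlets/ before invoking ./runme.

# list_patchlets DIR: print one patchlet name per line (one directory each).
list_patchlets() {
    for d in "$1"/patchlets/*/; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# check_patchlets DIR NAME...: succeed only if every NAME is a patchlet under
# DIR; otherwise report the missing names on stderr and fail.
check_patchlets() {
    dir=$1; shift
    missing=""
    for name in "$@"; do
        [ -d "$dir/patchlets/$name" ] || missing="$missing $name"
    done
    [ -z "$missing" ] && return 0
    echo "missing patchlets in $dir:$missing" >&2
    return 1
}

# runme_cmd KERNEL_DIR IPTABLES_DIR POM_DIR NAME...: once the check passes,
# print the runme invocation used in the post (cd into POM_DIR first).
runme_cmd() {
    kdir=$1; idir=$2; pdir=$3; shift 3
    check_patchlets "$pdir" "$@" || return 1
    printf 'cd %s && KERNEL_DIR=%s IPTABLES_DIR=%s ./runme %s\n' \
        "$pdir" "$kdir" "$idir" "$*"
}

# make_sample_tree: constructed stand-in for the unpacked 20060701 snapshot
# (names taken from the ls output in the post); prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    for p in config connlimit conntrack_nonat directx8-conntrack-nat \
             eggdrop-conntrack IPMARK ipp2p iprange ipv4options IPV4OPTSSTRIP \
             layer2-hooks mms-conntrack-nat msnp-conntrack-nat \
             quake3-conntrack-nat ROUTE rpc rsh rtsp-conntrack set \
             sip-conntrack-nat talk-conntrack-nat TARPIT time u32; do
        mkdir -p "$root/patchlets/$p"
    done
    echo "$root"
}

sample=$(make_sample_tree)
runme_cmd /usr/src/linux /usr/src/iptables "$sample" connlimit ipp2p iprange time
rm -rf "$sample"
```

Against a real unpacked snapshot, replace the constructed tree with its path; a missing name is reported before any patch is touched.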

I won't go through the build steps that follow.