
2. Patch-O-Matic

2.1 What is Patch-O-Matic ?

Netfilter developers distribute a set of patches packaged for use with their `patch-o-matic-ng' (or `p-o-m') system. p-o-m is a script that guides you through choosing the patches you want to apply and then patches the kernel for you automatically.

First, you should get the latest SVN tree, to be sure that you are using the latest extensions. To do so, perform :

# mkdir netfilter_svn
# cd netfilter_svn
# svn co
# svn co

This will check out the main iptables package and the whole patch-o-matic-ng repository:

# ls -l netfilter_svn/
total 3
drwxr-xr-x    9 root     root          864 Nov  7 14:48 iptables/
drwxr-xr-x   13 root     root          488 Nov  7 14:54 patch-o-matic-ng/

Make sure your kernel source is ready in `/usr/src/linux/'. If for whatever reason the kernel you want to patch is not in `/usr/src/linux/', you can make the variable KERNEL_DIR point to the path where your kernel source is :

# export KERNEL_DIR=/the/path/linux

Make sure the dependencies are made already. If unsure :

# cd /usr/src/linux/
# make dep

Then go back to the netfilter tree, into the `patch-o-matic-ng/' directory. You can now invoke p-o-m.

2.2 Running Patch-O-Matic

While in the `patch-o-matic-ng/' directory, let's run p-o-m :

# ./runme extra

Welcome to Patch-o-matic ($Revision: 3822 $)!


Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
Already applied: nf-log

Testing... not applied
The HOPLIMIT patch:
   Author: Maciej Soltysiak <>
   Status: Works for me.

   This allows the user to set the IPv6 Hop Limit value on a packet or
   to increment or decrement it by a given value.
   # ip6tables -t mangle -A OUTPUT -j HOPLIMIT --hl-inc 1
   # ip6tables -t mangle -A INPUT -j HOPLIMIT --hl-eq 64
   # ip6tables -t mangle -A OUTPUT -j HOPLIMIT --hl-dec 2
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] 

p-o-m will go through most of the patches. Those that are already applied are listed on the `Already applied:' line. For each remaining patch it will prompt you to decide whether or not to apply it.

A rule of thumb is to read carefully the little explanation text of each patch before actually applying it. As there are currently a LOT of official patches for patch-o-matic (and probably more unofficial ones), it is not recommended to apply them all ! You should really consider applying only the ones you need, even if it means recompiling netfilter when you need more patches later on.

Patch-o-matic's `runme' is a nice Perl script. It optionally takes some command line arguments:

# ./runme --help
    ./runme [--batch] [--reverse] [--exclude suite/patch-dir ]

    --batch batch mode, automatically applying patches.

    --test  test mode, automatically test patches.

    --check check mode, automatically checks if patches are alreay applied.
            produces a logfile: rune.out-check

    --reverse
            back out the selected patches.

    --exclude suite/patch-dir
            excludes the named patch. can be used multiple times.

    --help  print a help message

    --man   print the whole manpage

Each patch has its own directory within the main directory `patch-o-matic-ng'. Each patch is attached to a suite of patches. The three existing suites (as of the date of update of this HOWTO) are `base', `pending' and `extra'.

You can instruct p-o-m to show you only patches attached to a particular suite:

# ./runme --batch pending

This command will show you, and offer to apply, all the patches from the `pending' suite. When you instruct `./runme' to apply patches from the `extra' repository, it will first present you with the patches from the `base' and `pending' repositories.
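The two checks a cautious administrator wants before running p-o-m are (a) that it is really going to patch the kernel tree you think it is (section 2.1, KERNEL_DIR) and (b) that only the patches you actually need get applied, following the rule of thumb above. The following POSIX sh helpers are an added example, not part of the HOWTO or of the patch-o-matic-ng project: they resolve the kernel directory the way p-o-m does, sanity-check that it looks like a kernel source tree, and build a list of `--exclude' arguments from an allow-list of patch names. They assume the `suite/patch-dir' layout implied by the `--exclude' option in the help text; the `VERSION' line check on the kernel Makefile is an assumption about the kernel's top-level Makefile.

```shell
#!/bin/sh
# Added example (not from the HOWTO): pre-flight helpers for patch-o-matic-ng.

# Directory p-o-m will patch: $KERNEL_DIR if set, otherwise /usr/src/linux.
pom_kernel_dir() {
    printf '%s\n' "${KERNEL_DIR:-/usr/src/linux}"
}

# Return 0 if the directory looks like a Linux kernel source tree:
# a top-level Makefile carrying a VERSION line and an include/linux directory.
# (Assumption: every kernel tree of this era has both.)
pom_check_kernel_tree() {
    dir=$1
    [ -f "$dir/Makefile" ] || return 1
    [ -d "$dir/include/linux" ] || return 1
    grep -q '^VERSION' "$dir/Makefile" || return 1
    return 0
}

# Build "--exclude suite/patch" arguments for every patch directory under
# <pomdir>/<suite>/ whose name is NOT in the space-separated allow-list.
# Assumes patches live at <pomdir>/<suite>/<patch-dir>/ as the --exclude
# syntax suggests.
pom_exclude_args() {
    suite=$1
    pomdir=$2
    wanted=$3
    args=""
    for d in "$pomdir/$suite"/*/; do
        [ -d "$d" ] || continue          # no patch dirs at all: glob stays literal
        name=$(basename "$d")
        case " $wanted " in
            *" $name "*) ;;              # on the allow-list: keep it
            *) args="$args --exclude $suite/$name" ;;
        esac
    done
    printf '%s\n' "${args# }"
}

# Print the runme invocation that applies only the allow-listed patches of a
# suite, after confirming the kernel tree. Does not run runme itself.
pom_plan() {
    suite=$1
    pomdir=$2
    wanted=$3
    kdir=$(pom_kernel_dir)
    if ! pom_check_kernel_tree "$kdir"; then
        printf 'error: %s does not look like a kernel source tree\n' "$kdir" >&2
        return 1
    fi
    printf 'KERNEL_DIR=%s ./runme --batch %s %s\n' \
        "$kdir" "$(pom_exclude_args "$suite" "$pomdir" "$wanted")" "$suite"
}
```

Call it from inside the `patch-o-matic-ng/' checkout as `pom_plan extra . "HOPLIMIT nf-log"` and it prints the `./runme' command line for review; the point of generating the command rather than running it is that the exclusion list is visible before any patch touches the tree.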

2.3 So what's next ?

Once you have applied all the patches you wished to apply, the next step is to recompile your kernel and install it. This HOWTO will not explain how to do this. Instead, you can read the Linux Kernel HOWTO.

While configuring your kernel, you will see new options in ``Networking Options -> Netfilter Configuration''. Choose the options you need, recompile & install your new kernel.

Once your new kernel is installed, you can go ahead and compile and install the ``iptables'' package, from the `iptables/' directory as follows :

# make && make install

That's it ! Your new shiny iptables package is installed ! Now it's time to use these brand new functionalities.
