LinuxQuestions.org
Linux - Kernel This forum is for all discussion relating to the Linux kernel.

Old 05-18-2006, 08:31 PM   #1
RavenOfOdin
Member
 
Registered: Feb 2006
Location: Arkansas, C.S.A
Distribution: Ubuntu 6.06 LTS, PC / Debian Etch 2.6.16.17 PPC
Posts: 60

Problem updating iptables, with 2.6.16 kernel.


Is there any reason why the patch-o-matic-ng utility from netfilter.org fails on the 2.6.16 kernel with missing files errors?

I've been trying to get iptables 1.3.5 to run in that kernel for Firestarter. The errors occur when I work with the base kernel and the patched version (2.6.16-16)

The archive is not corrupt, and redownloading the source doesn't help.

The errors are as follows:

Code:
Cannot apply - <n> missing files.
Code:
ERROR - missing files.
Code:
ERROR - <n> rejects out of <n> hunks.
I need my Linux machine stable and ready for a project I've been working on, so hopefully this can be resolved in short order.
I'm using (K)ubuntu 5.10 and my PC specs are as follows:
Athlon 1.8Ghz processor, 512MB RAM, 128MB ATI Radeon 9200, 80GB HD.

Patch-o-matic is the latest version as available on ftp.netfilter.org/pub/patch-o-matic-ng.
 
Old 05-19-2006, 03:41 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,691
Blog Entries: 4

I don't know what Patch-o-Matic is or does...

You should not have to patch the kernel in any way. You might have to rebuild it with different modules or selections. If you're using an older .config file to do so, some of the flag-names might have changed.
 
Old 05-19-2006, 06:29 PM   #3
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

Patching Patch-O-Matic

I've had a similar error. Actually, there are a number of errors, the more patchlets you try to add the more that can show up. This is how I fix some of them, in detail. If it helps, great, if not, then at least maybe someone else who is having similar problems can fix those. I've been building kernels with Netfilter modifications for quite some time now, on two separate machines, and this only recently started happening whereas before they were applying clean, so I tend to think it's not something I've done but perhaps changes to POM. These are the patchlets I use from POM:

comment IPV4OPTSSTRIP NETMAP connlimit expire fuzzy iprange ipv4options nth psd quota random set time IPMARK ROUTE TARPIT XOR connrate geoip ipp2p rsh

When adding patches, some of the patchlets always come up with a certain error. I've noticed this thru the better of the 2.6.16.1-16 kernels stretch. The error looks like this:

Testing iprange... not applied
The iprange patch:
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Status: Works

This patch makes possible to match source/destination IP
addresses against inclusive IP address ranges.

Examples:
iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT
iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.255.255.255 -j ACCEPT
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
unable to find ladd slot in src /tmp/pom-13436/net/ipv4/netfilter/Makefile (./patchlets/iprange/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]

Notice that last bit when I hit "y":

"unable to find ladd slot in src /tmp/pom-13436/net/ipv4/netfilter/Makefile
(./patchlets/iprange/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)"

From what I can tell, what is happening here is POM, actually a perl script, is b0rking when trying to modify the appropriate Makefile. Namely, the one in linux-version/net/ipv4/netfilter/Makefile.

(Note I only specify ipv4, I don't do ipv6, but I bet the same thing is happening there as well, and has the same solution)

But that directory is entirely wrong, the current dir is nowhere near there.

It is, at the moment:

/usr/src/patch-o-matic-ng-20060514/patchlets

Also notice not all patches have this error; about 1/3 of them do. This error can be fixed. If you're getting a different error, those cannot be fixed as of yet, to my knowledge. By far though, this is the error that comes up more.

To fix it, when you come to a patch where you get the "can't find Makefile.ladd" message:

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?]

1). Choose "F" (yes I know it's not showing as an option), to (F)orce the patch.

Change dir to the "patchlets" subdir of the patch-o-matic source (I do this in two terminals, one terminal has the current directory set in the patchlets subdir of POM, the other has it set to the normal ./run extra POM patching directory. BTW, ./runme extra gives you the full shebang, no reason to do ./runme pending, base, etc.) Execute the following command each time one of the patches fails in order to find the files that need to be added to the makefile:

2). Use the "find" command:

find (name of the patch that's giving trouble) -name Makefile.ladd

so, for "iprange", we'd do this (remember, in the "patchlets" subdirectory):

find iprange -name Makefile.ladd

and find would tell me this:

iprange/linux/net/ipv4/netfilter/Makefile.ladd
iprange/linux-2.6/net/ipv4/netfilter/Makefile.ladd

3). cat the *MOST RECENT* Makefile.ladd for your version IP (ipv4, here. Do not mix ipv4 and ipv6!). By "most recent", I mean look at the linux kernel version. Above we see just a plain "linux" and a "linux-2.6" showing in the paths. I use the "Makefile.ladd" from the "linux-2.6" one. Some patchlets will have something like "linux", "linux-2.6.6", "linux-2.6.10". In this example, I'd pick "linux-2.6.10", because it's the most recent available:

cat iprange/linux-2.6/net/ipv4/netfilter/Makefile.ladd

shows:

obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o

those are the two files that you must make sure are added to Netfilter's makefile in the kernel source tree.

4). Make note of all the files from all the patches that bomb....

(Do NOT mix ipv4 and ipv6's!! It will bomb!)

These are the files that I cat'ed to find:

obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o
obj-$(CONFIG_IP_NF_TARGET_MARK) += ipt_MARK.o
obj-$(CONFIG_IP_NF_TARGET_IPMARK) += ipt_IPMARK.o
obj-$(CONFIG_IP_NF_MATCH_TOS) += ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_FUZZY) += ipt_fuzzy.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_QUOTA) += ipt_quota.o
obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
obj-$(CONFIG_IP_NF_CONNTRACK_RATE) += ip_conntrack_rate.o
obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o
obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o

You need to remove duplicates, if there are any.

5). Next, add the missing lines (the obj-$(CONFIG_IP stuff) to the Makefile at /usr/src/linux-2.6.16.16/net/ipv4/netfilter/Makefile, after the line in the file that reads "# matches" and then apply my custom patches. Note you can apply the patches (which fix XOR and some other stuff) even if you don't want XOR to build. Whether or not it builds is stated in your .config. Just unset it there, if you don't want it.

6). Patch time:

From the /usr/src/linux -

netfilter-2.6.x-kern.patch.gz : needed
patching file net/ipv4/netfilter/ipt_XOR.c
patching file net/ipv4/ip_output.c

IPV4OPTSSTRIP-2.6-skb-writable.patch.gz : needed
patching file net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c

Then from the /usr/src/iptables-1.3.5-20060514 directory:

geoip-path-fix.patch.gz : if you want to fix the path of the geoip database to something cleaner.
patching file extensions/libipt_geoip.c

Moves /var/geoip/geoip* to /var/db/geoip/geoip*, which will reside with /var/db/nscd in the /var/db directory, instead of making its own dir (I hate that).

7). After all that, you can make oldconfig/menuconfig then compile your kernel and modules & install. Note you also need to compile iptables at this time too.
Build & install the iptables that goes with your new kernel & netfilter extensions.

8). Marvel at the fact that you've monkeyed with the kernel code and it still works.


Issue #2: The recent patch-o-matic-ng is missing A LOT of patches, which renders my firewall script broken, losing about 5 of the needed matches/targets. The last known good patch-o-matic-ng WITH all the patches is patch-o-matic-ng-20060424, not the current (as of this writing) patch-o-matic-ng-20060514.

The 20060424 can give you (working, with my patches applied, below):

comment IPV4OPTSSTRIP NETMAP connlimit expire fuzzy iprange ipv4options nth psd quota random set time IPMARK ROUTE TARPIT XOR connrate geoip ipp2p rsh

There may be others, but I don't use them. If I remember right, conntrack for RPC and the ACCOUNT/account ones did not compile and halted the kernel build due to the fact.


The patches: uudecode these, then patch -N -u -p0 < the.patch in the correct directory. You can add "--dry-run" to the patch util's parameters to have it do a test run and see if the patches will apply clean. They should, if you've used the same versions as here and done everything correctly.

Code:
begin 644 IPV4OPTSSTRIP-2.6-skb-writable.patch
M+2TM(&YE="]I<'8T+VYE=&9I;'1E<B]I<'1?25!6-$]05%-35%))4"YC+F]L
M9`DR,#`V+3`Q+3(S(#`S.C(Y.C(V+C`P,#`P,#`P,"`M,#4P,`HK*RL@;F5T
M+VEP=C0O;F5T9FEL=&5R+VEP=%])4%8T3U!44U-44DE0+F,),C`P-BTP,2TR
M,R`P,SHS,#HQ,2XP,#`P,#`P,#`@+3`U,#`*0$`@+3,P+#<@*S,P+#<@0$`*
M(`EU;G-I9VYE9"!C:&%R("IO<'1I<&@["B`):6YT(&P["B`)"BT):68@*"%S
M:V)?:7!?;6%K95]W<FET86)L92AP<VMB+"`H*G!S:V(I+3YL96XI*0HK"6EF
M("@A<VMB7VUA:V5?=W)I=&%B;&4H<'-K8BP@*"IP<VMB*2T^;&5N*2D*(`D)
D<F5T=7)N($Y&7T123U`["B`@"B`)<VMB(#T@*"IP<VMB*3L*
`
end


begin 644 netfilter-2.6.x-kern.patch
M+2TM(&YE="]I<'8T+VYE=&9I;'1E<B]I<'1?6$]2+F,N;W)I9PDR,#`V+3`Q
M+3`T(#$Y.C0W.C`P+C`P,#`P,#`P,"`M,#4P,`HK*RL@;F5T+VEP=C0O;F5T
M9FEL=&5R+VEP=%]83U(N8PDR,#`V+3`Q+3`T(#$Y.C4Q.C`Y+C`P,#`P,#`P
M,"`M,#4P,`I`0"`M,S0@*S,T($!`(&EP=%]X;W)?=&%R9V5T*'-T<G5C="!S
M:U]B=69F("HJ<'-K8BP@"BT):68@*"%S:V)?:7!?;6%K95]W<FET86)L92AP
M<VMB+"`H*G!S:V(I+3YL96XI*0HK"6EF("@A<VMB7VUA:V5?=W)I=&%B;&4H
M<'-K8BP@*"IP<VMB*2T^;&5N*2D*+2TM(&YE="]I<'8T+VEP7V]U='!U="YC
M+F]R:6<),C`P-BTP,2TP,B`R,CHR,3HQ,"XP,#`P,#`P,#`@+3`U,#`**RLK
M(&YE="]I<'8T+VEP7V]U='!U="YC"3(P,#8M,#$M,#0@,3DZ-3$Z,#DN,#`P
M,#`P,#`P("TP-3`P"D!`("TQ,SDX+#`@*S$S.3D@0$`@15A03U)47U-934)/
M3"AI<%]S96YD7V-H96-K*3L**T584$]25%]364U"3TPH<WES8W1L7VEP7V1E
,9F%U;'1?='1L*3L*
`
end


begin 644 geoip-path-fix.patch
M+2TM(&5X=&5N<VEO;G,O;&EB:7!T7V=E;VEP+F,N;W)I9PDR,#`V+3`Q+3`T
M(#$Y.C0W.C,T+C`P,#`P,#`P,"`M,#4P,`HK*RL@97AT96YS:6]N<R]L:6)I
M<'1?9V5O:7`N8PDR,#`V+3`Q+3`T(#(Q.C(V.C(P+C`P,#`P,#`P,"`M,#4P
M,`I`0"`M.#0L,B`K.#0L,B!`0"!G971?8V]U;G1R>5]S=6)N971S*'5?:6YT
M,39?="!C8RP@=5]I;G0S"BT@("!I9B`H*&EX9F0@/2!F;W!E;B@B+W9A<B]G
M96]I<"]G96]I<&1B+FED>"(L(")R(BDI(#T]($Y53$PI('L*+2`@("`@("`@
M('!E<G)O<B@B+W9A<B]G96]I<"]G96]I<&1B+FED>"(I.PHK("`@:68@*"AI
M>&9D(#T@9F]P96XH(B]V87(O9&(O9V5O:7`O9V5O:7!D8BYI9'@B+"`B<B(I
M*2`]/2!.54Q,*2!["BL@("`@("`@("!P97)R;W(H(B]V87(O9&(O9V5O:7`O
M9V5O:7!D8BYI9'@B*3L*0$`@+3DP("LY,"!`0"!G971?8V]U;G1R>5]S=6)N
M971S*'5?:6YT,39?="!C8RP@=5]I;G0S"BT@("!S=&%T*"(O=F%R+V=E;VEP
M+V=E;VEP9&(N:61X(BP@)F)U9BD["BL@("!S=&%T*"(O=F%R+V1B+V=E;VEP
M+V=E;VEP9&(N:61X(BP@)F)U9BD["D!`("TQ,#8L,B`K,3`V+#(@0$`@9V5T
M7V-O=6YT<GE?<W5B;F5T<RAU7VEN=#$V7W0@8V,L('5?:6YT,PHM("`@:68@
M*"AD8F9D(#T@9F]P96XH(B]V87(O9V5O:7`O9V5O:7!D8BYB:6XB+"`B<B(I
M*2`]/2!.54Q,*2!["BT@("`@("!P97)R;W(H(B]V87(O9V5O:7`O9V5O:7!D
M8BYB:6XB*3L**R`@(&EF("@H9&)F9"`](&9O<&5N*"(O=F%R+V1B+V=E;VEP
M+V=E;VEP9&(N8FEN(BP@(G(B*2D@/3T@3E5,3"D@>PHK("`@("`@<&5R<F]R
?*"(O=F%R+V1B+V=E;VEP+V=E;VEP9&(N8FEN(BD["@``
`
end

Disclaimer: These Work For Me- I'm not a Linux kernel or netfilter person, just a guy with too much time on his hands & no gf. They are against vanilla sources from kernel.org and netfilter.org. If you're using distro stuff it will almost certainly be different and probably not work (though it might).
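Steps 2 through 5 of the Makefile.ladd fix above, automated as an added example. This is not code from the thread, from patch-o-matic-ng or from the kernel tree; it assumes the patchlet layout jayjwa describes (<patchlets>/<name>/linux[-<version>]/net/ipv4/netfilter/Makefile.ladd) and a literal "# matches" anchor line in the kernel's net/ipv4/netfilter/Makefile. It goes a little beyond the single iprange case in the post: it picks the newest linux-* variant of each patchlet by numeric version, unions the obj-$(CONFIG_IP_NF_...) lines across all failing patchlets, drops duplicates, and skips lines the kernel Makefile already carries, which is what the manual "remove duplicates" step guards against. The sample tree it builds under a temporary directory is constructed for the demo and is not real POM content.

```python
"""Automate steps 2-5 of the Makefile.ladd fix described in this thread.

Added example, not code from the thread, patch-o-matic-ng or the kernel.
Assumed layout: <patchlets>/<name>/linux[-<version>]/net/ipv4/netfilter/Makefile.ladd
and a literal "# matches" line in the kernel's net/ipv4/netfilter/Makefile.
"""
import os
import re
import tempfile

LADD_SUFFIX = os.path.join("net", "ipv4", "netfilter", "Makefile.ladd")
# Only obj-$(CONFIG_IP_NF_...) += foo.o lines matter (ipv4 only, never mixed with ipv6).
OBJ_LINE = re.compile(r"^obj-\$\(CONFIG_IP_NF_\w+\) \+= \S+\.o$")


def normalize(line):
    """Collapse whitespace so 'obj-$(X)  +=  y.o' and 'obj-$(X) += y.o' compare equal."""
    return " ".join(line.split())


def version_key(dirname):
    """'linux' -> (), 'linux-2.6.10' -> (2, 6, 10); None for non-kernel dirs. Newest sorts last."""
    m = re.fullmatch(r"linux(?:-([0-9]+(?:\.[0-9]+)*))?", dirname)
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) if m.group(1) else ()


def newest_ladd(patchlets, name):
    """Path of the ipv4 Makefile.ladd under the most recent linux* variant of one patchlet."""
    base = os.path.join(patchlets, name)
    candidates = []
    for entry in os.listdir(base):
        key = version_key(entry)
        path = os.path.join(base, entry, LADD_SUFFIX)
        if key is not None and os.path.isfile(path):
            candidates.append((key, path))
    if not candidates:
        raise FileNotFoundError(f"patchlet {name!r}: no ipv4 Makefile.ladd found")
    return max(candidates)[1]


def collect_obj_lines(patchlets, names):
    """obj-$(...) lines from every failing patchlet, duplicates dropped, first-seen order kept."""
    seen = {}
    for name in names:
        with open(newest_ladd(patchlets, name)) as f:
            for raw in f:
                line = normalize(raw)
                if OBJ_LINE.match(line):
                    seen.setdefault(line, None)
    return list(seen)


def splice_after_matches(makefile, obj_lines):
    """Insert lines right after '# matches', skipping any the Makefile already has.
    Returns the lines actually added so they can be reviewed before the kernel build."""
    with open(makefile) as f:
        existing = f.read().splitlines()
    present = {normalize(l) for l in existing}
    new = [l for l in obj_lines if l not in present]
    try:
        idx = existing.index("# matches")
    except ValueError:
        raise ValueError(f"{makefile}: no '# matches' anchor line, refusing to guess") from None
    with open(makefile, "w") as f:
        f.write("\n".join(existing[: idx + 1] + new + existing[idx + 1 :]) + "\n")
    return new


def build_sample_tree(root):
    """Constructed sample tree for the demo (made-up contents, not real POM data)."""
    def write(path, text):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    patchlets = os.path.join(root, "patchlets")
    write(os.path.join(patchlets, "iprange", "linux", LADD_SUFFIX),
          "obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o\n")
    write(os.path.join(patchlets, "iprange", "linux-2.6", LADD_SUFFIX),
          "obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o\n"
          "obj-$(CONFIG_IP_NF_MATCH_IPRANGE) += ipt_iprange.o\n")
    write(os.path.join(patchlets, "geoip", "linux-2.6.6", LADD_SUFFIX),
          "obj-$(CONFIG_IP_NF_MATCH_GEOIP_OLD) += ipt_geoip.o\n")  # older variant, must be ignored
    write(os.path.join(patchlets, "geoip", "linux-2.6.10", LADD_SUFFIX),
          "obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o\n"
          "obj-$(CONFIG_IP_NF_MATCH_GEOIP) += ipt_geoip.o\n")
    makefile = os.path.join(root, "linux", "net", "ipv4", "netfilter", "Makefile")
    write(makefile,
          "obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o\n"
          "\n"
          "# matches\n"
          "obj-$(CONFIG_IP_NF_MATCH_LIMIT) += ipt_limit.o\n"
          "obj-$(CONFIG_IP_NF_MATCH_MULTIPORT) += ipt_multiport.o\n")
    return patchlets, makefile


def run_demo(names=("iprange", "geoip")):
    """Run the whole fix on the constructed tree; returns (variant chosen per patchlet, lines added)."""
    patchlets, makefile = build_sample_tree(tempfile.mkdtemp(prefix="pom-ladd-"))
    chosen = {n: newest_ladd(patchlets, n).split(os.sep)[-5] for n in names}
    added = splice_after_matches(makefile, collect_obj_lines(patchlets, names))
    return chosen, added


if __name__ == "__main__":
    chosen, added = run_demo()
    print("variants used:", chosen)
    for line in added:
        print("added:", line)
```

On the sample tree, iprange resolves to its linux-2.6 variant and geoip to linux-2.6.10; the shared ipt_limit.o line is collapsed and then skipped because the kernel Makefile already has it, so only ipt_iprange.o and ipt_geoip.o are spliced in. Pointing the functions at a real patchlets directory and kernel tree instead of the demo tree is the only change needed for actual use; reviewing the returned list before running make is the point of returning it.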
 
Old 05-19-2006, 06:41 PM   #4
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

Quote:
Originally Posted by sundialsvcs
I don't know what Patch-o-Matic is or does...
You should not have to patch the kernel in any way.
Netfilter's Patch-O-Matic (POM) is a series of kernel patches against the vanilla linux kernel sources that add a bunch of extra options to iptables/netfilter. There's added matches, and added targets, etc. They let you build a much more flexible and precise firewall than with plain (non-patched) kernel/netfilter. For example, there's add-ons to tarpit connections, detect port scans, manipulate individual flags in packets, select packets randomly, match based on country the packets are coming from or going to, or even by OS they are originating on.

It was working without issue, but lately there's been some errors with it. So, while you don't have to patch the kernel, once you get used to the added functionality that Netfilter POM adds, you'll want to. Actually, I wish they'd put it in the main kernel tree.
 
Old 05-20-2006, 02:08 PM   #5
RavenOfOdin
Member
 
Registered: Feb 2006
Location: Arkansas, C.S.A
Distribution: Ubuntu 6.06 LTS, PC / Debian Etch 2.6.16.17 PPC
Posts: 60

Original Poster
Quote:
Originally Posted by jayjwa
To fix it, when you come to a patch where you get the "can't find Makefile.ladd" message:
Haven't been getting that so I'm not too sure if this will help.

Quote:
Originally Posted by jayjwa
The 20060424 can give you (working, with my patches applied, below):

comment IPV4OPTSSTRIP NETMAP connlimit expire fuzzy iprange ipv4options nth psd quota random set time IPMARK ROUTE TARPIT XOR connrate geoip ipp2p rsh
Downloaded, ran, and all I see applying cleanly through the "t" key is "comment" . . .

I assume that means I need to apply the patches before working with POM?
 
Old 05-21-2006, 03:54 PM   #6
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

The "t" key?
 
Old 05-21-2006, 04:01 PM   #7
RavenOfOdin
Member
 
Registered: Feb 2006
Location: Arkansas, C.S.A
Distribution: Ubuntu 6.06 LTS, PC / Debian Etch 2.6.16.17 PPC
Posts: 60

Original Poster
Quote:
Originally Posted by jayjwa
The "t" key?
Rofl. . .Yeah. . .The "t" key.

Doesn't the "test before applying" option show up in your POM commands list?

Last edited by RavenOfOdin; 05-21-2006 at 04:03 PM.
 
Old 05-22-2006, 06:46 PM   #8
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 799

Yeah, I've seen it, but not actually pressed it. Just the "F" (which curiously enough is not listed, but "f" is), "y" and "n" keys.

Quote:
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
unable to find ladd slot in src /tmp/pom-13436/net/ipv4/netfilter/Makefile (./patchlets/iprange/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)
Here are the versions I was using. Maybe next kernel I'll let script & scriptreplay run and see if it makes a transcript.

Code:
geoip-path-fix.patch.gz                  netfilter-2.6.x-kern.patch.gz
iptables-1.3.5-20060514.tar.bz2          patch-o-matic-ng-20060424.tar.bz2
IPV4OPTSSTRIP-2.6-skb-writable.patch.gz  
linux-2.6.16.16.tar.bz2

Perl 5.8.8
GCC 4.1.0
 
Old 05-27-2006, 12:39 AM   #9
RavenOfOdin
Member
 
Registered: Feb 2006
Location: Arkansas, C.S.A
Distribution: Ubuntu 6.06 LTS, PC / Debian Etch 2.6.16.17 PPC
Posts: 60

Original Poster
*see below*

Last edited by RavenOfOdin; 06-02-2006 at 04:07 PM.
 
Old 06-02-2006, 04:01 PM   #10
RavenOfOdin
Member
 
Registered: Feb 2006
Location: Arkansas, C.S.A
Distribution: Ubuntu 6.06 LTS, PC / Debian Etch 2.6.16.17 PPC
Posts: 60

Original Poster
Well, now that I finally have it done, after keeping a few other balls in the air for a while, I have to say. . .

THANK YOU very much!

I put in most of what you listed down there, and some of what you didn't - like osf. This was under iptables 1.3.5, and POM-ng-20060424. This was with 2.6.16.18 kernel.

Didn't go with either the rpc or rsh patches.

A couple of interesting issues:

1) Iprange was listed twice, even after removing all duplicates in the Netfilter Makefile, so I went with the more recent menuconfig entry (the one not above MULTIPORT and TOS.)
2) I had to take connrate out after the kernel build halted right before bzImage creation with an error in net/built-in.o - undefined symbol local_bh_disable if I remember correctly.
3) Iptables rule sets load when Firestarter loads. It seems less like a front-end now and more like a back-end. I might do some tinkering with /etc/modules to set this right.

I must say, I learned quite a bit from this.
Now all that remains is to update my distro to 6.06.

Last edited by RavenOfOdin; 06-02-2006 at 04:06 PM.
 
  

