1.5. Applying m0n0wall patches for FreeBSD

In order to build a m0n0wall image where all the features work as in the official releases, various patches to the kernel and userland have to be applied. Download these patches from http://m0n0.ch/wall/downloads/freebsd-4.11/patches.tgz and extract them somewhere (the following commands assume that your patches are in $MWPATCHDIR).

1.5.1. Userland patches

1.5.1.1. ipfilter: ipf.c

This needs to be patched so it doesn't exit when it encounters an error while adding a rule. The most common example where this is not good at all is when you have a duplicate rule.

cd /usr/src
patch < $MWPATCHDIR/user/ipf.c.patch
cd sbin/ipf
make
install -s /usr/obj/usr/src/sbin/ipf/ipf $MWROOT/sbin

1.5.1.2. syslogd circular logging support

Since m0n0wall keeps everything in a memory file system for reliability, disk space is scarce. On the other hand, even the biggest disk can eventually become full with logs, so it's better to solve this problem in another way. m0n0wall uses circular logging, which means that the oldest log entries are overwritten by new ones when there's not enough space. The syslogd that comes with FreeBSD needs to be patched with clog (http://software.wwwi.com/syslogd/, modified to work with 4.11's syslogd) to support this kind of logging.

cd /usr/src
patch < $MWPATCHDIR/user/syslogd.c.patch
cd usr.sbin
tar xfvz $MWPATCHDIR/user/clog-1.0.1.tar.gz
cd syslogd
make
install -s /usr/obj/usr/src/usr.sbin/syslogd/syslogd $MWROOT/usr/sbin
cd ../clog
make obj && make
install -s /usr/obj/usr/src/usr.sbin/clog/clog $MWROOT/usr/sbin

1.5.1.3. dhclient-script

The /sbin/dhclient-script that comes with FreeBSD needs to be modified to write out DNS server information for the PHP scripts to use, and also not to invoke the hooks upon uninteresting events.

cd $MWROOT/sbin
patch < $MWPATCHDIR/user/dhclient-script.patch
rm dhclient-script.orig

1.5.2. Kernel patches

Numerous patches to the FreeBSD kernel need to be applied for m0n0wall to make everything work as desired; here's the list of changes (paths relative to /usr/src/sys):

  • conf/options

    add new kernel config options for ipfilter state table size and to enable the forced MSS clamping feature (see below)

  • contrib/ipfilter/netinet/fil.c, contrib/ipfilter/netinet/ip_compat.h, contrib/ipfilter/netinet/ip_fil.h

    moving includes around and change some #ifs to make it compile properly

  • contrib/ipfilter/netinet/ip_nat.c, contrib/ipfilter/netinet/ip_nat.h, contrib/ipfilter/netinet/mlfk_ipl.c

    checksum calculation fixes by Fred Wright and forced MSS clamping feature patch by Manuel Kasper

  • contrib/ipfilter/netinet/ip_state.c

    window scaling-related fixes by Fred Wright

  • i386/isa/clock.c

    write back weekday properly to CMOS to avoid date/time reset on Soekris machines

  • kern/subr_diskslice.c

    comment out a warning about raw partition size != slice size since we don't care and everybody uses different CF cards or hard drives

  • net/if_ethersubr.c

    comment out a warning about dropping multicast packets when bridging

  • netgraph/ng_ppp.c

    protocol-field compression fix by Fred Wright

  • netinet/ip_input.c

    prevent packets from being passed through ipfilter twice when they come out of a dummynet pipe

  • netinet/ip_output.c

    reverse ipfw/ipfilter processing order to be symmetric with the input side

  • netipsec/key.c, netipsec/key_var.h

    new SA preferral patch by Fred Wright

  • pci/if_sis.c, pci/if_sisreg.h

    improve handling of stopped sis devices where IRQ sharing is present (such as on the net4801); improved DP83815 short cable bug fixes by Fred Wright

  • i386/i386/identcpu.c

    identify NS Geode CPUs properly (net4801, WRAP)

  • i386/i386/vm_machdep.c

    add reset code for NS Geode (for keyboard controller-less WRAP)

  • dev/ata/ata-pci.c

    add kernel option to disable probing of ATA slave devices (causes ~30 second hang on boot with WRAP)

  • dev/ata/ata-disk.c

    patch ATA standby support to allow changes at runtime

  • modules/ipfw/Makefile

    build with IPFIREWALL_DEFAULT_TO_ACCEPT

  • dev/wi/if_wi.c

    add DELAY(1) in wi_cmd as a workaround for timeouts with some PRISM-based cards

  • pci/if_xl.c, pci/if_xlreg.h

    add definitions for 3C920B-EMB-WNM

Apply the patches as follows:

cd /usr/src
patch -p0 < $MWPATCHDIR/kernel/kernel-411.patch