In order to build a m0n0wall image where all the features work as in the official releases, various patches to the kernel and userland have to be applied. Download these patches from http://m0n0.ch/wall/downloads/freebsd-4.11/patches.tgz and extract them somewhere (the following commands assume that your patches are in $MWPATCHDIR).
The ipf utility (sbin/ipf) needs to be patched so that it does not exit when it encounters an error while adding a rule. The most common case where aborting is undesirable is a duplicate rule.

    cd /usr/src
    patch < $MWPATCHDIR/user/ipf.c.patch
    cd sbin/ipf
    make
    install -s /usr/obj/usr/src/sbin/ipf/ipf $MWROOT/sbin
Since m0n0wall keeps everything in a memory file system for reliability, disk space is scarce. On the other hand, even the biggest disk eventually fills up with logs, so the problem is better solved another way. m0n0wall uses circular logging, which means that the oldest log entries are overwritten by new ones when there is not enough space. The syslogd that comes with FreeBSD needs to be patched with clog (http://software.wwwi.com/syslogd/, modified to work with 4.11's syslogd) to support this kind of logging.

    cd /usr/src
    patch < $MWPATCHDIR/user/syslogd.c.patch
    cd usr.sbin
    tar xfvz $MWPATCHDIR/user/clog-1.0.1.tar.gz
    cd syslogd
    make
    install -s /usr/obj/usr/src/usr.sbin/syslogd/syslogd $MWROOT/usr/sbin
    cd ../clog
    make obj && make
    install -s /usr/obj/usr/src/usr.sbin/clog/clog $MWROOT/usr/sbin
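To illustrate the circular logging that the clog patch provides, here is an added example written for this page (not clog's or m0n0wall's source; the ringlog_* names and the slot sizes are constructed for the demo): a fixed number of fixed-size slots where, once the log is full, each new message overwrites the oldest one, while entries can still be read back in chronological order.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example of a circular (ring) log in the spirit of clog:
 * RINGLOG_SLOTS fixed-size entries; when all slots are used, the oldest
 * entry is overwritten instead of the log growing. Not clog's real format. */
#define RINGLOG_SLOTS 4
#define RINGLOG_SLOT_BYTES 32

struct ringlog {
    char slots[RINGLOG_SLOTS][RINGLOG_SLOT_BYTES];
    size_t head;   /* index of the slot the next message goes into */
    size_t count;  /* number of valid entries, never above RINGLOG_SLOTS */
};

void ringlog_init(struct ringlog *rl) { memset(rl, 0, sizeof *rl); }

/* Append one message (truncated to the slot size, always NUL-terminated).
 * Returns 1 if an older entry was overwritten to make room, else 0. */
int ringlog_append(struct ringlog *rl, const char *msg) {
    int overwrote = (rl->count == RINGLOG_SLOTS);
    snprintf(rl->slots[rl->head], RINGLOG_SLOT_BYTES, "%s", msg);
    rl->head = (rl->head + 1) % RINGLOG_SLOTS;
    if (!overwrote) rl->count++;
    return overwrote;
}

/* Entry i in chronological order (0 = oldest surviving), or NULL if i is
 * past the end. The oldest entry sits `count` slots behind the head. */
const char *ringlog_get(const struct ringlog *rl, size_t i) {
    if (i >= rl->count) return NULL;
    size_t oldest = (rl->head + RINGLOG_SLOTS - rl->count) % RINGLOG_SLOTS;
    return rl->slots[(oldest + i) % RINGLOG_SLOTS];
}

/* Demo state: fill a log with "msg 1" .. "msg n"; returns how many older
 * entries were overwritten along the way. */
static struct ringlog demo_log;

int ringlog_fill(int n) {
    int dropped = 0;
    char line[64];
    ringlog_init(&demo_log);
    for (int i = 1; i <= n; i++) {
        snprintf(line, sizeof line, "msg %d", i);
        dropped += ringlog_append(&demo_log, line);
    }
    return dropped;
}

/* Entry i of the demo log, oldest first. */
const char *ringlog_entry(size_t i) { return ringlog_get(&demo_log, i); }

int main(void) {
    int dropped = ringlog_fill(6);
    printf("%d entries overwritten\n", dropped);
    for (size_t i = 0; ringlog_entry(i); i++)
        printf("%zu: %s\n", i, ringlog_entry(i));
    return 0;
}
```

With six messages and four slots, the first two messages are overwritten and reading back yields "msg 3" through "msg 6" in order; a real implementation such as clog keeps the write position in the file itself so the log survives a daemon restart, but the wrap-around logic is the same.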
The /sbin/dhclient-script that comes with FreeBSD needs to be modified to write out DNS server information for the PHP scripts to use, and also not to invoke the hooks upon uninteresting events.

    cd $MWROOT/sbin
    patch < $MWPATCHDIR/user/dhclient-script.patch
    rm dhclient-script.orig
Numerous patches to the FreeBSD kernel need to be applied for m0n0wall to make everything work as desired; here is the list of changes (paths relative to /usr/src/sys):
conf/options
    add new kernel config options for the ipfilter state table size and to enable the forced MSS clamping feature (see below)

contrib/ipfilter/netinet/fil.c, contrib/ipfilter/netinet/ip_compat.h, contrib/ipfilter/netinet/ip_fil.h
    move includes around and change some #ifs to make it compile properly

contrib/ipfilter/netinet/ip_nat.c, contrib/ipfilter/netinet/ip_nat.h, contrib/ipfilter/netinet/mlfk_ipl.c
    checksum calculation fixes by Fred Wright and forced MSS clamping feature patch by Manuel Kasper

contrib/ipfilter/netinet/ip_state.c
    window scaling-related fixes by Fred Wright

i386/isa/clock.c
    write back the weekday properly to CMOS to avoid date/time reset on Soekris machines

kern/subr_diskslice.c
    comment out a warning about raw partition size != slice size, since we don't care and everybody uses different CF cards or hard drives

net/if_ethersubr.c
    comment out a warning about dropping multicast packets when bridging

netgraph/ng_ppp.c
    protocol-field compression fix by Fred Wright

netinet/ip_input.c
    prevent packets from being passed through ipfilter twice when they come out of a dummynet pipe

netinet/ip_output.c
    reverse ipfw/ipfilter processing order to be symmetric with the input side

netipsec/key.c, netipsec/key_var.h
    new SA preferral patch by Fred Wright

pci/if_sis.c, pci/if_sisreg.h
    improve handling of stopped sis devices where IRQ sharing is present (such as on the net4801); improved DP83815 short cable bug fixes by Fred Wright

i386/i386/identcpu.c
    identify NS Geode CPUs properly (net4801, WRAP)

i386/i386/vm_machdep.c
    add reset code for NS Geode (for the keyboard controller-less WRAP)

dev/ata/ata-pci.c
    add a kernel option to disable probing of ATA slave devices (causes a ~30 second hang on boot with WRAP)

dev/ata/ata-disk.c
    patch ATA standby support to allow changes at runtime

modules/ipfw/Makefile
    build with IPFIREWALL_DEFAULT_TO_ACCEPT

dev/wi/if_wi.c
    add DELAY(1) in wi_cmd as a workaround for timeouts with some PRISM-based cards

pci/if_xl.c, pci/if_xlreg.h
    add definitions for the 3C920B-EMB-WNM
Apply the patches as follows:
    cd /usr/src
    patch -p0 < $MWPATCHDIR/kernel/kernel-411.patch
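The ip_nat.c entries above combine the forced MSS clamping feature with checksum calculation fixes, and the two are tied together: lowering the MSS value inside a SYN's TCP options changes the packet, so the TCP checksum has to be corrected, and doing that incrementally (RFC 1624) is where such bugs tend to live. The following is an added example written for this page, not ipfilter's or m0n0wall's code: it walks the TCP option list, clamps an MSS option that exceeds a limit, and patches the checksum incrementally, including the case where the 2-byte MSS value straddles two 16-bit checksum words because a NOP precedes the option. The checksum covers only the TCP header (no pseudo-header) so the demo stays self-contained; the incremental update is identical either way. All names (tcp_clamp_mss, build_syn, clamp_demo) and the sample SYN are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: MSS clamping on a TCP SYN with an RFC 1624
 * incremental checksum update. Not ipfilter's implementation. */

static uint16_t word_at(const uint8_t *p, size_t off) {
    return (uint16_t)((p[off] << 8) | p[off + 1]);
}

/* Internet checksum over len bytes (len is even for TCP headers). */
uint16_t csum16(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += word_at(p, i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') after replacing word m by m'. */
uint16_t csum_update16(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~m_old;
    sum += m_new;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Walk the TCP options; if an MSS option exceeds clamp, lower it and fix
 * the checksum in place. Returns -1 on a malformed header, 1 if clamped,
 * 0 otherwise. *mss_out receives the MSS left in the header (0 if none). */
int tcp_clamp_mss(uint8_t *tcp, size_t len, uint16_t clamp, uint16_t *mss_out) {
    if (mss_out) *mss_out = 0;
    if (len < 20) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;      /* data offset in words */
    if (hlen < 20 || hlen > len) return -1;
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                        /* end of option list */
        if (kind == 1) { i++; continue; }            /* NOP padding */
        if (i + 1 >= hlen) return -1;                /* truncated option */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;  /* bogus length */
        if (kind == 2 && olen == 4) {
            uint16_t mss = word_at(tcp, i + 2);
            if (mss_out) *mss_out = mss;
            if (mss <= clamp) return 0;
            /* The value at i+2..i+3 may span two aligned checksum words. */
            size_t w0 = (i + 2) & ~(size_t)1, w1 = (i + 3) & ~(size_t)1;
            uint16_t o0 = word_at(tcp, w0), o1 = word_at(tcp, w1);
            uint16_t hc = word_at(tcp, 16);
            tcp[i + 2] = (uint8_t)(clamp >> 8);
            tcp[i + 3] = (uint8_t)(clamp & 0xff);
            hc = csum_update16(hc, o0, word_at(tcp, w0));
            if (w1 != w0) hc = csum_update16(hc, o1, word_at(tcp, w1));
            tcp[16] = (uint8_t)(hc >> 8);
            tcp[17] = (uint8_t)(hc & 0xff);
            if (mss_out) *mss_out = clamp;
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Constructed sample: a 28-byte SYN carrying an MSS option and a valid
 * header-only checksum. nop_before inserts a NOP in front of the MSS option
 * so the value lands at an odd offset. Returns the header length. */
size_t build_syn(uint8_t *buf, uint16_t mss, int nop_before) {
    static const uint8_t fixed[20] = {
        0xc0, 0x00, 0x00, 0x50,  /* src port 49152, dst port 80 */
        0x00, 0x00, 0x00, 0x01,  /* sequence number */
        0x00, 0x00, 0x00, 0x00,  /* ack number */
        0x70, 0x02,              /* data offset 7 (28 bytes), SYN */
        0xff, 0xff,              /* window */
        0x00, 0x00,              /* checksum, filled in below */
        0x00, 0x00               /* urgent pointer */
    };
    memcpy(buf, fixed, 20);
    uint8_t *o = buf + 20;
    if (nop_before) *o++ = 1;
    *o++ = 2; *o++ = 4; *o++ = (uint8_t)(mss >> 8); *o++ = (uint8_t)(mss & 0xff);
    while (o < buf + 28) *o++ = 1;                   /* NOP pad to 28 bytes */
    uint16_t c = csum16(buf, 28);
    buf[16] = (uint8_t)(c >> 8); buf[17] = (uint8_t)(c & 0xff);
    return 28;
}

struct clamp_result { int rc; uint16_t mss; uint16_t verify; };

/* Build a sample SYN, clamp it, and report the result plus the checksum
 * recomputed over the patched header (0 means it still verifies). */
struct clamp_result clamp_demo(uint16_t mss, int nop_before, uint16_t clamp) {
    uint8_t pkt[28];
    struct clamp_result r;
    size_t n = build_syn(pkt, mss, nop_before);
    r.rc = tcp_clamp_mss(pkt, n, clamp, &r.mss);
    r.verify = csum16(pkt, n);
    return r;
}

int main(void) {
    struct clamp_result r = clamp_demo(1460, 1, 1400);
    printf("rc=%d mss=%u checksum verify=0x%04x\n", r.rc, r.mss, r.verify);
    return 0;
}
```

A checksum recomputed over the patched header that comes out as 0 confirms the incremental update agrees with a full recalculation; a SYN whose MSS is already at or below the clamp is left untouched, and the walker rejects option lists with truncated or zero-length options instead of reading past the header.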