Slashdot Mirror

Look what Google turned up... An Open Source (GNU) electronic voting initiative

Andrew is not just a coder, he is truly inspiring.
I have sat with him going over some of his code-
syntax colouring, that lego feeling, elegance.
He was the one who really taught me about programming in c;
how effortless it can be.

A simple idea: ccache
A deeper idea: genstruct

May he win many more awards!

Andrew is not just a coder, he is truly inspiring.
I have sat with him going over some of his code-
syntax colouring, that lego feeling, elegance.
He was the one who really taught me about programming in c;
how effortless it can be.

A simple idea: ccache
A deeper idea: genstruct

May he win many more awards!

If you'd read, you would understand that there is no domain controller at this site. Can you say "workgroup?" If you'd bothered to read, you would understand there's no NT server at this site.

And since you're so smart, you know that no domain controller means no group policies. No NT Server means no poledit.exe.

If you weren't so worried about flaming someone, you might even have understood that.

Some people don't have the money to throw away on a server that almost works most of the time and a "certification" that helps just about as much as a bag of flaming poop.

Ultimately, SAMBA can provide these services, though you'll need a tool from the Windows NT Server kit (which means that you won't be implementing group policies until you have a copy of NT Server--not that it's worth it).

Here's a link to find out more.

> Quartz anti-aliasing for Carbon apps

About time. Anti-aliased fonts have only been in Windows and X for several years.

> Unicode character palette

Uh. 'Kay. Windows 2000 has one of those.

> Mount ftp servers directly in Finder

Gosh! And Explorer can't do this... in what way? Oh, that's right - it can do this.

> iChat

Try MSN Messenger, Yahoo Messenger or Trillian.

Take your pick, really.

> Sherlock 3

Is nothing more than a glorified search engine front-end. Try Google or Teoma instead.

> Quartz Extreme

Putting "EXTREME" on the end of something makes it much more exciting, no? No.

> better interopability with windows networks

Samba. Yawn. Also: Windows has no interoperability issues with Windows networks.

> IPv6

And this is usable... how? Unless you have an internet2 connection, but you're probably enlightened and running a genuine *BSD at that point.

> Rendezvous
> Inkwell
> improved Address Book

Oh really, how very interesting. Not.

Anyway, in conclusion: I don't really like Microsoft or Apple, but neither is an "escape" from the other. They're both giant corporations that want to take your money - and they certainly aren't getting any of mine if I can help it.

Yes, I use Windows 2000 and FreeBSD. In my mind, Windows 2000 (pre service pack 3) was the last, greatest OS that Microsoft will ever produce. They've destroyed it all with all of Windows XP's Mickey-Mouse bullshit look of a toy operating system, the same crap that irritates me in OS/X - I'll migrate completely to FreeBSD as Windows 2000 fades into obsolesence.

Sounds nice. But what will California govt do when they will read the following kind of news?

"The Samba Team has a number of significant expenses so we have decided to setup a donation system to allow users of Samba to make contributions to help cover the cost of running samba.org and developing Samba"

If a govt wants to save money on open source, than it should act more. My proposal is very simple: the govt must create a budget for all open source packages it uses, and the budget must cover at least all dot-org operational cost. In exchange the govt may get a vote when a team would decide about what features should be in the next release.

The only question is not clear for me yet: in the open source world there are lots of alternatives. What packages will the govt use? For example, GNOME or KDE? I guess GPL is good for govts, but even within GNU there are equal alternatives. For example Emacs and Xemacs.

It's all referenced here: http://marc.merlins.org/linux/linux.conf.au_2001/D ay4/InsideTivo.html

It's also all pretty hairy stuff. Decendants of Tridge and co. have since released a 100MB card that plugs *directly* into the TiVo. It's pretty sweet, and doesn't require an EE degree to build.

However your in-laws would still have the problem of the PAL tuner and the guide data.

Tridge has a palkit that is supposed to help you replace the tuner.

http://tivo.samba.org/download/tridge/
(Lots of other goodies there too.)

But as for the guide data -- maybe you could beg him? Or have your in-laws deliver a pizza? (Old Samba joke.)

It looks like nothing helpful to any open source projects will be revealed. No server protocol or api for 'security reasons' and because it would allow them to
"clone" Windows, prompting Microsoft to stop investing in research and development on the operating system.

Yeah right, Microsoft just wants an excuse not to help out open source projects.

So it's pretty worthless to projects like Wine and Samba. I think this is just more of their Shared Source program.

Oh and btw, here's an HTML clickable link:
http://story.news.yahoo.com/news?tmpl=story&ncid=5 81&e=1&cid=581&u=/nm/20020805/tc_nm/microsoft_code _dc_17

A format, language, or protocol that has become a standard not because it has been approved by a standards organization but because it is widely used and recognized by the industry as being standard.

As far as I can tell from this site, Microsoft DID NOT create SMB. IBM did. They were the first ones to really use it, but they didn't actually create it.

ccache.samba.org

Take a look at ccache.

The "Low Speed Data" port on DSS recievers can be hooked up to a PC serial port for control. This guy has an interesting project, with downloadable source code for just that purpose. There's even scripts for pulling down the program guide from direcTV's website. Email him if you want.

I'm currently using a setup like this with another debian box running samba, so I have near unlimited storage space.

The combination of these should get you started.

However, certain factions, namely the Linux zealots eager to boycott and bitch and try to steal intellectual property and server code and processes they DON'T OWN are rocking the damn boat for the majority of Linux/non-Windows/non-Mac people who wouldn't mind a Blizzard game.

Yeah. We all know it's perfectly reasonable for Blizzard to sue bnetd.org, because reverse engineering Blizzard's Ultra Secret game protocol so that you don't have to be connected to the internet to play multiplayer Starcraft is so wrong that it should be a crime. I mean, only criminals would reverse engineer a protocol in order to get something they legally own to work the way they think it should.

Right?

Or insert a little time bombs into their computers, and when the office is on fire, appear with the water, save the day, become a hero, tell them that as a hero you know what's good for them — daily backups that is — and get a rise for saving not only the hard drives content, but also your coworkers.

But seriously, I don't have much time to read every +5 Insightful conspiration plan as well as the real solutions, so I'm risking being a little redundant.

Therefore, a lot of company property exists one place-- on individual hard drives.

You might of course try making them do daily backups, but they won't do it for sure, even if it means that every employee has to use 20 minutes every day. And they're right, like they're not changing the oil in the company's cars. They want to have computers which let them do their job.

The simplest solution would be to use Samba servers for users' files storage (I don't know if NFS work under Windows) &mdash which will act as a remote storage of everything your coworkers do, in a way totally transparent for them (just another directory on their computers to which they should save the important stuff) see Samba.org for details. If it's a small office, you just need a single file server for that so the hardware won't cost you much, the cost of software is $0 (or you may use Microsoft sollutions if you have lots of money for that — ask someone who uses NT file servers for more info about the MS way).

Now you have every important data on one machine. You can set up this machine to automatically sync the main directory with the redundant copy of everything in a second (or more) directory, so when someone deletes something important, it's still in the second copy, or third, etc.

But now you have a single critical point where everything important is located — that's to risky. You should have another machine, in another place, which will sync with the main file server every couple of hours, or every night using e.g. rsync. Now you have every data redundant in few places on two machines, and you can easily make manual backups on tapes, or CDRs, etc. from one of this machine.

You can use RAID 1 or 5 level arrays to be secured against hard disk failures, but it won't protect you if someone just deletes important files, so the periodical backups are still important with RAID arrays. Read the Software RAID HOWTO.

This is how I would do it, not counting on everyone making daily backups of their hard drives. I hope it will help you in securing your office data. The key ingredients: Samba and rsync.

You could also install rsync on the Windows machines (if there is rsync for Windows — I don't know) and set some Windows equivalent of cron job to update the backup version stored on the main server every hour and manually after clicking some "sync" icon, etc. Of course, There's More Than One Way To Do It.

Or insert a little time bombs into their computers, and when the office is on fire, appear with the water, save the day, become a hero, tell them that as a hero you know what's good for them — daily backups that is — and get a rise for saving not only the hard drives content, but also your coworkers.

But seriously, I don't have much time to read every +5 Insightful conspiration plan as well as the real solutions, so I'm risking being a little redundant.

Therefore, a lot of company property exists one place-- on individual hard drives.

You might of course try making them do daily backups, but they won't do it for sure, even if it means that every employee has to use 20 minutes every day. And they're right, like they're not changing the oil in the company's cars. They want to have computers which let them do their job.

The simplest solution would be to use Samba servers for users' files storage (I don't know if NFS work under Windows) &mdash which will act as a remote storage of everything your coworkers do, in a way totally transparent for them (just another directory on their computers to which they should save the important stuff) see Samba.org for details. If it's a small office, you just need a single file server for that so the hardware won't cost you much, the cost of software is $0 (or you may use Microsoft sollutions if you have lots of money for that — ask someone who uses NT file servers for more info about the MS way).

Now you have every important data on one machine. You can set up this machine to automatically sync the main directory with the redundant copy of everything in a second (or more) directory, so when someone deletes something important, it's still in the second copy, or third, etc.

But now you have a single critical point where everything important is located — that's to risky. You should have another machine, in another place, which will sync with the main file server every couple of hours, or every night using e.g. rsync. Now you have every data redundant in few places on two machines, and you can easily make manual backups on tapes, or CDRs, etc. from one of this machine.

You can use RAID 1 or 5 level arrays to be secured against hard disk failures, but it won't protect you if someone just deletes important files, so the periodical backups are still important with RAID arrays. Read the Software RAID HOWTO.

This is how I would do it, not counting on everyone making daily backups of their hard drives. I hope it will help you in securing your office data. The key ingredients: Samba and rsync.

You could also install rsync on the Windows machines (if there is rsync for Windows — I don't know) and set some Windows equivalent of cron job to update the backup version stored on the main server every hour and manually after clicking some "sync" icon, etc. Of course, There's More Than One Way To Do It.

check out distcc while you're at it. from Martin Pool.

ccache is pretty good, but not especially made for distributed compilation, but there is another project at samba.org:
distcc.

/elmartinos

That way, if someone has already built the file you're about to build, it's just a copy. Even better is if you have a continous build script caching results ahead of time for you.

It has worked pretty well for me so far.

Your best approach is to use Samba with Dave/Xsamba/Sharity or the SMB client in MacOS X 10.1 (?) on the Mac. Dave is for old, pre-MacOS X MacOS-es. Smbclient/smbmount on the Unix machines (which seems kind of slow). Or you could install OpenAFS which is a distributed filesystem with caching, crypto authentification (something like Kerberos), disconnected operation, etc. The sad part is that it wasn't ported on any of the BSDs yet, except Darwin/MacOS X. They are working on ports though and the server has been ported to FreeBSD and OpenBSD and the cache manager is in the works I believe. It works fine on Linux, Windows NT/2k, Solaris and a buch of other platforms.

this has probably already been said, but i'll say it anyway :) for my file sharing needs i have one machine between my router and internal firewall that i can ssh(openssh.org) to and use the rsync or scp utils to get data off of there. My internal mp3 machine is WinXP so i use smbmount(samba.org) from the DMZ to mount the shared DIR if i need to get to an Mp3 from the outside, same goes for any other win/linux machines on my internal network, all internal *nix machines run samba i've never had a problem or thought that this was inefficient, so it works for me.

Use the excellent rsync from Paul Makerras (of pppd fame) and Andrew Tridgell (samba team) in combination with OpenSSH and SSH for windows (both based on Tatu Ylonen's work; OpenSSH is maintained by and expert team including Markus Friedl and the recently monkey-cracked Dug Song, among others).

Set up your accounts to rsync-upload changes to whichever server is most secure when you log out, and use a cron job on that server to rsync-download to all the other servers nightly. You can make a tar backup part of the system also.

You will have to remember what's going on so you don't modify the same file differently on two different systems within 24 hours. If you want to overcome that shortcoming by making this work on an immediate sync basis rather than periodically, you'll need something like SGI's fam (included with recent linux distros) to trigger the updating processes.

You should already be 90% there if you have your ssh keys set up for passwordless login. Passwordless PKI logins are not significantly less secure than passworded logins in most situations (granted hostile system management can get you, but the BOFH can trojan your login anyway).

Lots of people use this technique to sync CVS trees over slow links. Rsync is very efficient for that kind of thing (large volume of files, low number of changed bytes).

An alternative, admittedly far fetched, idea would (imagination going beserk here) be p2p compilation.

ccache does pretty much that, except a little more "locally". I can imagine moving the cache that this thing uses out to some network (or something).

The real problem is network latency... it would be faster to compile an individual file than it would be to do a cache lookup/copy over the network.

Note the first words -- in version 2.5. If you have a different version of TiVo software (and lots of people do) it won't work. These shortcuts seem to change radically between software versions. Check a subset of the site referenced (the TiVo Hack FAQ) for more detail, and check software version and use at your own risk.

Yes we will. Please see this statement for details.

Jeremy Allison
Samba Team.

Nope, I thanked Richard Stallman for creating the GPL and the FSF for helping us with legal issues :-).

And I had to wear a suit :-) :-).

Here is proof :-) :-)

Jeremy Allison,
Samba Team.

I think that the CALs are required for Macs. At least if they are accessing Windows file shares, Inter/intra-net servers, etc.

You don't need a CAL to access a Windows Networking share from a computer running Mac OS X. All you need is SAMBA. Most of Microsoft's other server software runs on standard protocols such as HTTP, FTP, etc.

As for one hand not knowing what the other hand is doing, how could the management of Microsoft's "server section" not know?

Microsoft's SFU is targeted at the market currently using Unix, BSD and Linux. Practically all of the competition in that market use SAMBA to provide an interoperating SMB server( including the other Unix vendors not listed there ). How could Microsoft's Marketing and Management teams not be fully aware of what the competition is using?

My biggest nit pick is that I wish Portage had a better way of tracking changes between package versions. Sometimes the only difference between two versions is a few lines of a Gentoo-supplied script or config file. When you upgrade the package it forces you you to recompile the whole thing, even though the changes didn't do anything that would have affected compilation.

I don't know if there's a good Gentoo specific answer to your question, but you could speed up the n+1th c/c++ compile if you used ccache to compile your software. See ccache.samba.org.

ccache and its predecessor, compilercache, save me large quantities of time compiling things for work and play.

Samba is well known for its ability to act as an NT File/Print server, but it can also act as a primary domain controller. I believe that its PDC capability along with its Unix Password Sync functionality will allow you to accomplish most of what you want. Alternatively Samba also comes with windbindd which allows you to have your Linux and Solaris clients participate in an NT domain.

With Unix password sync, you are likely to be tempted to use NIS to distribute your passwords to your Linux and Solaris clients. While that would work just fine, NIS is known for its lack of security (search for my other post on this subject). If you use NIS initially (potentially to integrate with your existing NIS environment), consider shifting over to LDAP. Samba 2.2.x has had significant work done to provide integration with LDAP. Check the docs for the latest release and the samba mailing lists for details.

If you have an existing *nix net Samba would probably be the way to go.

Other benifits include a centralized "Share" so all your machines could easily mount the same drives, and centralized printing (You don't need samba for this unless your network prints from the windows network) Check it out, the new versions also support encyrpted passwords...

Just my 2cents

According to this post on Samba Technical, the Storage Network Industry Association will soon release version 1.0 of their SMB/CIFS documentation. Version 0.9 has been available for some time.

The SNIA doc was based on the earlier Leach/Naik IETF draft, but was updated based on input from many sources, including IBM, HP, the jCIFS Team, Microsoft, NetApp, the Samba Team, and others. The new SNIA doc does not have the licensing restrictions of the Microsoft release.

-- JLM

According to this post on Samba Technical, the Storage Network Industry Association will soon release version 1.0 of their SMB/CIFS documentation. Version 0.9 has been available for some time.

The SNIA doc was based on the earlier Leach/Naik IETF draft, but was updated based on input from many sources, including IBM, HP, the jCIFS Team, Microsoft, NetApp, the Samba Team, and others. The new SNIA doc does not have the licensing restrictions of the Microsoft release.

-- JLM

According to this post on Samba Technical, the Storage Network Industry Association will soon release version 1.0 of their SMB/CIFS documentation. Version 0.9 has been available for some time.

The SNIA doc was based on the earlier Leach/Naik IETF draft, but was updated based on input from many sources, including IBM, HP, the jCIFS Team, Microsoft, NetApp, the Samba Team, and others. The new SNIA doc does not have the licensing restrictions of the Microsoft release.

-- JLM

So, the very people who should be using it, users out in the field won't because they have been burned before. So, I was recently setting up IMAP/SSL and OWA/SSL access to our email server using stunnel as a backup, in case the VPN client doesn't feel like resolving names.

They seem to like this, so I was also looking at using one of the many variants on smb2www over SSL to provide backup access to our NT file servers, but I wanted to limit what servers and shares they could see this way from the outside. If these products can do that, then I might just recommend them for our company!

Balam

Frankly, from me, the problems of documentation with OS-level API's are hearsay - I just haven't done Windows programming at that deep a level. It has, however, been the standard complaint of WINE and SAMBA developers for years.

Really, if someone has trouble looking up documentation on MS APIs in MSDN, then they'd probably have trouble looking something up in Google, too. The problem is, more than likely, people completely unfamiliar with MS' APIs (Win32, COM, .NET, DirectX...), so they don't even know what they're looking for.

Your point that you have to know what you're looking for, no matter what toolkit you use a fair one, but I think you're overstating it. I've used the MSDN library for reference on Access programming for 3 years, and I can't say I'm that impressed. Most of the documents on there are written in marketing style, rather than being direct technical information. Reading "Did you know you can embed Excel documents into Access forms?" is not helpful when you want to know why something's not working.

I believe the problem is on sparc64 (and not sparc32). It's a trivial patch... just a few lines, so it's easy to have been overlooked.

Anyone using a SPARC/Linux machine that wants the latest and greatest should always turn to the
vger.samba.org sparc/linux kernel cvs tree. It's always got the latest stuff for both 64-bit and 32-bit SPARCs (and networking as well).

That said, 64-bit SPARC machines should run fine with the recent kernels. For the 32-bit SPARC machines, I can only comment on the sun4m and sun4c machine. Currently, the sun4m machines should boot and be ok... the sun4c machines do not.

sun4m machines: ss20, ss10, ss5, ss4, lx, classic, javastations
sun4c machines: ss2, ss1+, ss1, ipx, ipc, slc, elc

Both are reverse-engineered implementations of a proprietary server protocol.

These iptables rules (implemented on the gateway to the internet) stop the accesses the media player (version 7.x) makes on my system. Could someone check if they catch all accesses from Media Player 8 also?:

iptables -A FORWARD -p tcp -d codecs.microsoft.com -j REJECT --reject-with tcp-reset
iptables -A FORWARD -p tcp -d activex.microsoft.com -j REJECT --reject-with tcp-reset

In addition to the usual anti-spam methods:

• dorkslayers
• procmail
• Project SETS
• well configured MTA
• etc.

one can block IP addresses that attempt to spam on a regular basis. Tools such

• ipchains
• netfilter/iptables
• ipFilter

The following is a list of IP addresses that we have observed spamming on a regular basis. Blocking these sites won't solve your spam problem. On the other hand blocking common spam locations as part of an overall anti-spam system will help.

12.30.205.0/24 24.2.10.0/24 24.88.20.0/24 61.13.0.0/16 61.30.0.0/16 61.129.0.0/16 61.177.0.0/16 63.100.231.32/28 63.184.200.0/24 64.14.218.128/28 64.65.0.0/18 64.80.216.0/22 64.80.220.0/23 64.208.134.0/15 64.239.0.0/18 66.33.0.0/17 66.72.98.10/32 128.18.0.0/16 128.121.126.220/32 142.154.0.0/16 161.58.0.0/16 192.147.174.0/24 194.91.230.0/24 195.53.155.0/24 195.153.207.128/27 202.9.128.0/19 202.181.196.120/29 205.141.192.0/19 205.141.224.0/21 206.173.16.0/21 206.173.24.0/22 208.50.155.0/24 208.165.228.0/22 208.187.17.192/27 209.38.216.0/22 209.69.0.0/16 209.239.0.0/19 209.239.192.0/19 209.249.0.0/16 210.52.0.0/24 210.85.0.0/16 210.201.0.0/18 210.226.0.0/15 210.228.0.0/14 210.241.0.0/17 211.20.180.0/22 211.21.0.0/16 211.32.0.0/13 211.51.63.171/32 211.226.126.0/24 212.49.192.0/24 212.174.0.0/15 212.216.0.0/16 216.41.0.0/16 216.42.0.0/16 216.53.128.0/17 216.79.0.0/16 216.87.64.0/19 216.122.0.0/16 216.143.68.0/22 216.143.72.0/22 216.143.76.0/24 216.167.0.0/17 216.174.192.0/18 216.183.206.64/28

Sorry if your IP address is in the above list. If you are not a spammer then it could be that you happen to be using an ISP that tolerates spammers (or is unable/unwilling to block them), or you work for a company that spam, or you are near a poorly configured and poorly maintained site that is abused as an open relay.

In addition to the usual anti-spam methods:

• dorkslayers
• procmail
• Project SETS
• well configured MTA
• etc.

one can block IP addresses that attempt to spam on a regular basis. Tools such

• ipchains
• netfilter/iptables
• ipFilter

The following is a list of IP addresses that we have observed spamming on a regular basis. Blocking these sites won't solve your spam problem. On the other hand blocking common spam locations as part of an overall anti-spam system will help.

12.30.205.0/24 24.2.10.0/24 24.88.20.0/24 61.13.0.0/16 61.30.0.0/16 61.129.0.0/16 61.177.0.0/16 63.100.231.32/28 63.184.200.0/24 64.14.218.128/28 64.65.0.0/18 64.80.216.0/22 64.80.220.0/23 64.208.134.0/15 64.239.0.0/18 66.33.0.0/17 66.72.98.10/32 128.18.0.0/16 128.121.126.220/32 142.154.0.0/16 161.58.0.0/16 192.147.174.0/24 194.91.230.0/24 195.53.155.0/24 195.153.207.128/27 202.9.128.0/19 202.181.196.120/29 205.141.192.0/19 205.141.224.0/21 206.173.16.0/21 206.173.24.0/22 208.50.155.0/24 208.165.228.0/22 208.187.17.192/27 209.38.216.0/22 209.69.0.0/16 209.239.0.0/19 209.239.192.0/19 209.249.0.0/16 210.52.0.0/24 210.85.0.0/16 210.201.0.0/18 210.226.0.0/15 210.228.0.0/14 210.241.0.0/17 211.20.180.0/22 211.21.0.0/16 211.32.0.0/13 211.51.63.171/32 211.226.126.0/24 212.49.192.0/24 212.174.0.0/15 212.216.0.0/16 216.41.0.0/16 216.42.0.0/16 216.53.128.0/17 216.79.0.0/16 216.87.64.0/19 216.122.0.0/16 216.143.68.0/22 216.143.72.0/22 216.143.76.0/24 216.167.0.0/17 216.174.192.0/18 216.183.206.64/28

Sorry if your IP address is in the above list. If you are not a spammer then it could be that you happen to be using an ISP that tolerates spammers (or is unable/unwilling to block them), or you work for a company that spam, or you are near a poorly configured and poorly maintained site that is abused as an open relay.

What I do is use rsync to backup the company fileserver to a remote machine every 2 hours during business hours. Each update transfers about 10 to 20 MB over DSL/Cable. Then every evening I backup all the files that have changed over the last 24 hours into a seperate dated directory. The first dated backup consisted of the entire server (6 gb) and all the subsiquent backups are about 50 MB a day zipped.

So I have both a snapshot of the current status of the server with 2 hours accuracy and the ability to roll back the server to any point with 24 hours accuracy.

The best part is the company is paying for my Cable connection at home to do this.

such as the Goldmine licensing software that's designed to prevent more than X number of people using their software.

Get iptables for Linux, run make patch-o-matic, and install this [optional] target:


TTL - This target is used to modify the time to live field in the IP header. It is only valid in the mangle table.

--ttl-set ttl Set the TTL to the given value.

--ttl-dec ttl Decrement the TTL by the given value.

--ttl-inc ttl Increment the TTL by the given value.

He apparently did it by IP address.
But there's another way:

owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given effective user id.

--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.

--pid-owner processid
Matches if the packet was created by a process with the given process id.

--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
And with Iptables 1.2.5 you can even establish quotas per user.

Besides standard iptables functions, you can easily patch your kernel and add extra features.
Just download iptables, uncompress it, and run 'make patch-o-matic', provided you have a source tree in /usr/src/linux. Then you can choose wich patches to apply. The ones I'm using are:

The NETMAP patch:
Author: Svenning Soerensen
Status: Experimental

This adds CONFIG_IP_NF_TARGET_NETMAP option, which provides a target for the nat table. It creates a static 1:1 mapping of the network address, while keeping host addresses intact. It can be applied to the PREROUTING chain to alter the destination of incoming connections, to the POSTROUTING chain to alter the source of outgoing connections, or both (with separate rules).


Examples:

iptables -t nat -A PREROUTING -d 1.2.3.0/24 -j NETMAP --to 5.6.7.0/24
iptables -t nat -A POSTROUTING -s 5.6.7.0/24 -j NETMAP --to 1.2.3.0/24

---

The TTL patch:
Author: Harald Welte
Status: Stable, needs new checksum handling
This adds CONFIG_IP_NF_TARGET_TTL option, which enables the user to set the TTL value of an IP packet or to increment / decrement it by a given value.

---

The iplimit patch:
Author: Gerd Knorr
Status: ItWorksForMe[tm]

This adds CONFIG_IP_NF_MATCH_IPLIMIT match allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).

Examples:

# allow 2 telnet connections per client host iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT

# you can also match the other way around: iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT

# limit the nr of parallel http requests to 16 per class C sized # network (24 bit netmask) iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 --iplimit-mask 24 -j REJECT

---

The random patch:
Author: Fabrice MARIE
Status: Works For Me.

This option adds CONFIG_IP_NF_MATCH_RANDOM, which allow you to match packets randomly following a given probability.

Suppported options are:

[--average] percent will match randomly packets with a probability of 'percent' default is 50%

---

The string patch:
Author: Emmanuel Roger
Status: Working, not with kernel 2.4.9
This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to match a string in a whole packet.

---
and iptables 1.2.5 , wich I haven't compiled yet, so cannot tell for sure, has something that seems to be awesome... New quota match to have fixed IP quotas

Why is that so hard?

gus

kernel.org has rsync access. Why not just use that?

I've used rsync to update consecutive kernel versions and found the difference data transfered to be comparable to the bz2 patches.

rsync is convienient and easily automated.

In short, no need to reinvent the wheel. :) For those interested, can read more about the rsync algorithm here.