How to add IMQ patch to Ubuntu 10.04 Lucid Lynx

Those of you, who are having problems adding IMQ support to recent Ubuntu/Debian release, might consider this blog entry useful

I will not discuss what IMQ is and wheater is it good or bad – I will describe how to prepare kernel, iptables packages and how to deploy them to our Debian/Ubuntu system including taking care of making them immune to accidential system upgrade packages replacement.

Kernel package with IMQ support

Before we start – we need few packages that will might be required:

sudo aptitude install fakeroot build-essential kernel-package ncurses-dev

Now we are ready to start: first, we need our current kernel with distro patches. For desktop instance I would use -generic instead of -server:

apt-get source linux-image-2.6.32-22-server

Now, we download imq patch, apply it and compile kernel:

wget http://linuximq.net/patchs/linux-2.6.32-imq-test2.diff

cd linux-2.6.32/

patch -p1 < ../linux-2.6.32-imq-test2.diff

fakeroot time make-kpkg --initrd --append_to_version=imq linux-image

During the compilation process, make-kpkg script will discover unanswered features that we need to check as modules:

  "IMQ" target support (NETFILTER_XT_TARGET_IMQ) [N/m/?] (NEW) m

  IMQ (intermediate queueing device) support (IMQ) [M/y/?] (NEW) M

    IMQ behavior (PRE/POSTROUTING)

      1. IMQ AA (IMQ_BEHAVIOR_AA) (NEW)

    > 2. IMQ AB (IMQ_BEHAVIOR_AB) (NEW)

      3. IMQ BA (IMQ_BEHAVIOR_BA) (NEW)

      4. IMQ BB (IMQ_BEHAVIOR_BB) (NEW)

    choice[1-4?]: 2

    Number of IMQ devices (IMQ_NUM_DEVS) [16] (NEW)

Finally... in parent directory we will find:

linux-image-2.6.32.11+drm33.2imq_2.6.32.11+drm33.2imq-10.00.Custom_i386.deb

If everything went fine and our package is present - we can clean up compiled object files that will not be required anymore, recovering few GB of hard disk space:

./debian/rules clean

in case You forget to generate initrd file, it always might be generated by hand:

sudo -i

cd /boot/

mkinitramfs-kpkg -o initrd.img-2.6.32.11+drm33.2imq 2.6.32.11+drm33.2imq

update-grub

Iptables package with IMQ support

First, the patch - there is no iptables-1.4.4 imq patch available on linuximq.net I'm afraid. I have used iptables-1.4.6-imq patch and fixed it to compile with iptables-1.4.4.

Original patch can be found here.

Changes:

diff -Naurw iptables-1.4.6-imq.diff iptables-1.4.4-imq.diff
--- iptables-1.4.6-imq.diff	2010-01-27 11:53:22.000000000 +0100
+++ iptables-1.4.4-imq.diff	2010-05-08 13:18:21.000000000 +0200
@@ -43,7 +43,7 @@
 +
 +	switch(c) {
 +	case '1':
-+		if (xtables_check_inverse(optarg, &invert, NULL, 0, argv))
++		if (xtables_check_inverse(optarg, &invert, 0, argv))
 +			xtables_error(PARAMETER_PROBLEM,
 +				   "Unexpected `!' after --todev");
 +		mr->todev=atoi(optarg);

Ready to use patch can be downloaded from here using command below:

wget http://nme.pl/pub/patches/iptables-1.4.4-imq.diff

Ok, now since we got patch ready, we can download iptables sources and compile our deb package:

apt-get source iptables

cd iptables-1.4.4

cp ../iptables-1.4.4-imq.diff debian/patch/1009-iptables-1.4.4-imq.diff
echo "1009-iptables-1.4.4-imq.diff" >>debian/patch/series

patch -p0 < ../iptables-1.4.4-imq.diff

Following will be required:

sudo aptitude install debhelper quilt autoconf automake linuxdoc-tools libtool

dpkg-buildpackage -rfakeroot -uc -b

In case You are recompiling for some reason, one of the distro patches might fail - in this case edit debian/patches/series using Your favourite editor and comment out the following patch:

0902-docs-version-reference.diff    ->    #0902-docs-version-reference.diff

Operation above might be archived by in place edition of debian/patch/series using command below:

sed -i 's/^0902/#0902/' debian/patch/series

When compilation ends, You should get two packages in parent directory: iptables and iptables-dev.

Installation & freezing our changes

Now we can install our packages:

dpkg -i *.deb

It will install following packages:

iptables_1.4.4-2ubuntu2_i386.deb
linux-image-2.6.32.11+drm33.2imq_2.6.32.11+drm33.2imq-10.00.Custom_i386.deb
iptables-dev_1.4.4-2ubuntu2_i386.deb

You might also consider holding packages to be sure that they will not be replaced during standard regular-basis upgrade:

aptitude hold linux-image iptables iptables-dev

IMQ development, status and replacement discussion

It is not true that recent IMQ patches are not stable as I have read on some web pages. Since Jussi joined the IMQ team, problems I have had with 2.6.18-24 kernels have gone to past.

Kernel 2.6.28.9 with iptables 1.4.0 works perfectly stable taking care of huge loads of network traffic. I think that current patch described above will work the same (im making before-production tests currently and it seems to work fine).

On the other hand - IFB - which is meant as replacement for IMQ - as for me - it does not offer the same functionality for bridge environment I need... Of course - I might be mistaken. Thats why - if anyone of You have replaced IMQ with IFB for bridge devices with ingress and egress traffic shaping - I'm very interested in the solution.