--- kernel-2.6.spec 2006-05-22 04:54:08.000000000 +1000
+++ kernel-firewall.spec 2006-05-30 02:07:59.000000000 +1000
@@ -3,15 +3,20 @@
 # What parts do we want to build? We must build at least one kernel.
 # These are the kernels that are built IF the architecture allows it.
-%define buildup 1
-%define buildsmp 1
+%define buildup 0
+%define buildsmp 0
 # Whether to apply the Xen patches, leave this enabled.
 %define includexen 1
 # Whether to build the Xen kernels, disable if you want.
 %define buildxen 1
 %define buildxenPAE 0
 %define builddoc 0
-%define buildkdump 1
+%define buildkdump 0
+%define buildprepom 0
+
+%define iptables_version 1.3.5
+%define patchomatic_version 20060529
+%define openswan_version 2.4.5
 # Versions of various parts
@@ -153,6 +158,9 @@
 #
 %define kernel_prereq fileutils, module-init-tools, initscripts >= 8.11.1-1, mkinitrd >= 4.2.21-1
+%define KERNEL_PATH ${RPM_BUILD_DIR}/%{name}-%{version}/linux-%{kversion}
+%define IPTABLES_PATH ${RPM_BUILD_DIR}/%{name}-%{version}/iptables-%{iptables_version}
+
 Name: kernel
 Group: System Environment/Kernel
 License: GPLv2
@@ -211,6 +219,10 @@
 Source41: kernel-%{kversion}-x86_64-xen0.config
 Source42: kernel-%{kversion}-x86_64-xenU.config
+Source100: http://www.netfilter.org/files/iptables-%{iptables_version}.tar.bz2
+Source101: http://ftp.netfilter.org/pub/path-o-matic-ng/snapshot/patch-o-matic-ng-%{patchomatic_version}.tar.bz2
+
+
 #
 # Patches 0 through 100 are meant for core subsystem upgrades
 #
@@ -432,6 +444,9 @@
 # Xen hypervisor patches
 Patch20000: xen-sched-sedf.patch
+# Firewall stuff
+Patch90000: http://www.openswan.org/download/openswan-%{openswan_version}.kernel-2.6-natt.patch.gz
+Patch90001: http://www.openswan.org/download/openswan-%{openswan_version}.kernel-2.6-klips.patch.gz
 # END OF PATCH DEFINITIONS
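Review bot: The three new version defines (`iptables_version`, `patchomatic_version`, `openswan_version`) carry no comment, while every neighbouring define in this block is explained, and `patchomatic_version 20060529` is a date-stamped snapshot rather than a release, which a reader would not guess from the value. A comment such as `# Versions of the firewall components; keep in step with Source100/Source101 and Patch90000/Patch90001` above `%define iptables_version` would document the coupling with the Source and Patch lines added in the later hunks.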
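Review bot: `KERNEL_PATH` and `IPTABLES_PATH` embed the shell variable `${RPM_BUILD_DIR}`, so the macros only expand to a usable path when referenced inside a shell scriptlet; the %prep uses further down work, but the macros will silently produce a literal `${RPM_BUILD_DIR}` if anyone references them in a tag or macro context. rpm's own `%{_builddir}` macro names the same directory and expands anywhere, e.g. `%define KERNEL_PATH %{_builddir}/%{name}-%{version}/linux-%{kversion}`. The upper-case names also depart from the lower-case convention of the other defines in this spec (`buildup`, `includexen`, `kernel_prereq`).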
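Review bot: The directory component `path-o-matic-ng` in the Source101 URL does not match the tarball name `patch-o-matic-ng-%{patchomatic_version}.tar.bz2` on the same line; this looks like a typo and is worth checking against the mirror, `Source101: http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-%{patchomatic_version}.tar.bz2`. Beyond the URL, nothing in the spec records what was actually fetched: both tarballs are referenced over plain http and the patch-o-matic one is a daily snapshot, so a comment holding the checksums of the tarballs checked into SOURCES (or a pointer to upstream's signature files) would let a reviewer verify the inputs the kernel is patched from. The two extra blank lines after Source101 are noise.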
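Review bot: `Patch90001` (the OpenSWAN klips patch) is declared here but its application in %prep is commented out (`#%patch90001 -p1`, in the hunk at -1093), so the definition is dead and a reader of this section will assume KLIPS is patched in. Either drop the definition or replace the bare `# Firewall stuff` comment with one stating the intent, e.g. `# OpenSWAN: only the NAT-T patch is applied; KLIPS (Patch90001) is declared but disabled, see %prep`. As with the Source lines, the patches are referenced by URL only, with no recorded checksum of the files in SOURCES.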
@@ -1093,8 +1108,70 @@
 %patch10001 -p1
+# Firewall stuff - OpenSWAN
+%patch90000 -p1
+#%patch90001 -p1
+
 # END OF PATCH APPLICATIONS
+
+# Firewall stuff
+%if %{buildprepom}
+cp -R %{KERNEL_PATH}.%{_target_cpu} ${RPM_BUILD_DIR}/%{name}-%{version}/linux-prepom-%{kversion}.%{_target_cpu}
+%endif
+
+# iptables source
+%setup -q -n %{name}-%{version} -c -a 100 -T -D
+
+# patch-o-matic
+%setup -q -n %{name}-%{version} -c -a 101 -T -D
+
+
+echo -n We are in
+echo `pwd`
+
+cd patch-o-matic-ng-%{patchomatic_version}
+sed -i -e 's/head\ -1/head\ -n\ 1/' runme
+
+pushd patchlets
+
+# mainline
+
+# base
+rm -rf IPV4OPTSSTRIP
+rm -rf connlimit
+rm -rf set
+rm -rf iprange
+rm -rf u32
+
+# extra
+rm -rf IPMARK
+rm -rf ROUTE
+rm -rf TARPIT
+rm -rf conntrack_nonat
+rm -rf directx8-conntrack-nat
+rm -rf eggdrop-conntrack
+#rm -rf ipv4options
+rm -rf layer2-hooks
+rm -rf msnp-conntrack-nat
+rm -rf quake3-conntrack-nat
+rm -rf rpc
+rm -rf rsh
+rm -rf talk-conntrack-nat
+
+# Why oh why won't you work...
+rm -rf rtsp-conntrack
+
+popd
+
+# patches of the base repository or do apply well or are already applied
+./runme --batch --kernel-path=%{KERNEL_PATH}.%{_target_cpu} --iptables-path=%{IPTABLES_PATH} extra
+
+cd %{KERNEL_PATH}.%{_target_cpu}
+
+# End firewall stuff
+
+
 cp %{SOURCE10} Documentation/
 mkdir configs
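Review bot: The set of kernel patches applied by `./runme --batch ... extra` is "everything in the extra repository of this snapshot minus the patchlets deleted above", so any patchlet upstream adds to a later snapshot is applied to the kernel silently, and the deletions grouped under `# base` (plus the dead `#rm -rf ipv4options`) presumably do not affect that run at all, since only `extra` is named. An explicit allow-list — runme accepts individual patchlet names in place of a repository name, if I recall the tool correctly — would make the applied patch set reviewable and stable across snapshots; at minimum the resulting list should be documented next to the `./runme` line. The comment `# patches of the base repository or do apply well or are already applied` reads garbled; if the meaning is what it appears to be, `# Only the 'extra' repository is applied; the base patchlets either no longer apply cleanly or are already in this kernel` would say it. The `echo -n We are in` and `echo \`pwd\`` lines look like leftover debugging output. The enclosing %prep section begins and ends outside the hunk.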