
List:       ipfilter
Subject:    NetBSD kernel compilation with ipfilter
From:       sc () mail ! dotcom ! fr
Date:       2000-06-27 9:44:23


	Hi all,

	On a NetBSD-1.4.2/sparc box, I couldn't patch the kernel source code; I
don't know anything about C programming. Could somebody help?

	The current ipfilter version in the NetBSD-1.4.2 distribution is:
ipf: IP Filter: v3.3.6 (192)
Kernel: IP Filter: v3.3.6               
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: unavailable
Active list: 0



	I would like somebody to confirm how to change the default policy to block all (in
the Makefile?) and enable logging (options         IPFILTER_LOG in kernel config).

	Thanks a lot

-=-=-=-

root@odyssee /<3>ip_fil3.4.6/NetBSD# ./kinstall 
Installing ip_fil.c ip_fil.h ip_nat.c ip_nat.h ip_frag.c ip_frag.h ip_state.c \
ip_state.h fil.c ip_compat.h ip_proxy.c ip_proxy.h ip_ftp_pxy.c ip_rcmd_pxy.c \
ip_auth.c ip_auth.h ip_log.c  Patching ip_input.c, ip_output.c and in_proto.c ...
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
> *** /sys/netinet/ip_input.c.orig       Sat Oct 14 12:51:10 1995
> --- /sys/netinet/ip_input.c    Tue Feb 18 21:32:33 1997
--------------------------
Patching file ip_input.c using Plan A...
Hunk #1 failed at 80.
Hunk #2 succeeded at 345 with fuzz 2 (offset 125 lines).
1 out of 2 hunks failed--saving rejects to ip_input.c.rej
Hmm...  The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
> *** /sys/netinet/ip_output.c.orig      Sat Oct 14 12:51:15 1995
> --- /sys/netinet/ip_output.c   Tue Feb 18 21:36:10 1997
--------------------------
Patching file ip_output.c using Plan A...
Hunk #1 succeeded at 104 (offset 44 lines).
Hunk #2 failed at 325.
1 out of 2 hunks failed--saving rejects to ip_output.c.rej
done







root@odyssee /sys/netinet# cat ip_output.c.rej
***************
*** 321,326 ****
                m->m_flags &= ~M_BCAST;
  
  sendit:
        /*
         * If small enough for interface, can just send directly.
         */
--- 325,342 ----
                m->m_flags &= ~M_BCAST;
  
  sendit:
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+       /*
+        * looks like most checking has been done now...do a filter check
+        */
+       if (fr_checkp) {
+               struct mbuf *m1 = m;
+ 
+               if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+                       goto done;
+               ip = mtod(m = m1, struct ip *);
+       }
+ #endif
        /*
         * If small enough for interface, can just send directly.
         */
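Review bot: In the block added after `sendit:`, the `|| !m1` case reaches `goto done` with `error` still 0, so a packet the filter has taken over is reported to the caller as sent successfully; if that is intended, the comment should say so. The comment should also state what the literal `1` in `(*fr_checkp)(ip, hlen, ifp, 1, &m1)` means, or the call should use a named constant, and note that `ip` is refreshed from the returned mbuf while `hlen` is not.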






root@odyssee /sys/netinet# cat ip_input.c.rej
***************
*** 80,85 ****
  int   ipqmaxlen = IFQ_MAXLEN;
  struct        in_ifaddrhead in_ifaddr;
  struct        ifqueue ipintrq;
  
  /*
   * We need to save the IP options in case a protocol wants to respond
--- 80,89 ----
  int   ipqmaxlen = IFQ_MAXLEN;
  struct        in_ifaddrhead in_ifaddr;
  struct        ifqueue ipintrq;
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ int   fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf *));
+ int   (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
  
  /*
   * We need to save the IP options in case a protocol wants to respond
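Review bot: The two declarations added inside the `#if defined(IPFILTER_LKM) || defined(IPFILTER)` block disagree on the last parameter: `fr_check` is prototyped with `struct mbuf *` while `fr_checkp` takes `struct mbuf **`, and the ip_output.c hunk calls through the pointer with `&m1`. Change the `fr_check` prototype to `struct mbuf **` so the function and the pointer it is meant to be reached through have the same type.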



-- 
"Society often forgives the criminal;
 it never forgives the dreamer."
 Oscar Wilde

