List: ipfilter
Subject: NetBSD kernel compilation with ipfilter
From: sc () mail ! dotcom ! fr
Date: 2000-06-27 9:44:23
Hi all,
On a NetBSD-1.4.2/sparc box, I couldn't patch the kernel source code; I
don't know anything about C programming. Could somebody help?
The current ipfilter version in the NetBSD-1.4.2 distribution is:
ipf: IP Filter: v3.3.6 (192)
Kernel: IP Filter: v3.3.6
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: unavailable
Active list: 0
I would like somebody to confirm how to change the default policy to block all (in
the Makefile?) and enable logging (options IPFILTER_LOG in the kernel config).
Thanks a lot
-=-=-=-
root@odyssee /<3>ip_fil3.4.6/NetBSD# ./kinstall
Installing ip_fil.c ip_fil.h ip_nat.c ip_nat.h ip_frag.c ip_frag.h ip_state.c \
ip_state.h fil.c ip_compat.h ip_proxy.c ip_proxy.h ip_ftp_pxy.c ip_rcmd_pxy.c \
ip_auth.c ip_auth.h ip_log.c Patching ip_input.c, ip_output.c and in_proto.c ...
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
> *** /sys/netinet/ip_input.c.orig Sat Oct 14 12:51:10 1995
> --- /sys/netinet/ip_input.c Tue Feb 18 21:32:33 1997
--------------------------
Patching file ip_input.c using Plan A...
Hunk #1 failed at 80.
Hunk #2 succeeded at 345 with fuzz 2 (offset 125 lines).
1 out of 2 hunks failed--saving rejects to ip_input.c.rej
Hmm... The next patch looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
> *** /sys/netinet/ip_output.c.orig Sat Oct 14 12:51:15 1995
> --- /sys/netinet/ip_output.c Tue Feb 18 21:36:10 1997
--------------------------
Patching file ip_output.c using Plan A...
Hunk #1 succeeded at 104 (offset 44 lines).
Hunk #2 failed at 325.
1 out of 2 hunks failed--saving rejects to ip_output.c.rej
done
root@odyssee /sys/netinet# cat ip_output.c.rej
***************
*** 321,326 ****
m->m_flags &= ~M_BCAST;
sendit:
/*
* If small enough for interface, can just send directly.
*/
--- 325,342 ----
m->m_flags &= ~M_BCAST;
sendit:
+ #if defined(IPFILTER) || defined(IPFILTER_LKM)
+ /*
+ * looks like most checking has been done now...do a filter check
+ */
+ if (fr_checkp) {
+ struct mbuf *m1 = m;
+
+ if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
+ goto done;
+ ip = mtod(m = m1, struct ip *);
+ }
+ #endif
/*
* If small enough for interface, can just send directly.
*/
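Review bot: in the block added after `sendit:`, `ip` is reloaded from `m1` once the filter hook returns, but `hlen` keeps the value computed before the call; if the hook can hand back a different mbuf (the reason `&m1` is passed by address), the header length should be recomputed from the new `ip` as well. The assignment buried in `mtod(m = m1, struct ip *)` would also be easier to audit as a separate `m = m1;` statement, and a short comment should say who owns the mbuf when the hook returns an error with `m1` still non-NULL, since the `goto done` path shown here does not free it.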
root@odyssee /sys/netinet# cat ip_input.c.rej
***************
*** 80,85 ****
int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddrhead in_ifaddr;
struct ifqueue ipintrq;
/*
* We need to save the IP options in case a protocol wants to respond
--- 80,89 ----
int ipqmaxlen = IFQ_MAXLEN;
struct in_ifaddrhead in_ifaddr;
struct ifqueue ipintrq;
+ #if defined(IPFILTER_LKM) || defined(IPFILTER)
+ int fr_check __P((struct ip *, int, struct ifnet *, int, struct mbuf *));
+ int (*fr_checkp) __P((struct ip *, int, struct ifnet *, int, struct mbuf **));
+ #endif
/*
* We need to save the IP options in case a protocol wants to respond
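Review bot: in the added declarations, the `fr_check` prototype takes `struct mbuf *` as its last argument while the `fr_checkp` pointer on the next line takes `struct mbuf **`, and the ip_output.c hunk calls the hook with `&m1`. The prototype should be changed to `struct mbuf **` so that assigning `fr_check` to `fr_checkp` does not rely on mismatched function types.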
--
"Society often forgives the criminal;
it never forgives the dreamer."
Oscar Wilde