Showing posts from January, 2014

IPFilter 5 and compiled access lists

I've been back to FreeBSD lately, using FreeBSD 10 RC2. I noticed an option to compile access lists into the kernel module for IPFilter. I got it to work, but thought I'd note down how.

Firstly, the kernel config doesn't know an option for compiling access lists, so add this to the kernel config instead:

    makeoptions     CFLAGS+=-DIPFILTER_COMPILED

(or you could add it to /etc/make.conf).

Now take your ruleset in a file and create ip_rules.c and ip_rules.h by doing this:

    /sbin/ipf -n -cc -f <filename>

Copy them into /usr/src/sys/contrib/ipfilter/netinet.

Edit ip_rules.c and take out the if statement for NetBSD by deleting these lines:

    #if (__NetBSD_Version__ >= 399000000)
    #else

Then, if you have both in and out rules, there is a bug in generating ip_rules.c; work around it by adding

    frentry_t *ipf_rules_out_[1] = {
            (frentry_t *)&out_rule__0
    };

and adjust [1] to the number of rules you have.

Then compile the kernel as normal and install i
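Added helper script (not from the original post): it scans the generated ip_rules.c for the out_rule__N symbols and prints the ipf_rules_out_[] array that the post says the generator omits, so the array size does not have to be adjusted by hand. The sample ip_rules.c contents are constructed for illustration; only the out_rule__N symbol names and the ipf_rules_out_ array name are taken from the post.

```shell
#!/bin/sh
# Helper for the ipf -n -cc workaround described above (added example).
# Assumption: the generated ip_rules.c names its out rules out_rule__0,
# out_rule__1, ... exactly as the post shows.

# Constructed stand-in for a generated ip_rules.c; the real file's layout
# differs, only the out_rule__N names matter here.
sample_rules_c() {
    cat <<'EOF'
/* constructed sample: one in rule, two out rules */
static frentry_t in_rule__0 = { 0 };
static frentry_t out_rule__0 = { 0 };   /* out_rule__0 referenced twice */
static frentry_t out_rule__1 = { 0 };
frentry_t *ipf_rules_in_[1] = { (frentry_t *)&in_rule__0 };
EOF
}

# Print the ipf_rules_out_[] array for every distinct out_rule__N found in $1.
# Returns 1 (prints nothing) when the file has no out rules at all.
gen_out_rules_array() {
    file="$1"
    # Distinct rule numbers in numeric order; grep -o exists in GNU and BSD grep.
    nums=$(grep -o 'out_rule__[0-9]*' "$file" | sed 's/^out_rule__//' | sort -n -u)
    count=$(( $(printf '%s\n' "$nums" | sed '/^$/d' | wc -l) ))
    [ "$count" -gt 0 ] || return 1
    printf 'frentry_t *ipf_rules_out_[%s] = {\n' "$count"
    i=0
    for n in $nums; do
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then
            printf '        (frentry_t *)&out_rule__%s,\n' "$n"
        else
            printf '        (frentry_t *)&out_rule__%s\n' "$n"
        fi
    done
    printf '};\n'
}

# Usage against the constructed sample; point it at the real ip_rules.c instead.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_rules_c > "$tmp"
    gen_out_rules_array "$tmp"
    rm -f "$tmp"
fi
```

Append the printed array to ip_rules.c after the rule definitions; the count and the trailing-comma handling follow the post's one-rule form.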