IPFilter 5 and compiled access lists
I've been back to FreeBSD lately, and am using FreeBSD 10 RC2.
I noticed an option to compile access lists into the kernel module for ipfilter. I got it to work, but thought I'd note down how ...
firstly, the kernel config doesn't know an option for compiling access lists, so add this to your kernel config instead
makeoptions CFLAGS+=-DIPFILTER_COMPILED
or you could add it to /etc/make.conf
now, take your ruleset in a file and create ip_rules.c and ip_rules.h by running
/sbin/ipf -n -cc -f <filename>
copy both files into
/usr/src/sys/contrib/ipfilter/netinet
edit ip_rules.c and take out the NetBSD if statement by deleting
#if (__NetBSD_Version__ >= 399000000)
#else
then, if you have both in and out rules, there is a bug in the generation of ip_rules.c; work around it by adding
frentry_t *ipf_rules_out_[1] = {
(frentry_t *)&out_rule__0
};
and adjust the [1] to the number of out rules you have.
then compile the kernel as normal and install it, load the module, and you should see something like this in dmesg
IP Filter: v5.1.2 initialized. Default = pass all, Logging = enabled (COMPILED)