Date: Fri, 25 Jan 2008 08:12:15 -0800
From: Jeremy Chadwick
To: Gavin Spomer
Cc: freebsd-pf@freebsd.org
Subject: Re: How does /dev/pf get created?

On Fri, Jan 25, 2008 at 07:43:54AM -0800, Gavin Spomer wrote:
> I only have 3 lines in my /etc/make.conf: a comment and 2 lines about what perl to use.
> Is NO_PF=YES the default if not specified?

NO_PF in /etc/make.conf (RELENG_6), or WITHOUT_PF in /etc/src.conf
(RELENG_7) will simply disable building pf-related utilities in the base
system (e.g. pfctl and others). It should not affect what
features/capabilities your kernel configuration specifies.

> In that case adding NO_PF=NO and then building may work.

No, this will not work.
NO_xxx variables do not check the actual value of the assignment;
NO_PF=HEHEHE would be the same thing as NO_PF=true. The same goes for
src.conf as described above.

> I did it via the command line:
> make buildkernel KERNCONF=MACHINEHOSTNAME
> make installkernel KERNCONT=MACHINEHOSTNAME

Your installkernel line is incorrect. KERNCONT != KERNCONF.

Also, consider simply placing KERNCONF=WHATEVER in /etc/make.conf, then
you won't have to remember to specify the variable on the command-line
when building/installing kernels.

> Shouldn't having "device pf" in MACHINEHOSTNAME file and building provide /dev/pf?

Yes and no. The /dev/pf device is created on-the-fly when the pf module
is loaded by the kernel. It is not a device that's made during build
time or via any other means.

A missing /dev/pf (as claimed by your pfctl) seems to indicate you do
not have the pf module loaded into the kernel (either as a module loaded
via kldload, or built-in to the kernel via 'device pf').

On none of our production machines do we have "device pf" in our kernel
configs. Instead, we rely on the following /etc/rc.conf variable to
kldload the pf kernel module during boot:

    pf_enable="yes"

If you want pflog support, you will also need the following line:

    pflog_enable="yes"

Drivers being loaded This can be verified by doing `kldstat' and seeing
the module(s) loaded as so:

    # kldstat
    Id Refs Address    Size     Name
     1    6 0xc0400000 3f5b50   kernel
     2    1 0xc07f6000 64340    acpi.ko
     4    2 0xc81b5000 2e000    pf.ko
     6    1 0xcaf50000 3000     pflog.ko

> I have such a vanilla installation of FreeBSD, it's hard for me to see where I went wrong. I seem to have all the
> components of pf except /dev/pf. I have /sbin/pfctl, /etc/pf.conf, /boot/kernel/pf.ko, /boot/kernel/pflog.ko and the
> appropriate stuff I mentioned in /etc/rc.conf and probably others as well. I just don't have /dev/pf. How does this get
> created?

It would help if you could provide:

* Output of uname -a on the machine which doesn't have /dev/pf
* Output of kldstat
* Your /etc/rc.conf
* Your /boot/loader.conf
* Your /etc/make.conf
* Your kernel configuration file

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
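
The checks discussed in this message, as an added example that is not part of the original post: a shell sketch that takes saved kldstat output, rc.conf text and kernel config text and reports why /dev/pf would be missing. The function names and sample inputs are hypothetical/constructed, and the accepted "yes" values (yes/true/on/1) are an assumption about how rc.subr evaluates rc.conf variables.

```shell
#!/bin/sh
# Added example. Inputs are text, so it can be run on saved output from the
# affected machine. All function names here are hypothetical.

# kld_loaded MODULE KLDSTAT_TEXT: true if the Name column lists MODULE.
kld_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$NF == m { f = 1 } END { exit !f }'
}

# kernel_has_pf KERNCONF_TEXT: true if an uncommented "device pf" line exists.
# This shows what was requested at build time, not which kernel is running.
kernel_has_pf() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '^[[:space:]]*device[[:space:]]+pf[[:space:]]*$'
}

# rc_enabled VAR RCCONF_TEXT: true if the last assignment of VAR is one of
# the values assumed to mean "yes" (yes/true/on/1, any case).
rc_enabled() {
    val=$(printf '%s\n' "$2" | sed 's/#.*//' |
        sed -n "s/^[[:space:]]*$1=//p" | tail -n 1 |
        tr -d "\"' \t" | tr 'A-Z' 'a-z')
    case "$val" in yes|true|on|1) return 0 ;; *) return 1 ;; esac
}

# diagnose DEV_PRESENT(yes|no) KLDSTAT_TEXT RCCONF_TEXT KERNCONF_TEXT
diagnose() {
    if kld_loaded pf.ko "$2" || kernel_has_pf "$4"; then
        if [ "$1" = yes ]; then echo ok; else echo pf-present-but-no-dev; fi
    elif rc_enabled pf_enable "$3"; then
        echo rc-enabled-but-not-loaded
    else
        echo not-loaded-and-rc-disabled
    fi
}

# Constructed sample: kldstat without pf.ko, pf_enable commented out,
# and a kernel config where only pflog is an active device line.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    6 0xc0400000 3f5b50   kernel
 2    1 0xc07f6000 64340    acpi.ko'
SAMPLE_RCCONF='hostname="example"
#pf_enable="yes"'
SAMPLE_KERNCONF='ident EXAMPLE
#device pf
device pflog'

diagnose no "$SAMPLE_KLDSTAT" "$SAMPLE_RCCONF" "$SAMPLE_KERNCONF"
```

On a live system the first argument can come from `[ -c /dev/pf ] && echo yes || echo no`, and the text arguments from `kldstat` and the files requested in the list above.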