Date:      Fri, 25 Jan 2008 09:08:39 -0800
From:      Jeremy Chadwick <koitsu@FreeBSD.org>
To:        Gavin Spomer <spomerg@cwu.EDU>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: How does /dev/pf get created?
Message-ID:  <20080125170839.GA39659@eos.sc1.parodius.com>
In-Reply-To: <4799A3240200009000013010@hermes.cwu.edu>
References:  <4799A3240200009000013010@hermes.cwu.edu>

On Fri, Jan 25, 2008 at 08:51:48AM -0800, Gavin Spomer wrote:
>    Okay, well it's obvious that the modules aren't getting loaded, even
>    though (as I said in my original email) I have the correct lines in
>    /etc/rc.conf. I ran kldstat and only got:
> 
>       Id Refs Address    Size     Name
>        1    8 0xc0400000 44c4e0   kernel
>        2    1 0xc084d000 2364     accf_http.ko
>        3    1 0xc0850000 59f20    acpi.ko
>        4    1 0xc881d000 16000    linux.ko
>        5    1 0xc8833000 4000     sysvshm.ko

Hmm.  Your /etc/rc.conf looks right for loading pf as a kernel module.
I don't see anything wrong with that.

However, your kernel configuration shows that you have "device pf" in
the kernel.  The /etc/rc.d/pf script is supposed to figure out if
you have pf built-in or not (and if not, kldload it).

What do you get if you do `kldload -v pf'?

The only other recommendation I have would be to change your setup
in the following way:

1) Remove the following lines from your kernel configuration:

device pf
device pflog
device pfsync
options ALTQ

And replace them with just these:

# pf altq support
options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing
options         ALTQ_RED        # Random Early Drop
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required for SMP build
options         ALTQ_DEBUG

2) Remove pf-related lines from /etc/rc.conf and use these instead:

pf_enable="yes"
pflog_enable="yes"

3) Rebuild your kernel and reboot; remove the KERNCONF=xxx stuff if you
went ahead and added the KERNCONF=xxx line to /etc/make.conf.

cd /usr/src
make buildkernel KERNCONF=whatever
make installkernel KERNCONF=whatever
reboot

4) See if pf loads after that.

I'm left thinking there's some bizarre situation where since you have
the "device pf" (and related stuff) in your kernel config hard-coded,
the rc.d/pf script isn't properly initialising pf.

I can assure you that the above steps described are *exactly* what we
use on our RELENG_6 production systems with pf, and we've never run into
any trouble.

Also, one unrelated thing: I'd recommend removing the Apache-related
line you have in /boot/loader.conf.  This should be done during startup
of httpd via /usr/local/etc/rc.d/*httpd* using rc.conf variables.  Add
this to your /etc/rc.conf and that's all you should need:

apache22_http_accept_enable="yes"

Otherwise, I've seen many systems where Apache, upon being shut down and
then started up again, complains that it can't load the Accept filter.

-- 
| Jeremy Chadwick                                    jdc at parodius.com |
| Parodius Networking                           http://www.parodius.com/ |
| UNIX Systems Administrator                      Mountain View, CA, USA |
| Making life hard for others since 1977.                  PGP: 4BD6C0CB |

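The message above says the /etc/rc.d/pf script is supposed to work out whether pf is built into the kernel or needs a kldload, and recommends dropping the "device pf"/"device pflog"/"device pfsync" lines from the kernel config. The following shell script is an added example, not part of the original message or of FreeBSD's own rc.d/pf: it performs that same built-in-versus-module check, reports whether /dev/pf actually exists, and lists the kernel-config lines the post recommends removing. `kldstat -q -m` and `kldload -v` are real FreeBSD flags; the KLDSTAT, KLDLOAD and PF_DEV variables and the function names are assumptions introduced here so the logic can be exercised on a host without those tools.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD's rc.d/pf).
# Command names are overridable so the decision logic can be run on a
# non-FreeBSD host; the defaults are the real FreeBSD tools.
: "${KLDSTAT:=kldstat}"
: "${KLDLOAD:=kldload}"
: "${PF_DEV:=/dev/pf}"

# Exit 0 if the pf module is linked into the running kernel, whether it was
# compiled in with "device pf" or kldload'ed. "kldstat -q -m pf" is silent
# and only reports through its exit status.
pf_in_kernel() {
    "$KLDSTAT" -q -m pf
}

# Load pf only when it is not already present. A kernel built with
# "device pf" already has the module, and a second kldload would fail.
pf_ensure_loaded() {
    if pf_in_kernel; then
        return 0
    fi
    "$KLDLOAD" -v pf || return 1
    pf_in_kernel
}

# Print the kernel-config lines that duplicate what the pf module provides
# (the post suggests removing these and keeping only the ALTQ options).
# $1: path to the kernel configuration file.
kernconf_pf_lines() {
    grep -E '^[[:space:]]*device[[:space:]]+(pf|pflog|pfsync)([[:space:]]|$)' "$1"
}

# Overall diagnosis, as an exit status:
#   0  pf is in the kernel and the device node exists
#   1  pf is in the kernel but the device node is missing (devfs problem)
#   2  pf is neither compiled in nor loaded
pf_diagnose() {
    if ! pf_in_kernel; then
        echo "pf is neither compiled in nor loaded; try: kldload -v pf" >&2
        return 2
    fi
    if [ ! -c "$PF_DEV" ]; then
        echo "pf is in the kernel but $PF_DEV is missing; check devfs" >&2
        return 1
    fi
    echo "pf is in the kernel and $PF_DEV exists"
    return 0
}

# Stand-alone usage on a FreeBSD box: diagnose, then try to load if needed.
# Pass a kernel config path as $1 to also list the redundant device lines.
if [ "${0##*/}" = "pfcheck.sh" ]; then
    pf_diagnose || pf_ensure_loaded
    [ -n "$1" ] && kernconf_pf_lines "$1"
fi
```

On a FreeBSD host the script is meant to be saved as pfcheck.sh and run as root; exit status 2 after `pf_ensure_loaded` means kldload itself failed, which points at the kernel and module being out of sync rather than at rc.conf. Note that /dev/pf is created by devfs when the pf module attaches, so with pf in the kernel and no device node the place to look is devfs rules, not rc.conf.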
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080125170839.GA39659>