From: Paul Mather
To: Wayne Pascoe
cc: freebsd-questions@freebsd.org
Subject: Re: IP Filter on FreeBSD 5.2.1
Date: Wed, 08 Sep 2004 02:43:21 -0400

On Wed, 2004-09-08 at 02:12, Wayne Pascoe wrote:
> On Tue, Sep 07, 2004 at 05:50:59PM -0400, Paul Mather wrote:
> > 20030925:
> >         Configuring a system to use IPFILTER now requires that PFIL_HOOKS
> >         also be explicitly configured.  Previously this dependency was
> >         magically handled through some cruft in net/pfil.h; but that has
> >         been removed.  Building a kernel with IPFILTER but not PFIL_HOOKS
> >         will fail with obtuse errors in ip_fil.c.
> >
> >
> > (It's a good idea to look in /usr/src/UPDATING before updating your
> > system.)
>
> Fair enough - to a point. I only look for things that apply to my
> system when reading UPDATING... things that have changed since my last
> update. In September 2003, I wouldn't have read the ipfilter related
> stuff, because I wasn't using ipfilter at that time.

But it's always a good rule of thumb that when faced with a kernel/world
build failure to go back and take a closer look through UPDATING for
something you might have missed.  It could be argued that this would
also apply if you were enabling a feature (or adding a piece of
hardware) not previously used before.

> I'm sure someone won't mind including a single line in a howto because
> that then turns it into a definitive reference, that doesn't require
> referencing two locations.

I believe I misunderstood your original posting.  I'd thought you were
going to apprise the FreeBSD developer responsible for ipfilter that
people should be told they needed the PFIL_HOOKS option.  From the
above, it appears it's the howto author that is the intended recipient.
Mea culpa!

The unfortunate thing about "definitive references," though, is that
when push comes to shove, UPDATING will take precedence.  In the case of
PFIL_HOOKS, it has vanished as an option under 6.0-CURRENT (though it
was present for a while, IIRC)...

Cheers,

Paul.
--
e-mail: paul@gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production
 deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa