Date: Wed, 23 Jul 2008 14:44:21 GMT
From: Jeff Kletsky <freebsd@wagsky.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/125901: Documentation of LIBALIAS/IPFIREWALL in kernel config needed
Message-ID: <200807231444.m6NEiL5w077241@www.freebsd.org>
Resent-Message-ID: <200807231450.m6NEo4Rj083298@freefall.freebsd.org>
>Number:         125901
>Category:       conf
>Synopsis:       Documentation of LIBALIAS/IPFIREWALL in kernel config needed
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 23 14:50:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jeff Kletsky
>Release:        7.0-RELEASE-p2
>Organization:
>Environment:
FreeBSD port4.pn.wagsky.com 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #0: Wed Jun 18 07:33:20 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The need to enable the LIBALIAS kernel configuration parameter when certain IPFW configuration options are enabled should be called out in the
>How-To-Repeat:
0) Install 7.0-RELEASE with source, apply patches with freebsd-update to 7.0-RELEASE-p2

1) Create a new kernel conf file to enable various NAT options for IPFW
=======================================================================

[root@port4 /usr/src]# cat /usr/src/sys/i386/conf/FWNAT
include GENERIC
ident FWNAT

# jmk -- 20080723

# $FreeBSD: src/sys/conf/NOTES,v 1.1454 2007/09/26 21:14:17 marius Exp $
#
# NOTES -- Lines that can be cut/pasted into kernel and hints configs.
#
# Lines that begin with 'device', 'options', 'machine', 'ident', 'maxusers',
# 'makeoptions', 'hints', etc. go into the kernel configuration that you
# run config(8) with.
#
# Lines that begin with 'hint.' are NOT for config(8), they go into your
# hints file. See /boot/device.hints and/or the 'hints' config(8) directive.
#
# Please use ``make LINT'' to create an old-style LINT file if you want to
# do kernel test-builds.
#
# This file contains machine independent kernel configuration notes. For
# machine dependent notes, look in /sys/<arch>/conf/NOTES.
#
# [...]
#
# Internet family options:
#
# MROUTING enables the kernel multicast packet forwarder, which works
# with mrouted and XORP.
#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything. Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines. However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you. Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''. It
# depends on IPFIREWALL if compiled into the kernel.
#
# IPFIREWALL_FORWARD enables changing of the packet destination either
# to do some sort of policy routing or transparent proxying. Used by
# ``ipfw forward''. All redirections apply to locally generated
# packets too. Because of this great care is required when
# crafting the ruleset.
#
# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
# LIBALIAS. To build an ipfw kld with nat support enabled, add
# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG enables code which keeps traces of the TCP state machine
# for sockets with the SO_DEBUG option set, which can then be examined
# using the trpt(8) utility.
#
#options MROUTING                       # Multicast routing
options IPFIREWALL                      #firewall
options IPFIREWALL_VERBOSE              #enable logging to syslogd(8)
#options IPFIREWALL_VERBOSE_LIMIT=100   #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT   #allow everything by default
options IPFIREWALL_FORWARD              #packet destination changes
options IPFIREWALL_NAT                  #ipfw kernel nat support
options IPDIVERT                        #divert sockets
#options IPFILTER                       #ipfilter support
#options IPFILTER_LOG                   #ipfilter logging
#options IPFILTER_LOOKUP                #ipfilter pools
#options IPFILTER_DEFAULT_BLOCK         #block all packets by default
options IPSTEALTH                       #support for stealth forwarding
#options TCPDEBUG

# The MBUF_STRESS_TEST option enables options which create
# various random failures / extreme cases related to mbuf
# functions. See mbuf(9) for a list of available test cases.
#options MBUF_STRESS_TEST

# Statically Link in accept filters
#options ACCEPT_FILTER_DATA
#options ACCEPT_FILTER_HTTP

# TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
# This requires the use of 'device crypto', 'options IPSEC'
# or 'device cryptodev'.
#options TCP_SIGNATURE                  #include support for RFC 2385

# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
# as well. See dummynet(4) and ipfw(8) for more info. When you run
# DUMMYNET it is advisable to also have "options HZ=1000" to achieve a
# smoother scheduling of the traffic.
options DUMMYNET

# Zero copy sockets support. This enables "zero copy" for sending and
# receiving data via a socket. The send side works for any type of NIC,
# the receive side only works for NICs that support MTUs greater than the
# page size of your architecture and that support header splitting. See
# zero_copy(9) for more details.
#options ZERO_COPY_SOCKETS

# [...]

2) Compile and note that the kernel does not link
=================================================

[root@port4 /usr/src]# make buildkernel KERNCONF=FWNAT
[...]
linking kernel.debug
ip_fw2.o(.text+0x2a4): In function `del_redir_spool_cfg':
/usr/src/sys/netinet/ip_fw2.c:2154: undefined reference to `LibAliasRedirectDelete'
ip_fw2.o(.text+0x1d27): In function `ipfw_destroy':
/usr/src/sys/netinet/ip_fw2.c:5037: undefined reference to `LibAliasUninit'
ip_fw2.o(.text+0x35df): In function `ipfw_ctl':
/usr/src/sys/netinet/ip_fw2.c:4684: undefined reference to `LibAliasInit'
ip_fw2.o(.text+0x3711):/usr/src/sys/netinet/ip_fw2.c:4711: undefined reference to `LibAliasSetMode'
ip_fw2.o(.text+0x3729):/usr/src/sys/netinet/ip_fw2.c:4712: undefined reference to `LibAliasSetAddress'
ip_fw2.o(.text+0x383e):/usr/src/sys/netinet/ip_fw2.c:2190: undefined reference to `LibAliasRedirectAddr'
ip_fw2.o(.text+0x38e0):/usr/src/sys/netinet/ip_fw2.c:2199: undefined reference to `LibAliasRedirectPort'
ip_fw2.o(.text+0x3942):/usr/src/sys/netinet/ip_fw2.c:2210: undefined reference to `LibAliasRedirectProto'
ip_fw2.o(.text+0x39fe):/usr/src/sys/netinet/ip_fw2.c:2226: undefined reference to `LibAliasAddServer'
ip_fw2.o(.text+0x3c6e):/usr/src/sys/netinet/ip_fw2.c:4746: undefined reference to `LibAliasUninit'
ip_fw2.o(.text+0x41fd): In function `ifaddr_change':
/usr/src/sys/netinet/ip_fw2.c:2085: undefined reference to `LibAliasSetAddress'
ip_fw2.o(.text+0x7f55): In function `ipfw_chk':
/usr/src/sys/netinet/ip_fw2.c:3502: undefined reference to `m_megapullup'
ip_fw2.o(.text+0x7fbd):/usr/src/sys/netinet/ip_fw2.c:3566: undefined reference to `LibAliasIn'
ip_fw2.o(.text+0x7fdc):/usr/src/sys/netinet/ip_fw2.c:3569: undefined reference to `LibAliasOut'
*** Error code 1

Stop in /usr/obj/usr/src/sys/FWNAT.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
>Fix:
Suggest documentation in

# $FreeBSD: src/sys/conf/NOTES,v 1.1454 2007/09/26 21:14:17 marius Exp $

indicating that the LIBALIAS option is needed for IPFIREWALL_NAT (and/or whichever options cause it to be needed).

Apparently run across by others:

<http://lists.freebsd.org/pipermail/freebsd-stable/2007-October/037712.html>
<http://lists.freebsd.org/pipermail/freebsd-current/2006-December/068350.html>
>Release-Note:
>Audit-Trail:
>Unformatted:
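The dependencies the quoted NOTES text states (IPFIREWALL_NAT requires LIBALIAS; IPDIVERT and DUMMYNET need IPFIREWALL) can be checked against a kernel config file before `make buildkernel` is run, so the mistake surfaces at configuration time rather than as the undefined `LibAlias*` references above at link time. The script below is an added example written for this page; it is not part of the PR, of FreeBSD's NOTES, or of config(8). The function names, the sample directory and the two sample config files are this example's own constructions (the "broken" one mirrors the option set the PR describes), and it inspects only the file it is given without following `include` lines.

```shell
#!/bin/sh
# Added example (not from the PR or from FreeBSD): check a kernel config
# file for the option dependencies the quoted NOTES text states, so the
# failure surfaces at config time instead of as undefined LibAlias*
# references at link time. Function and file names are this example's own.
# Limitation: only the named file is inspected; 'include' lines are not
# followed.

# has_option FILE NAME: succeed if FILE enables "options NAME" (or NAME=value)
# on a line that is not commented out.
has_option() {
    # sed drops '#' and everything after it, so "#options FOO" becomes an
    # empty line and trailing comments such as "#firewall" are ignored.
    sed 's/#.*//' "$1" |
        grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)"
}

# check_kernconf FILE: print one line per unmet dependency; exit status 1 if
# any dependency is unmet, 0 if the file is consistent.
check_kernconf() {
    conf=$1
    rc=0
    # OPTION:REQUIRED pairs, each taken from the NOTES comments quoted above.
    for pair in IPFIREWALL_NAT:LIBALIAS IPDIVERT:IPFIREWALL DUMMYNET:IPFIREWALL; do
        opt=${pair%%:*}
        need=${pair##*:}
        if has_option "$conf" "$opt" && ! has_option "$conf" "$need"; then
            echo "$conf: options $opt requires options $need"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs (not the PR author's file): one that mirrors
# the failing FWNAT option set, and one with LIBALIAS added.
SAMPLE_DIR=${TMPDIR:-/tmp}/kernconf-check.$$
write_sample_confs() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/fwnat_broken.conf" <<'EOF'
include GENERIC
ident FWNAT
options IPFIREWALL              #firewall
options IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
#options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_NAT          #ipfw kernel nat support
options IPDIVERT                #divert sockets
options DUMMYNET
#options LIBALIAS               # commented out: the kernel will not link
EOF
    cat > "$SAMPLE_DIR/fwnat_fixed.conf" <<'EOF'
include GENERIC
ident FWNAT
options IPFIREWALL
options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options IPFIREWALL_NAT
options LIBALIAS                #required by IPFIREWALL_NAT
options IPDIVERT
options DUMMYNET
EOF
}

# Stand-alone run: report on both constructed samples.
write_sample_confs
for f in "$SAMPLE_DIR/fwnat_broken.conf" "$SAMPLE_DIR/fwnat_fixed.conf"; do
    if check_kernconf "$f"; then
        echo "$f: option dependencies satisfied"
    fi
done
```

On the broken sample the check prints a single line naming IPFIREWALL_NAT and LIBALIAS, since IPFIREWALL itself is present and so satisfies IPDIVERT and DUMMYNET; on the fixed sample it prints nothing and exits 0. Commented-out options and `NAME=value` forms are handled by stripping comments first and matching the option name only when it is followed by whitespace, `=` or end of line.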
