conf/125901: Documentation of LIBALIAS/IPFIREWALL in kernel config needed
Jeff Kletsky
freebsd at wagsky.com
Wed Jul 23 14:50:04 UTC 2008
>Number: 125901
>Category: conf
>Synopsis: Documentation of LIBALIAS/IPFIREWALL in kernel config needed
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 23 14:50:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Jeff Kletsky
>Release: 7.0-RELEASE-p2
>Organization:
>Environment:
FreeBSD port4.pn.wagsky.com 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #0: Wed Jun 18 07:33:20 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The need to enable the LIBALIAS kernel configuration parameter when certain IPFW configuration options are enabled should be called out in the
>How-To-Repeat:
0) Install 7.0-RELEASE with source, apply patches with freebsd-update to 7.0-RELEASE-p2
1) Create a new kernel conf file to enable various NAT options for IPFW
=======================================================================
[root@port4 /usr/src]# cat /usr/src/sys/i386/conf/FWNAT
include GENERIC
ident FWNAT
# jmk -- 20080723
# $FreeBSD: src/sys/conf/NOTES,v 1.1454 2007/09/26 21:14:17 marius Exp $
#
# NOTES -- Lines that can be cut/pasted into kernel and hints configs.
#
# Lines that begin with 'device', 'options', 'machine', 'ident', 'maxusers',
# 'makeoptions', 'hints', etc. go into the kernel configuration that you
# run config(8) with.
#
# Lines that begin with 'hint.' are NOT for config(8), they go into your
# hints file. See /boot/device.hints and/or the 'hints' config(8) directive.
#
# Please use ``make LINT'' to create an old-style LINT file if you want to
# do kernel test-builds.
#
# This file contains machine independent kernel configuration notes. For
# machine dependent notes, look in /sys/<arch>/conf/NOTES.
#
# [...]
#
# Internet family options:
#
# MROUTING enables the kernel multicast packet forwarder, which works
# with mrouted and XORP.
#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program. IPFIREWALL_VERBOSE sends
# logged packets to the system logger. IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING: IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT. It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything. Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines. However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you. Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''. It
# depends on IPFIREWALL if compiled into the kernel.
#
# IPFIREWALL_FORWARD enables changing of the packet destination either
# to do some sort of policy routing or transparent proxying. Used by
# ``ipfw forward''. All redirections apply to locally generated
# packets too. Because of this great care is required when
# crafting the ruleset.
#
# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
# LIBALIAS. To build an ipfw kld with nat support enabled, add
# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG enables code which keeps traces of the TCP state machine
# for sockets with the SO_DEBUG option set, which can then be examined
# using the trpt(8) utility.
#
#options MROUTING # Multicast routing
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
#options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
options IPFIREWALL_NAT #ipfw kernel nat support
options IPDIVERT #divert sockets
#options IPFILTER #ipfilter support
#options IPFILTER_LOG #ipfilter logging
#options IPFILTER_LOOKUP #ipfilter pools
#options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPSTEALTH #support for stealth forwarding
#options TCPDEBUG
# The MBUF_STRESS_TEST option enables options which create
# various random failures / extreme cases related to mbuf
# functions. See mbuf(9) for a list of available test cases.
#options MBUF_STRESS_TEST
# Statically Link in accept filters
#options ACCEPT_FILTER_DATA
#options ACCEPT_FILTER_HTTP
# TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
# This requires the use of 'device crypto', 'options IPSEC'
# or 'device cryptodev'.
#options TCP_SIGNATURE #include support for RFC 2385
# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
# as well. See dummynet(4) and ipfw(8) for more info. When you run
# DUMMYNET it is advisable to also have "options HZ=1000" to achieve a
# smoother scheduling of the traffic.
options DUMMYNET
# Zero copy sockets support. This enables "zero copy" for sending and
# receiving data via a socket. The send side works for any type of NIC,
# the receive side only works for NICs that support MTUs greater than the
# page size of your architecture and that support header splitting. See
# zero_copy(9) for more details.
#options ZERO_COPY_SOCKETS
# [...]
2) Compile and note that the kernel does not link
=================================================
[root@port4 /usr/src]# make buildkernel KERNCONF=FWNAT
[...]
linking kernel.debug
ip_fw2.o(.text+0x2a4): In function `del_redir_spool_cfg':
/usr/src/sys/netinet/ip_fw2.c:2154: undefined reference to `LibAliasRedirectDelete'
ip_fw2.o(.text+0x1d27): In function `ipfw_destroy':
/usr/src/sys/netinet/ip_fw2.c:5037: undefined reference to `LibAliasUninit'
ip_fw2.o(.text+0x35df): In function `ipfw_ctl':
/usr/src/sys/netinet/ip_fw2.c:4684: undefined reference to `LibAliasInit'
ip_fw2.o(.text+0x3711):/usr/src/sys/netinet/ip_fw2.c:4711: undefined reference to `LibAliasSetMode'
ip_fw2.o(.text+0x3729):/usr/src/sys/netinet/ip_fw2.c:4712: undefined reference to `LibAliasSetAddress'
ip_fw2.o(.text+0x383e):/usr/src/sys/netinet/ip_fw2.c:2190: undefined reference to `LibAliasRedirectAddr'
ip_fw2.o(.text+0x38e0):/usr/src/sys/netinet/ip_fw2.c:2199: undefined reference to `LibAliasRedirectPort'
ip_fw2.o(.text+0x3942):/usr/src/sys/netinet/ip_fw2.c:2210: undefined reference to `LibAliasRedirectProto'
ip_fw2.o(.text+0x39fe):/usr/src/sys/netinet/ip_fw2.c:2226: undefined reference to `LibAliasAddServer'
ip_fw2.o(.text+0x3c6e):/usr/src/sys/netinet/ip_fw2.c:4746: undefined reference to `LibAliasUninit'
ip_fw2.o(.text+0x41fd): In function `ifaddr_change':
/usr/src/sys/netinet/ip_fw2.c:2085: undefined reference to `LibAliasSetAddress'
ip_fw2.o(.text+0x7f55): In function `ipfw_chk':
/usr/src/sys/netinet/ip_fw2.c:3502: undefined reference to `m_megapullup'
ip_fw2.o(.text+0x7fbd):/usr/src/sys/netinet/ip_fw2.c:3566: undefined reference to `LibAliasIn'
ip_fw2.o(.text+0x7fdc):/usr/src/sys/netinet/ip_fw2.c:3569: undefined reference to `LibAliasOut'
*** Error code 1
Stop in /usr/obj/usr/src/sys/FWNAT.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
>Fix:
Suggest documentation in
# $FreeBSD: src/sys/conf/NOTES,v 1.1454 2007/09/26 21:14:17 marius Exp $
indicating that the LIBALIAS option is needed for IPFIREWALL_NAT (and/or whichever options cause it to be needed)
Apparently run across by others:
<http://lists.freebsd.org/pipermail/freebsd-stable/2007-October/037712.html>
<http://lists.freebsd.org/pipermail/freebsd-current/2006-December/068350.html>
>Release-Note:
>Audit-Trail:
>Unformatted:
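The failure above only shows up at the very end of buildkernel, when ip_fw2.o is linked and the LibAlias* symbols (and m_megapullup, which also lives in libalias) are missing because the FWNAT config enables IPFIREWALL_NAT without "options LIBALIAS". The following is an added example, not part of the PR and not FreeBSD project code: a small POSIX sh lint that reads a kernel config file, ignores commented-out lines, and reports options that are enabled without the option they depend on, so the mistake is caught before the build is started. The dependency table is taken from the NOTES text quoted in the PR (IPFIREWALL_NAT needs LIBALIAS, IPDIVERT and DUMMYNET need IPFIREWALL). The function names, the kernconf-lint name and the sample config are assumptions of this example; the sample reproduces the relevant lines of the PR's FWNAT file. The script does not follow "include" directives, so options pulled in from GENERIC are not seen.

```sh
#!/bin/sh
# kernconf-lint: hypothetical dependency check for FreeBSD kernel config
# files (added example; not from the PR or the FreeBSD source tree).
# Each entry is OPTION:REQUIRED_OPTION, from the NOTES comments quoted in
# the PR: IPFIREWALL_NAT requires LIBALIAS; IPDIVERT and DUMMYNET require
# IPFIREWALL. Extend the table if NOTES documents further dependencies.
KERNCONF_DEPS="IPFIREWALL_NAT:LIBALIAS IPDIVERT:IPFIREWALL DUMMYNET:IPFIREWALL"

# enabled_options FILE: print the names of 'options' and 'device' lines
# that are really enabled, i.e. not behind a leading '#'. Trailing
# comments and '=value' suffixes (e.g. IPFIREWALL_VERBOSE_LIMIT=100) are
# stripped. 'include' lines are not followed.
enabled_options() {
    sed -e 's/#.*$//' "$1" |
        awk '$1 == "options" || $1 == "device" { sub(/=.*/, "", $2); print $2 }'
}

# has_opt NAME LIST: succeed if NAME is one of the whitespace-separated
# words in LIST.
has_opt() {
    for o in $2; do
        [ "$o" = "$1" ] && return 0
    done
    return 1
}

# check_kernconf FILE: print one line per enabled option whose required
# option is missing; return 1 if anything was reported, 0 otherwise.
check_kernconf() {
    opts=$(enabled_options "$1")
    rc=0
    for dep in $KERNCONF_DEPS; do
        opt=${dep%%:*}
        needs=${dep#*:}
        if has_opt "$opt" "$opts" && ! has_opt "$needs" "$opts"; then
            echo "$1: options $opt requires options $needs"
            rc=1
        fi
    done
    return $rc
}

# write_sample FILE: constructed sample, the relevant lines of the PR's
# FWNAT config (LIBALIAS deliberately absent, as in the report).
write_sample() {
    cat > "$1" <<'EOF'
include GENERIC
ident FWNAT
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
#options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_FORWARD #packet destination changes
options IPFIREWALL_NAT #ipfw kernel nat support
options IPDIVERT #divert sockets
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
EOF
}

# Demonstration: lint the sample as posted, then again with the fix the
# PR asks to have documented.
sample=$(mktemp)
write_sample "$sample"
check_kernconf "$sample" || echo "fix: add 'options LIBALIAS' to $sample"
echo 'options LIBALIAS' >> "$sample"
check_kernconf "$sample" && echo "$sample: ok"
rm -f "$sample"
```

Run it as "sh kernconf-lint.sh" or call check_kernconf /usr/src/sys/i386/conf/FWNAT from another script; a non-zero exit status makes it usable as a guard in front of "make buildkernel KERNCONF=FWNAT". For this PR the reported line is the one the linker errors point at, and adding "options LIBALIAS" to FWNAT clears it.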