conf/125901: Documentation of LIBALIAS/IPFIREWALL in kernel config needed

Jeff Kletsky freebsd at wagsky.com
Wed Jul 23 14:50:04 UTC 2008


>Number:         125901
>Category:       conf
>Synopsis:       Documentation of LIBALIAS/IPFIREWALL in kernel config needed
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 23 14:50:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jeff Kletsky
>Release:        7.0-RELEASE-p2
>Organization:
>Environment:
FreeBSD port4.pn.wagsky.com 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #0: Wed Jun 18 07:33:20 UTC 2008     root at i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
The need to enable the LIBALIAS kernel configuration parameter when certain IPFW configuration options are enabled should be called out in the 
>How-To-Repeat:
0) Install 7.0-RELEASE with source, apply patches with freebsd-update to 7.0-RELEASE-p2

1) Create a new kernel conf file to enable various NAT options for IPFW
=======================================================================

[root at port4 /usr/src]# cat /usr/src/sys/i386/conf/FWNAT 
include         GENERIC
ident           FWNAT

# jmk -- 20080723

# $FreeBSD: src/sys/conf/NOTES,v 1.1454 2007/09/26 21:14:17 marius Exp $
#
# NOTES -- Lines that can be cut/pasted into kernel and hints configs.
#
# Lines that begin with 'device', 'options', 'machine', 'ident', 'maxusers',
# 'makeoptions', 'hints', etc. go into the kernel configuration that you
# run config(8) with.
#
# Lines that begin with 'hint.' are NOT for config(8), they go into your
# hints file.  See /boot/device.hints and/or the 'hints' config(8) directive.
#
# Please use ``make LINT'' to create an old-style LINT file if you want to
# do kernel test-builds.
#
# This file contains machine independent kernel configuration notes.  For
# machine dependent notes, look in /sys/<arch>/conf/NOTES.
#

# [...]

#
# Internet family options:
#
# MROUTING enables the kernel multicast packet forwarder, which works
# with mrouted and XORP.
#
# IPFIREWALL enables support for IP firewall construction, in
# conjunction with the `ipfw' program.  IPFIREWALL_VERBOSE sends
# logged packets to the system logger.  IPFIREWALL_VERBOSE_LIMIT
# limits the number of times a matching entry can be logged.
#
# WARNING:  IPFIREWALL defaults to a policy of "deny ip from any to any"
# and if you do not add other rules during startup to allow access,
# YOU WILL LOCK YOURSELF OUT.  It is suggested that you set firewall_type=open
# in /etc/rc.conf when first enabling this feature, then refining the
# firewall rules in /etc/rc.firewall after you've tested that the new kernel
# feature works properly.
#
# IPFIREWALL_DEFAULT_TO_ACCEPT causes the default rule (at boot) to
# allow everything.  Use with care, if a cracker can crash your
# firewall machine, they can get to your protected machines.  However,
# if you are using it as an as-needed filter for specific problems as
# they arise, then this may be for you.  Changing the default to 'allow'
# means that you won't get stuck if the kernel and /sbin/ipfw binary get
# out of sync.
#
# IPDIVERT enables the divert IP sockets, used by ``ipfw divert''.  It
# depends on IPFIREWALL if compiled into the kernel.
#
# IPFIREWALL_FORWARD enables changing of the packet destination either
# to do some sort of policy routing or transparent proxying.  Used by
# ``ipfw forward''. All  redirections apply to locally generated
# packets too.  Because of this great care is required when
# crafting the ruleset.
#
# IPFIREWALL_NAT adds support for in kernel nat in ipfw, and it requires
# LIBALIAS. To build an ipfw kld with nat support enabled, add 
# "CFLAGS+= -DIPFIREWALL_NAT" to your make.conf.
#
# IPSTEALTH enables code to support stealth forwarding (i.e., forwarding
# packets without touching the TTL).  This can be useful to hide firewalls
# from traceroute and similar tools.
#
# TCPDEBUG enables code which keeps traces of the TCP state machine
# for sockets with the SO_DEBUG option set, which can then be examined
# using the trpt(8) utility.
#
#options        MROUTING                # Multicast routing
options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
#options        IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
#options        IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPFIREWALL_FORWARD      #packet destination changes
options         IPFIREWALL_NAT          #ipfw kernel nat support
options         IPDIVERT                #divert sockets
#options        IPFILTER                #ipfilter support
#options        IPFILTER_LOG            #ipfilter logging
#options        IPFILTER_LOOKUP         #ipfilter pools
#options        IPFILTER_DEFAULT_BLOCK  #block all packets by default
options         IPSTEALTH               #support for stealth forwarding
#options        TCPDEBUG

# The MBUF_STRESS_TEST option enables options which create
# various random failures / extreme cases related to mbuf
# functions.  See mbuf(9) for a list of available test cases.
#options        MBUF_STRESS_TEST

# Statically Link in accept filters
#options        ACCEPT_FILTER_DATA
#options        ACCEPT_FILTER_HTTP

# TCP_SIGNATURE adds support for RFC 2385 (TCP-MD5) digests. These are
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
# This requires the use of 'device crypto', 'options IPSEC'
# or 'device cryptodev'.
#options        TCP_SIGNATURE           #include support for RFC 2385

# DUMMYNET enables the "dummynet" bandwidth limiter.  You need IPFIREWALL
# as well.  See dummynet(4) and ipfw(8) for more info.  When you run
# DUMMYNET it is advisable to also have "options HZ=1000" to achieve a
# smoother scheduling of the traffic.
options         DUMMYNET

# Zero copy sockets support.  This enables "zero copy" for sending and
# receiving data via a socket.  The send side works for any type of NIC,
# the receive side only works for NICs that support MTUs greater than the
# page size of your architecture and that support header splitting.  See
# zero_copy(9) for more details.
#options        ZERO_COPY_SOCKETS

# [...]

2) Compile and note that the kernel does not link
=================================================

[root at port4 /usr/src]# make buildkernel KERNCONF=FWNAT

[...]

linking kernel.debug
ip_fw2.o(.text+0x2a4): In function `del_redir_spool_cfg':
/usr/src/sys/netinet/ip_fw2.c:2154: undefined reference to `LibAliasRedirectDelete'
ip_fw2.o(.text+0x1d27): In function `ipfw_destroy':
/usr/src/sys/netinet/ip_fw2.c:5037: undefined reference to `LibAliasUninit'
ip_fw2.o(.text+0x35df): In function `ipfw_ctl':
/usr/src/sys/netinet/ip_fw2.c:4684: undefined reference to `LibAliasInit'
ip_fw2.o(.text+0x3711):/usr/src/sys/netinet/ip_fw2.c:4711: undefined reference to `LibAliasSetMode'
ip_fw2.o(.text+0x3729):/usr/src/sys/netinet/ip_fw2.c:4712: undefined reference to `LibAliasSetAddress'
ip_fw2.o(.text+0x383e):/usr/src/sys/netinet/ip_fw2.c:2190: undefined reference to `LibAliasRedirectAddr'
ip_fw2.o(.text+0x38e0):/usr/src/sys/netinet/ip_fw2.c:2199: undefined reference to `LibAliasRedirectPort'
ip_fw2.o(.text+0x3942):/usr/src/sys/netinet/ip_fw2.c:2210: undefined reference to `LibAliasRedirectProto'
ip_fw2.o(.text+0x39fe):/usr/src/sys/netinet/ip_fw2.c:2226: undefined reference to `LibAliasAddServer'
ip_fw2.o(.text+0x3c6e):/usr/src/sys/netinet/ip_fw2.c:4746: undefined reference to `LibAliasUninit'
ip_fw2.o(.text+0x41fd): In function `ifaddr_change':
/usr/src/sys/netinet/ip_fw2.c:2085: undefined reference to `LibAliasSetAddress'
ip_fw2.o(.text+0x7f55): In function `ipfw_chk':
/usr/src/sys/netinet/ip_fw2.c:3502: undefined reference to `m_megapullup'
ip_fw2.o(.text+0x7fbd):/usr/src/sys/netinet/ip_fw2.c:3566: undefined reference to `LibAliasIn'
ip_fw2.o(.text+0x7fdc):/usr/src/sys/netinet/ip_fw2.c:3569: undefined reference to `LibAliasOut'
*** Error code 1

Stop in /usr/obj/usr/src/sys/FWNAT.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

>Fix:
Suggest documentation in 
# $FreeBSD: src/sys/conf/NOTES,v 1.1454 2007/09/26 21:14:17 marius Exp $

indicating that the LIBALIAS option is needed for IPFIREWALL_NAT (and/or whichever options cause it to be needed)

Apparently run across by others:

<http://lists.freebsd.org/pipermail/freebsd-stable/2007-October/037712.html>
<http://lists.freebsd.org/pipermail/freebsd-current/2006-December/068350.html>

>Release-Note:
>Audit-Trail:
>Unformatted:
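
Added example (not part of the report above and not FreeBSD code): the linker output in step 2 lists only libalias symbols (LibAliasInit, LibAliasIn, LibAliasOut, ..., m_megapullup), which is the signature of an IPFIREWALL_NAT kernel built without `options LIBALIAS`, exactly the dependency the quoted NOTES paragraph mentions. The script below checks a kernel config for that combination before config(8) and `make buildkernel` are run, and can insert the missing line. Function names, the temp-file prefix and the sample config in demo() are this example's own; the sample mirrors the FWNAT option set from the report but is constructed here.

```sh
#!/bin/sh
# Example pre-build lint for the IPFIREWALL_NAT -> LIBALIAS dependency.
# Not from the PR or the FreeBSD tree; all names are this example's own.

# has_opt FILE NAME: succeed if FILE has an active 'options NAME' line.
# 'options NAME=value' counts; a commented-out '#options NAME' does not.
has_opt() {
    grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)" "$1"
}

# check_nat_deps FILE: return 1 (with a message on stderr) when FILE
# enables IPFIREWALL_NAT without LIBALIAS, 0 otherwise.
# Limitation: only FILE is read; configs pulled in via 'include' are not
# followed, so a LIBALIAS line living in an included file is not seen.
check_nat_deps() {
    if has_opt "$1" IPFIREWALL_NAT && ! has_opt "$1" LIBALIAS; then
        echo "$1: IPFIREWALL_NAT set without LIBALIAS; kernel will not link" >&2
        return 1
    fi
    return 0
}

# fix_nat_deps FILE: insert 'options LIBALIAS' directly after the
# IPFIREWALL_NAT line when it is missing; no change if already present.
# The rewrite goes through a temp file and back via cat so FILE keeps its mode.
fix_nat_deps() {
    if check_nat_deps "$1" 2>/dev/null; then
        return 0
    fi
    _out=$(mktemp "${TMPDIR:-/tmp}/ipfwlint.XXXXXX") || return 1
    awk '{ print }
         /^[ \t]*options[ \t]+IPFIREWALL_NAT([ \t]|$)/ {
             print "options\t\tLIBALIAS\t\t#required by IPFIREWALL_NAT"
         }' "$1" > "$_out" && cat "$_out" > "$1" && rm -f "$_out"
}

# demo: a constructed copy of the report's FWNAT option set (not the real
# file) run through the check, repaired, and checked again.
# Returns 0 when the repaired config passes; 2 or 3 on an unexpected result.
demo() {
    _cfg=$(mktemp "${TMPDIR:-/tmp}/ipfwlint.XXXXXX") || return 1
    cat > "$_cfg" <<'EOF'
include		GENERIC
ident		FWNAT
options		IPFIREWALL		#firewall
options		IPFIREWALL_VERBOSE	#enable logging to syslogd(8)
options		IPFIREWALL_FORWARD	#packet destination changes
options		IPFIREWALL_NAT		#ipfw kernel nat support
options		IPDIVERT		#divert sockets
#options	LIBALIAS		#commented out, so it must not count
options		DUMMYNET
EOF
    if check_nat_deps "$_cfg" 2>/dev/null; then
        rm -f "$_cfg"; return 2        # should have been rejected
    fi
    if ! fix_nat_deps "$_cfg"; then
        rm -f "$_cfg"; return 3
    fi
    check_nat_deps "$_cfg"; _rc=$?
    rm -f "$_cfg"
    return $_rc
}
```

To use it on a real config, source the file and run `check_nat_deps /usr/src/sys/i386/conf/FWNAT` (or `fix_nat_deps` to add the line); because `include` is not followed, run it against the file that actually carries the IPFIREWALL_NAT line. The regex deliberately accepts only uncommented `options` lines, since a `#options LIBALIAS` left over from NOTES is the easiest way to believe the dependency is satisfied when it is not.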

