ipfilter loading on 5.3

[Paul Mather]

On Mon, 8 Nov 2004 12:01:41 -0500, "dave" <dmehler26 at woh.rr.com> writes:

> Hello,
>     I believe i am having a configuration error. I've got a new 5.3
> box to
> which i'm atempting to get ipfilter going. I read the updated handbook
> and
> have added:
> 
> ipfilter_enable="YES"
> ipfilter_rules="/etc/ipf.rules"
> ipmon_enable="YES"
> ipmon_flags="-Dsvn"
> 
> to my rc.conf file. When i try to manually load up my rules file with:
> ipf -FA -f /etc/ipf.rules
>  i am getting an error "can not open no such device"
> I have not compiled anything for ipfilter in to the kernel as i had
> done
> previously i understood from the handbook that ipf was capable of
> being
> dynamically loaded and the rc.conf line would suffice.

I recently updated a system from 5.2.1 to 5.3 and had problems with
ipfilter (dynamically loading it, as you are above).  In my case, I
noticed this during boot, when ipfilter was being activated:

     link_elf: symbol in6_cksum undefined

The net effect was that the kernel module would not load, due to the
unresolved symbol.

In my case, I was using a custom kernel that lacked "options INET6". 
Re-building my kernel with that option added (i.e., with IPv6 support
enabled) fixed the problem and the ipfilter kernel module now works.

I'm guessing there's some kind of hidden dependency on IPv6 in 5.3 as
far as the ipfilter kernel module is concerned.  (This didn't seem to be
the case in 5.2.1, from what I remember.)

Cheers,

Paul.
-- 
e-mail: paul at gromit.dlib.vt.edu

"Without music to decorate it, time is just a bunch of boring production
 deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa