svn commit: r225793 - in head/sys: modules/ipfw netinet/ipfw

Wed Nov 2 15:18:11 UTC 2011

On Wed, 2 Nov 2011, Sergey Kandaurov wrote:

> On 2 November 2011 16:53, Bjoern A. Zeeb <bz at freebsd.org> wrote:
>> On Wed, 2 Nov 2011, Sergey Kandaurov wrote:
>>
>>> On 27 September 2011 17:27, Bjoern A. Zeeb <bz at freebsd.org> wrote:
>>>>
>>>> Author: bz
>>>> Date: Tue Sep 27 13:27:17 2011
>>>> New Revision: 225793
>>>> URL: http://svn.freebsd.org/changeset/base/225793
>>>>
>>>> Log:
>>>>  Unbreak no-ip and no-inet6 module builds with ipfw.  For now continue to
>>>>  build the ip_fw_pfil.c hooks and ipfw even in case of no-ip under the
>>>>  assumption that the private L2 hook (which hopefully eventually will be
>>>> a
>>>>  pfil hook as well) can still be useful.
>>>>
>>>>  Allow building the module without inet as well.
>>>>
>>>>  Glanced at by:        jhb
>>>>  MFC after:    3 days
>>>>
>>>> Modified:
>>>>  head/sys/modules/ipfw/Makefile
>>>>  head/sys/netinet/ipfw/ip_fw_pfil.c
>>>>
>>>> Modified: head/sys/modules/ipfw/Makefile
>>>>
>>>> ==============================================================================
>>>> --- head/sys/modules/ipfw/Makefile      Tue Sep 27 13:20:41 2011
>>>>  (r225792)
>>>> +++ head/sys/modules/ipfw/Makefile      Tue Sep 27 13:27:17 2011
>>>>  (r225793)
>>>> @@ -8,7 +8,7 @@ KMOD=   ipfw
>>>>  SRCS=  ip_fw2.c ip_fw_pfil.c
>>>>  SRCS+= ip_fw_dynamic.c ip_fw_log.c
>>>>  SRCS+= ip_fw_sockopt.c ip_fw_table.c
>>>> -SRCS+= opt_inet6.h opt_ipfw.h opt_ipsec.h
>>>> +SRCS+= opt_inet.h opt_inet6.h opt_ipfw.h opt_ipsec.h
>>>>
>>>>  CFLAGS+= -DIPFIREWALL
>>>>  CFLAGS+= -I${.CURDIR}/../../contrib/pf
>>>> @@ -22,6 +22,10 @@ CFLAGS+= -I${.CURDIR}/../../contrib/pf
>>>>  #
>>>>
>>>>  .if !defined(KERNBUILDDIR)
>>>> +.if ${MK_INET_SUPPORT} != "no"
>>>> +opt_inet.h:
>>>> +       echo "#define INET 1" > ${.TARGET}
>>>> +.endif
>>>>  .if ${MK_INET6_SUPPORT} != "no"
>>>>  opt_inet6.h:
>>>>        echo "#define INET6 1" > ${.TARGET}
>>>>
>>>> Modified: head/sys/netinet/ipfw/ip_fw_pfil.c
>>>>
>>>> ==============================================================================
>>>> --- head/sys/netinet/ipfw/ip_fw_pfil.c  Tue Sep 27 13:20:41 2011
>>>>  (r225792)
>>>> +++ head/sys/netinet/ipfw/ip_fw_pfil.c  Tue Sep 27 13:27:17 2011
>>>>  (r225793)
>>>> @@ -31,11 +31,11 @@ __FBSDID("$FreeBSD$");
>>>>  #if !defined(KLD_MODULE)
>>>>  #include "opt_ipdn.h"
>>>>  #include "opt_inet.h"
>>>> +#include "opt_inet6.h"
>>>>  #ifndef INET
>>>>  #error IPFIREWALL requires INET.
>>>>  #endif /* INET */
>>>>  #endif /* KLD_MODULE */
>>>> -#include "opt_inet6.h"
>>>
>>> Hello.
>>>
>>> This chunk seems to stop building inet6 part of ipfw.ko w/ INET6 enabled
>>> kernel.
>>>
>>> Found by /etc/rc.d/ipfw restart:
>>> [...]
>>> /etc/rc.d/ipfw: WARNING: failed to enable IPv6 firewall
>>>
>>> i.e. sysctl net.inet6.ip6.fw.enable doesn't present.
>>>
>>> Reversion of this hunk fixed the problem.
>>> NO_INET[46] lints aren't tested though.
>>
>>
>> Just to double-check -- this only happens for you if you build and
>> use the module, not when you link it into the kernel?
>>
>> As in that case I do have:
>> lion3#  sysctl net.inet6.ip6.fw.enable net.inet6.ip6.fw.enable: 1
>
> ipfw is built and installed as a module as part of make kernel target.

Can you try to see if this fixes the problem?
http://people.freebsd.org/~bz/20111102-01-ipfw-kld.diff

Please not that in the module case we'd most likely also built out
some INET parts, not just INET6 once -- silently.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
          Stop bit received. Insert coin for new address family.