At Wed, 8 Dec 2021 15:32:24 -0000, yancm%sdf.org@localhost wrote:
Subject: Re: backward compatibility: how far can it reasonably go?
>
>
> "Greg A. Woods" <woods%planix.ca@localhost> writes:

no, Greg Troxel wrote:

> > I am unclear if ipf has been removed by default from current.
> Even in NetBSD 9, ipf is not in the GENERIC kernel config.

Well I'm running in Xen domUs, so not GENERIC but XEN3_DOMU, and indeed I'm running all custom kernel builds.

> Was the kernel compiled to use ipf?

Clearly IPF is in the 9.99.81 kernel I booted, since its functions are visible in the backtrace of the crash :-)

If it were not compiled in, I think/hope it would not crash -- just the ipf tool would return an error and complain about something like ENXIO or maybe ENODEV.

So if IPF were the only problem I would try taking it out temporarily, but with ifconfig also useless, I'll probably try the upgrade from the dom0.

> e.g. add to kernel config:
> options IPFILTER_LOG # ipmon(8) log support
> options IPFILTER_LOOKUP # ippool(8) support
> options IPFILTER_COMPAT # Compat for IP-Filter
> pseudo-device ipfilter # IP filter (firewall) and NAT

Yes, all there (and BRIDGE_IPF as well, though I haven't used that feature yet, and it would likely only be needed in the dom0)

Indeed an identical kernel is already running IPF in another domU instance, but of course with the corresponding 9.99.81 userland. It works as well as ever -- I use it with blocklistd, as well as for basic firewalling (most of my systems are mostly on a private network with only one or two ports forwarded to them from the main firewall and so otherwise using the main FW's NAT for outgoing connections only).

--
Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC +1 250 762-7675 RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost> Avoncote Farms <woods%avoncote.ca@localhost>