netbsd-users: Re: problems with pf

Subject: Re: problems with pf
To: None <netbsd-users@netbsd.org>
From: Peter Postma <peter@pointless.nl>
List: netbsd-users
Date: 12/26/2005 17:39:00
On Mon, Dec 26, 2005 at 11:29:49AM -0500, George Georgalis wrote:
> Congratulations on 3.0, to all involved!
> 
> I am having a problem with pf however.
> 
> tiva# pfctl -e -f /etc/pf.conf
> No ALTQ support in kernel
> ALTQ related functions disabled
> pfctl: DIOCADDRULE: Operation not supported by device
> 
> my understanding is DIOCADDRULE is caused by kernel and kernel
> source mismatch when building /usr/pkgsrc/security/pflkm which
> is odd since this is a netbsd-3 GENERIC (with fresh /usr/src) +
> pkgsrc-2005Q3. Here are all the meticulous details because I'm
> not sure that I'm doing this right.
> 

The GENERIC kernels does not enable pf by default. You should either load
pf as LKM (modload /usr/lkm/pf.o) or add pf to your kernel config and
rebuild your kernel. On 3.0, you should not need pflkm from pkgsrc because
it's included in base now.

> I was able to build pflkm and load the module okay, so I decided
> to build a pf enabled kernel to resolve the problem. I've tried
> a modified GENERIC adjustkernel, and then a minimal adjusted
> GENERIC, here's the diff
> 
> tiva# diff GENERIC TIVA.pf                                                                     
> 198c198
> < #options      ALTQ            # Manipulate network interfaces' output queues
> ---
> > options       ALTQ            # Manipulate network interfaces' output queues
> 200c200
> < #options      ALTQ_CBQ        # Class-Based Queueing
> ---
> > options       ALTQ_CBQ        # Class-Based Queueing
> 1260,1262c1260,1262
> < #options      BRIDGE_IPF              # bridge uses IP/IPv6 pfil hooks too
> < #pseudo-device        pf                      # PF packet filter
> < #pseudo-device        pflog                   # PF log if
> ---
> > options       BRIDGE_IPF              # bridge uses IP/IPv6 pfil hooks too
> > pseudo-device pf                      # PF packet filter
> > pseudo-device pflog                   # PF log if
> 
> with a clean compile directory, I do:
> 
> tiva# config TIVA.pf
> tiva# cd ../compile/TIVA.pf/ && make depend
> tiva# make
> 
> and, every time, that errors with:
> 
[snip]
> 
> Have I not included an important kernel option?
> 

No, you've added too much options ;-)
pf currently does not compile with the ALTQ options, because pf uses a
different ALTQ. There are currently two solutions: load pf as LKM and
compile the old ALTQ into the kernel, or apply my ALTQ patches[1] to the
kernel.

[1] http://nedbsd.nl/~ppostma/pf/altq.html

-- 
Peter Postma