Port-arm archive


Re: No ipf in RPI2 evbarm 7.0.2 kernel?



On Thu, Jul 05, 2018 at 09:17:08AM +0300, Emilian Bold wrote:
> I now see in /var/log/messages this info:
> kern.module.path=/stand/evbarm/7.0/modules
> 
> I have no /stand/evbarm/7.0/modules folder.
> 
> I probably need modules.tgz from
> http://ftp.netbsd.org/pub/NetBSD/NetBSD-7.0.2/evbarm-earmv7hf/binary/sets/
> (considering uname gives me 7.0.2 NetBSD 7.0.2 (RPI2) #0: Mon Dec 19
> 22:31:19 UTC 2016  root@netbsd:/usr/obj/sys/arch/evbarm/compile/RPI2
> evbarm).
> 
> Except modules.tgz does not have any ip* module in there.
> 
> It seems 8.0RC2
> (http://ftp.netbsd.org/pub/NetBSD/NetBSD-8.0_RC2/evbarm-earmv7hf/binary/sets/
> ) does have /stand/evbarm/8.0/modules/ipl/ipl.kmod in there but not
> ipf. I've read that ipl is only for logging (so for ipmon) but not
> sure if ipf works without it or not.

I think what you are referring to here is "man ipl" which documents
the ipl(4) device.  The ipl *kernel module* (ipl.kmod) is the "full"
ipfilter module.  In other words, yes, that is the correct module (not
"ipf" as mentioned in my other mail), just that you need one built for
7.0.2.  Unfortunately that module was not yet included in netbsd-7.


> So... is it possible to get ipf without upgrading the whole system?

The official way is to compile your own kernel (as already suggested
by Manuel) - the alternative is to build the module more or less
manually following the way it is done in netbsd-8 in HEAD (see
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/modules/ipl/Makefile ).

But there is no way of getting ipf to work by plain configuration.
Your kernel simply does not support it.

Alternatively, perhaps pf will work for you?  A pf module is available
in netbsd-7.


> I find it odd that the /sbin/ipf binary is included... shouldn't it
> run out of the box then?

Well, one answer to that is that if the userland tool was missing, it
wouldn't be enough to just recompile your kernel (that's a fairly
standard procedure), you additionally would have to compile the
userland tool - and the only official way of compiling base userland
tools is by compiling the *entire* userland.  Also, quite a few other
evbarm kernels are shipped with ipfilter built-in, and all these share
the same userland, so the *exact same* /sbin/ipf that you are seeing
there will work for them.

The real question probably is why pseudo-device ipfilter is commented
out in RPI.  I don't mind the defaults, I don't think recompiling the
kernel is a big deal, but I can see why you might want everything to
work out of the box without requiring you to set up a development
environment.


  Harold

