Re: compile PF in a DomU kernel?

[Manuel Bouyer <bouyer%antioche.eu.org@localhost>]

On Thu, Oct 22, 2009 at 07:36:41PM +0100, Philip wrote:
> Hello
> 
> I need to be able to use PF in a DomU kernel, but after some time trying
> and failing my understanding is that LKM doesn't work in a DomU, and I
> suppose modules have to be loaded with the kernel by Dom0 and all that?

No, you have to build modules for Xen (and not native x86), but there's
no support in the build infrastructure for this yet.

> In fact when I tried the DomU hung and I had to mount the image file and
> change the rc.conf back before I could boot it.
> 
> I'm not a xen expert at all as you can probably see.....
> 
> I'm thanking that the easiest thing to do is to compile a new DomU
> kernel with PF support built in, so that LKM isn't needed.

Yes.

> 
> Can anyone give me some guidance?  I have compiled Netbsd kernels before
> but not xen ones.

It's exactly the same as a native kernel; you'll have the XEN_* config
files in the arch/amd64/conf or arch/i386/conf directories.

> I think my domu is the one from
> http://ftp.netbsd.org/pub/NetBSD/NetBSD-5.0.1/i386/binary/kernel/netbsd-XEN3_DOMU.gz
> 
> I have read http://www.netbsd.org/docs/kernel/ and I'm guess that I use
> the conf file from cd /usr/src/sys/arch/<ARCH>/conf with conf=xen, keep
> everything the same but just add "options     PFIL_HOOKS      # pfil(9) packet
> filter hooks" as it says at http://www.netbsd.org/docs/network/pf.html
> or are there some other tricks?

I think you also need
pseudo-device pf
or something like that. And remove ipf.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--