Subject: Compile kernel to use ipf(ilter) LKM mode???
To: None <tech-kern@netbsd.org, tech-net@netbsd.org>
From: Gene ENonymous <yancm@sdf.lonestar.org>
List: tech-kern
Date: 06/20/2006 11:53:08
This is a second plea for help on this issue. I'm crossposting
tech-kern and tech-net since it involves both.

I use NetBSD 2.1_Stable on a 600 MHz i386 w/700+MB ram...

I want to use ippool which is part of the ipfilter set of tools.
Unfortunately ippool implementation is broken in 2.1 branch and
apparently (sample size of one from my earlier cry for help)
ippool is also broken in NetBSD 3.x.

After early consultations with Darren Reed, my plan of attack
was to compile my kernel to use the LKM mode of operation.

Unfortunately, this has not been easy and Darren has apparently
gotten too tied up to help me further.

What follows is a description of what I tried.

Which options do I need to turn off in my kernel config?

The first thing Darren mentioned is that I should turn off:
options         IPFILTER
and on:
options         IPFILTER_LKM

Unfortunately I had no: options IPFILTER.

My baseline kernel config had ONLY the following options and lines
related to ipf:

  options        IPFILTER_LOG    # ipmon(8) log support
  #options        IPFILTER_DEFAULT_BLOCK  # block all packets by default
  pseudo-device   ipfilter                # IP filter (firewall) and NAT

******

I compiled a kernel with: options IPFILTER_LKM

I had all the userland ip* files updated to 4.1.13...

When I tried the modload here's what I got:

clarity 11 # modload if_ipl.o
if_ipl.o(.text+0x15e24): In function `appr_check':
/usr/local/src/ipf/ip_fil4.1.13/BSD/NetBSD-2.1_STABLE-i386/../../ip_proxy.c:457:
multiple definition of `appr_check'
[1]   Segmentation fault (core dumped) ld -R /dev/ksyms...
modload: can't prelink `if_ipl.o' creating `if_ipl'
clarity 12 # ipf -V
ipf: IP Filter: v4.1.13 (396)
User/kernel version check failed
Kernel: IP Filter: v4.1.3
Running: no
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a
clarity 13 #

As you can see it appears the kernel was still built with ipf
even though I tried to remove it. Is there some way to turn it off?

Do I need to do something different with my /etc files?
Do I leave rc.conf as:
# Networking startup.
#
ipfilter=YES                                    # uses /etc/ipf.conf
ipnat=YES                                       # uses /etc/ipnat.conf
ipfs=NO                 ipfs_flags=""           # save/load ipnat and ipf states

Do I leave sysctl.conf as:
net.inet.ip.forwarding=1
net.inet.tcp.mss_ifmtu=1

In my struggle to get lkm working, I have played around
with the following:
  options                IPFILTER_LKM    # add ipf LKM support
  #options        IPFILTER_LOOKUP # add support for ippool(5,8) in the kernel
  #options        IPFILTER_LOG    # ipmon(8) log support
  #options        IPFILTER_DEFAULT_BLOCK  # block all packets by default
  pseudo-device   ipfilter                # IP filter (firewall) and NAT

I tried commenting all of the options out one by one.

Even with them all commented out, my kernel seemed to "mostly work"
(ipf -V said Kernel: IP Filter: v4.1.3) unless I commented the
pseudo-device line?!?! By mostly work, ipf was able
to load rules, but then nat was broken.

What am I missing? Please help!!!!
--gene