Subject: IPF on bridge, backport to 1.6 (Was Re: Replacing oddly networked NT machine)
To: Stephen Borrill <netbsd@precedence.co.uk>
From: Pavel Cahyna <pcah8322@artax.karlin.mff.cuni.cz>
List: tech-net
Date: 02/18/2003 13:01:50
>
> Looks like I asked at the right time then!
>
> Now, what's people feeling about how easy it will be to manually pull
> these changes into 1.6?
OK. Here are (hopefully) detailed instructions on backporting it to
1.6.
The three patches needed are included at the end of this mail.
Hope this helps.
Bye Pavel
### Procedure for backporting the firewall on bridge(4) to NetBSD 1.6.
### Assumes you have the kernel sources in /usr/src/sys.
### get the updates for the kernel. Includes some other minor changes to
### bridge(4) as well.
# cd /usr/src
# cvs update -rHEAD sys/net/if_bridge.c
# cvs update -rHEAD sys/net/if_bridgevar.h
# cvs update -r1.42 sys/netinet6/in6_ifattach.c
# cvs update -r1.20 sys/net/if_types.h
### and for the brconfig utility:
# cd ..
# cvs co -rHEAD src/sbin/brconfig
### declare the BRIDGE_IPF option properly. This should be done for the -current
### version too, I believe.
# cd src
# cd sys/conf
# patch < patch-files
# cd ../net
# patch < patch-if_bridge1
### remove code which depends on an API that exists only in -current.
### FIXME: is this correct?
# patch < patch-if_bridge2
### necessary for brconfig compilation
# make includes
### compile brconfig; in 1.6, utilities outside /usr are linked statically.
# cd /usr/src/sbin/brconfig
# LDSTATIC=-static make
# mv /sbin/brconfig /sbin/brconfig.old
# cp brconfig /sbin
### edit kernel options:
Add
options BRIDGE_IPF
to your kernel config file, then run config, make depend and make.
Change your /etc/ifconfig.bridge0 file so that the brconfig invocation includes
the ipf parameter; in my case:
!brconfig $int add gsip0 add gsip1 ipf up
Reboot with the new kernel.
Patches used:
patch-files:
--- files.preperseant Sun Jun 2 03:53:09 2002
+++ files Mon Feb 17 14:44:01 2003
@@ -83,6 +83,7 @@
defflag NATM # "native" ATM protocols
defflag PFIL_HOOKS # pfil(9)
defflag IPFILTER_LOG # logging of ip packets
+defflag opt_bridge_pfil.h BRIDGE_IPF # firewalling for bridge(4)
defflag opt_ppp.h PPP_DEFLATE PPP_BSDCOMP PPP_FILTER
# Include deflate or bsd
# compression, enable pppd
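Review bot: The new defflag places BRIDGE_IPF in the generated header opt_bridge_pfil.h, so every source file that tests `#ifdef BRIDGE_IPF` must include exactly that header; a file that omits the include compiles with the option silently false, i.e. the pfil hooks are left out and the bridge forwards unfiltered, with no build-time diagnostic to reveal it. patch-if_bridge1 adds the include to if_bridge.c, but if any other file in the tree tests the option (not visible from here) it needs the same treatment. Consider extending the trailing comment so the dependency is recorded next to the declaration, e.g. `defflag opt_bridge_pfil.h BRIDGE_IPF # firewalling for bridge(4); consumers must include opt_bridge_pfil.h`.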
patch-if_bridge1:
--- if_bridge.c.HEAD Tue Feb 18 10:21:02 2003
+++ if_bridge.c Mon Feb 17 14:43:13 2003
@@ -87,6 +87,8 @@
#include "bpfilter.h"
#include "rnd.h"
+#include "opt_bridge_pfil.h"
+
#include <sys/param.h>
#include <sys/kernel.h>
#include <sys/mbuf.h>
patch-if_bridge2:
--- if_bridge.c.opt Tue Feb 18 10:20:17 2003
+++ if_bridge.c Tue Feb 18 11:07:10 2003
@@ -2015,7 +2015,8 @@
if (*mp == NULL)
return -1;
-
+ /* does not apply for 1.6 */
+#if 0
if (IP_HDR_ALIGNED_P(mtod(m, caddr_t)) == 0) {
if ((m = m_copyup(m, sizeof(struct ip),
(max_linkhdr + 3) & ~3)) == NULL) {
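Review bot: Disabling the IP_HDR_ALIGNED_P()/m_copyup() path with `#if 0` removes the only realignment of the IP header before the packet is passed on (presumably to the pfil hooks; the caller is outside the hunk), so on a strict-alignment architecture a bridged frame whose IP header is not 4-byte aligned now continues misaligned, and the surviving m_pullup() only guarantees m_len, not alignment. On i386 and other architectures that tolerate misaligned loads this is harmless, but the comment should record the restriction rather than just `does not apply for 1.6`, e.g. `/* m_copyup() is not in 1.6; without realignment this path assumes the platform tolerates a misaligned IP header (e.g. i386) */`. The same point applies to the IPv6 block changed in the hunks at @@ -2118 and @@ -2127. The enclosing function starts and ends outside the hunk, and the counts in the @@ header (7 old / 8 new) are one more than the lines shown, so a blank context line appears to have been lost in the mail and patch(1) may need fuzz to apply it.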
@@ -2023,7 +2024,9 @@
ipstat.ips_toosmall++;
goto bad;
}
- } else if (__predict_false(m->m_len < sizeof (struct ip))) {
+ } else
+#endif
+ if (__predict_false(m->m_len < sizeof (struct ip))) {
if ((m = m_pullup(m, sizeof (struct ip))) == NULL) {
ipstat.ips_toosmall++;
goto bad;
@@ -2118,6 +2121,8 @@
* it. Otherwise, if it is aligned, make sure the entire base
* IPv6 header is in the first mbuf of the chain.
*/
+ /* does not apply for 1.6 */
+#if 0
if (IP6_HDR_ALIGNED_P(mtod(m, caddr_t)) == 0) {
struct ifnet *inifp = m->m_pkthdr.rcvif;
if ((m = m_copyup(m, sizeof(struct ip6_hdr),
@@ -2127,7 +2132,9 @@
in6_ifstat_inc(inifp, ifs6_in_hdrerr);
goto bad;
}
- } else if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) {
+ } else
+#endif
+ if (__predict_false(m->m_len < sizeof(struct ip6_hdr))) {
struct ifnet *inifp = m->m_pkthdr.rcvif;
if ((m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
ip6stat.ip6s_toosmall++;