Ipfilter broken on -current
Hi all, since a couple of days ipfilter is broken for -current. kldload ipl.ko gives: link_elf: symbol pfil_head_get undefined And the IPFILTER option inside the kernel-config results in: cc -c -O -pipe -mcpu=pentiumpro -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -nostdinc -I- -I. -I/usr/src/sys -I/usr/src/sys/contrib/dev/acpica -I/usr/src/sys/contrib/ipfilter -I/usr/src/sys/contrib/dev/ath -I/usr/src/sys/contrib/dev/ath/freebsd -D_KERNEL -include opt_global.h -fno-common -finline-limit=15000 -fno-strict-aliasing -mno-align-long-strings -mpreferred-stack-boundary=2 -ffreestanding -Werror /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: In function `fr_check_wrapper': /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:319: error: `PFIL_OUT' undeclared (first use in this function) /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:319: error: (Each undeclared identifier is reported only once /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:319: error: for each function it appears in.) /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: In function `iplattach': /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:376: warning: unused variable `ph_inet' /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c: At top level: /usr/src/sys/contrib/ipfilter/netinet/ip_fil.c:317: warning: `fr_check_wrapper' defined but not used Best regards -- Udo Schweigert, Siemens AG | Voice : +49 89 636 42170 CT IC CERT, Siemens CERT | Fax: +49 89 636 41166 D-81730 Muenchen / Germany | email : [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ipfilter broken on -current
On Saturday 04 October 2003 11:21, Udo Schweigert wrote: Hi all, since a couple of days ipfilter is broken for -current. kldload ipl.ko gives: link_elf: symbol pfil_head_get undefined And the IPFILTER option inside the kernel-config results in: (snip) You should read /usr/src/UPDATING. Arjan ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Ipfilter broken on -current
On Sat, Oct 04, 2003 at 13:01:31 +0200, Arjan van Leeuwen wrote: On Saturday 04 October 2003 11:21, Udo Schweigert wrote: Hi all, since a couple of days ipfilter is broken for -current. kldload ipl.ko gives: link_elf: symbol pfil_head_get undefined And the IPFILTER option inside the kernel-config results in: (snip) You should read /usr/src/UPDATING. Arrgs, yes I should. Anyway: it doesn't load the ipl.ko when booting and ipfilter_enable=YES. Best regards -- Udo Schweigert, Siemens AG | Voice : +49 89 636 42170 CT IC CERT, Siemens CERT | Fax: +49 89 636 41166 D-81730 München / Germany| email : [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: IPFILTER broken as of world/kernel a few hours old
leafy wrote: With IPFILTER enabled in the kernel, all socket(2) calls inbound/outbound are very slow. A normal SSH connection within the same subnet takes 5 minutes to connect. Anything I can provide to pin down the problem? Are you sure _all_ socket calls are slow? 5.0-R had reverse resolution for sshd (which happened no matter what the configuration said) run inside chrooted /var/empty, so if no /var/empty/etc/resolv.conf, nsswitch.conf, hosts, etc, existed, it would look up 127.0.0.1 (you can tcpdump -ni lo0 on the server to see if it does that when a new ssh connection arrives). If blackhole or firewall was used, no answer would be returned to this dns request, and the ssh login would lag for a long time. BTW, what font are you using? When on FreeBSD, with Mozilla, your messages are all but unreadable. -- Daniel C. Sobral Gere^ncia de Operac,o~es Divisa~o de Comunicac,a~o de Dados Coordenac,a~o de Seguranc,a TCO Fones: 55-61-313-7654/Cel: 55-61-9618-0904 E-mail: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
Re: IPFILTER broken as of world/kernel a few hours old
On Thu, Mar 06, 2003 at 11:28:45AM -0300, Daniel C. Sobral wrote: Are you sure _all_ socket calls are slow? 5.0-R had reverse resolution for sshd (which happened no matter what the configuration said) run All, including ssh. Only ICMP responds in time. connection arrives). If blackhole or firewall was used, no answer would be returned to this dns request, and the ssh login would lag for a long time. I using user ppp right now on the same box, with no above problem. Probably something in the recent ng_* commit interfered with IPFILTER. BTW, what font are you using? When on FreeBSD, with Mozilla, your messages are all but unreadable. -- Daniel C. Sobral Heh, I don't use Mozilla at all ;) But what message are you referring to ? Jiawei -- Without the userland, the kernel is useless. --inspired by The Tao of Programming To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
Re: IPFILTER broken as of world/kernel a few hours old
On Thu, Mar 06, 2003 at 11:22:29PM +0800, leafy wrote: On Thu, Mar 06, 2003 at 11:28:45AM -0300, Daniel C. Sobral wrote: Are you sure _all_ socket calls are slow? 5.0-R had reverse resolution for sshd (which happened no matter what the configuration said) run All, including ssh. Only ICMP responds in time. I noticed that port 53 UDP (yes, UDP) gets through fine, though. Jiawei -- Without the userland, the kernel is useless. --inspired by The Tao of Programming To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
Re: IPFILTER broken as of world/kernel a few hours old
leafy wrote: On Thu, Mar 06, 2003 at 11:22:29PM +0800, leafy wrote: On Thu, Mar 06, 2003 at 11:28:45AM -0300, Daniel C. Sobral wrote: Are you sure _all_ socket calls are slow? 5.0-R had reverse resolution for sshd (which happened no matter what the configuration said) run All, including ssh. Only ICMP responds in time. I noticed that port 53 UDP (yes, UDP) gets through fine, though. Try disabling delayed ACK in the TCP stack; it's a sysctl. -- Terry To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
Re: IPFILTER broken as of world/kernel a few hours old
On Thu, Mar 06, 2003 at 09:00:22AM -0800, Terry Lambert wrote: I noticed that port 53 UDP (yes, UDP) gets through fine, though. Try disabling delayed ACK in the TCP stack; it's a sysctl. -- Terry Been there, done that. No difference though. Jiawei -- Without the userland, the kernel is useless. --inspired by The Tao of Programming To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
IPFILTER broken as of world/kernel a few hours old
With IPFILTER enabled in the kernel, all socket(2) calls inbound/outbound are very slow. A normal SSH connection within the same subnet takes 5 minutes to connect. Anything I can provide to pin down the problem? Jiawei -- Without the userland, the kernel is useless. --inspired by The Tao of Programming To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-current in the body of the message
Re: ipfilter broken?
On Tue, Feb 13, 2001 at 04:00:26PM +0800, Donny Lee wrote: Dag-Erling Smorgrav wrote: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Looks like a stale dependency file to me. Try 'make cleandir' twice, followed by the usual 'make depend make make install'. Yes, but got no luck, stops at the same place.:) cd /sys/compile/YOURKERNELFILE rm -rf modules make depend make To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
On Tue, Feb 13, 2001 at 05:18:04AM +0100, Dag-Erling Smorgrav wrote: Donny Lee [EMAIL PROTECTED] writes: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Looks like a stale dependency file to me. Try 'make cleandir' twice, That only works in /usr/src userland, not kernel. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
"David O'Brien" [EMAIL PROTECTED] writes: On Tue, Feb 13, 2001 at 05:18:04AM +0100, Dag-Erling Smorgrav wrote: Donny Lee [EMAIL PROTECTED] writes: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Looks like a stale dependency file to me. Try 'make cleandir' twice, That only works in /usr/src userland, not kernel. This is in a module build, and modules use the OBJDIR stuff so 'cleandir' had better work. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
On Tue, Feb 13, 2001 at 11:15:24AM +0100, Dag-Erling Smorgrav wrote: "David O'Brien" [EMAIL PROTECTED] writes: On Tue, Feb 13, 2001 at 05:18:04AM +0100, Dag-Erling Smorgrav wrote: Donny Lee [EMAIL PROTECTED] writes: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Looks like a stale dependency file to me. Try 'make cleandir' twice, That only works in /usr/src userland, not kernel. This is in a module build, and modules use the OBJDIR stuff so 'cleandir' had better work. Only if the kernel Makefile (which shells out a make on the modules Makefile), knows about the "cleandir" target. Remember where the cwd is for the person wanting to do this (assuming defaults). What you suggest will only work because I was forsitefull enough not that long ago to think that someone might actually try ``make cleandir'' and want something to happen. But ``make cleandir'' will only act in the modules build dir, it does not imply a `make clean' for the kernel. -- -- David ([EMAIL PROTECTED]) GNU is Not Unix / Linux Is Not UniX To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
David O'Brien wrote: Looks like a stale dependency file to me. Try 'make cleandir' twice, followed by the usual 'make depend make make install'. Yes, but got no luck, stops at the same place.:) cd /sys/compile/YOURKERNELFILE rm -rf modules make depend make thanks, it works this way. By doing so, I also noticed that, the general procedule i used to take: cd /sys/i386/conf config -r mykernel cd ../../compile/mykernel make depend all install the -r option in config kernel is no longer exist? -- // Donny To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
Donny Lee [EMAIL PROTECTED] writes: By doing so, I also noticed that, the general procedule i used to take: cd /sys/i386/conf config -r mykernel ^^ No point. cd ../../compile/mykernel make depend all install ^^ Wrong. It only accidentally works because you always use 'config -r'. The correct command is 'make depend make make install'. If you do 'make depend all', the dependency information generated by the 'depend' target is ignored by the 'all' target. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
Dag-Erling Smorgrav wrote: By doing so, I also noticed that, the general procedule i used to take: cd /sys/i386/conf config -r mykernel ^^ No point. -r removes objects generated by a previous kernel config, i guess. cd ../../compile/mykernel make depend all install ^^ Wrong. It only accidentally works because you always use 'config -r'. The correct command is 'make depend make make install'. If you do 'make depend all', the dependency information generated by the 'depend' target is ignored by the 'all' target. -- // Donny To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
Donny Lee [EMAIL PROTECTED] writes: Dag-Erling Smorgrav wrote: config -r mykernel No point. -r removes objects generated by a previous kernel config, i guess. Still no point. Unless your tree is hosed, make(1) takes care of that, as long as you don't screw up by running all three targets at once so it never has a change to get the dependencies right. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
ipfilter broken?
Hi there, I'm not sure if this related to the thread of -current these days. my world builds fine with the latest cvsup, maybe only 1 or 2 hrs ago. no more luck, my kernel building stoped here: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Stop in /usr/src/sys/modules. *** Error code 1 Stop in /usr/obj/usr/src/sys/GENERIC *** Error code 1 Stop in /usr/src *** Error code 1 -- // Donny To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
Donny Lee [EMAIL PROTECTED] writes: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Looks like a stale dependency file to me. Try 'make cleandir' twice, followed by the usual 'make depend make make install'. DES -- Dag-Erling Smorgrav - [EMAIL PROTECTED] To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipfilter broken?
Dag-Erling Smorgrav wrote: ===ipfilter make: don't know how to make machine/lock.h Stop. *** Error code 2 Looks like a stale dependency file to me. Try 'make cleandir' twice, followed by the usual 'make depend make make install'. Yes, but got no luck, stops at the same place.:) -- // Donny To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
