IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3 as well. Under IRIX 5.3, it has been successfully compiled and linked in the kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported. To build a kernel with the IP filter and install it on your system, follow these steps: 1. edit the top-level Makefile to a) comment-out the IPFLKM definition. This means changing the line reading: IPFLKM=-DIPFILTER_LKM to #IPFLKM=-DIPFILTER_LKM b) select the system's compiler (cc) This means changing the line reading: CC=gcc to CC=cc b) enable full optimization This means changing the lines reading: DEBUG=-g CFLAGS=-I$$(TOP) to DEBUG= CFLAGS=-O2 -I$$(TOP) 1. do "make irix" (Warning: GNU make is not supported, so if it has been installed on your system, verify your path and/or do "which make" to guarantee that IRIX's /sbin/make has precedence) 2. do "make install-irix" as root (a new kernel will be automatically built) 3. determine the filtering rules and place them in /etc/ipf.conf and /etc/ipnat.conf 4. do "init 6" as root to reboot with the new kernel After restarting, the filter should be active and behaving according to the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf. These files can be changed at any time, and reloaded using the following command sequence: # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start To remove the IP Filter from your kernel, follow these steps: 1. Delete the /var/sysgen/boot/ipfilter.o file # rm /var/sysgen/boot/ipfilter.o 2. If SGI's ipfilter.o had been previously installed, restore it back to its original location # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o 3. Build a new kernel # /etc/autoconfig 4. Delete the /etc/rc2.d/S33ipf symbolic link # rm /etc/rc2.d/S33ipf 5. Reboot # init 6 ADDITIONAL NOTES: - The IP filter uses the same kernel interface to the IP driver as SGI's ipfilter. In fact, it is installed in place of SGI's /var/sysgen/boot/ipfilter.o module, after renaming it (if installed) to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's ipfilterd daemon is not running simultaneously, since this package uses the same major device number. - We have not tested IP Filter on a multiprocessor machine yet. However, feel free to try it and send your experiences/patches back to marc@CAM.ORG. SGI prescribes that kernel code be built on such systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should probably be uncommented on the DFLAGS line of IRIX/Makefile if your machine has more than one processor. - It is also possible to build IP Filter as a dynamically loadable kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the top-level Makefile), but this is not recommended other than for testing and debugging purposes, because the only possible method for dynamic attachment to the IP stack (instruction patching) is highly dependent on the processor architecture. The code provided has only been tested with IP22 CPU boards and can sometime cause panics during loading due to a potential race condition. CREDITS: IP Filter was ported to IRIX by Marc Boucher Marc Boucher wishes to thank the ICARI Institute (http://www.icari.qc.ca) and Aurelio Cascio for their financial support and testing facilities, respectively.