1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3
as well. Under IRIX 5.3, it has been successfully compiled and linked in the
kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported.
To build a kernel with the IP filter and install it on your system,
follow these steps:
1. edit the top-level Makefile to
a) comment-out the IPFLKM definition.
This means changing the line reading:
IPFLKM=-DIPFILTER_LKM
to
#IPFLKM=-DIPFILTER_LKM
b) select the system's compiler (cc)
This means changing the line reading:
CC=gcc
to
CC=cc
b) enable full optimization
This means changing the lines reading:
DEBUG=-g
CFLAGS=-I$$(TOP)
to
DEBUG=
CFLAGS=-O2 -I$$(TOP)
1. do "make irix" (Warning: GNU make is not supported, so if it has
been installed on your system, verify your path and/or do "which make"
to guarantee that IRIX's /sbin/make has precedence)
2. do "make install-irix" as root
(a new kernel will be automatically built)
3. determine the filtering rules and place them in /etc/ipf.conf
and /etc/ipnat.conf
4. do "init 6" as root to reboot with the new kernel
After restarting, the filter should be active and behaving according to
the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf.
These files can be changed at any time, and reloaded using the
following command sequence:
# sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start
To remove the IP Filter from your kernel, follow these steps:
1. Delete the /var/sysgen/boot/ipfilter.o file
# rm /var/sysgen/boot/ipfilter.o
2. If SGI's ipfilter.o had been previously installed, restore it
back to its original location
# mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o
3. Build a new kernel
# /etc/autoconfig
4. Delete the /etc/rc2.d/S33ipf symbolic link
# rm /etc/rc2.d/S33ipf
5. Reboot
# init 6
ADDITIONAL NOTES:
- The IP filter uses the same kernel interface to the IP driver as
SGI's ipfilter. In fact, it is installed in place of SGI's
/var/sysgen/boot/ipfilter.o module, after renaming it (if installed)
to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's
ipfilterd daemon is not running simultaneously, since this package uses
the same major device number.
- We have not tested IP Filter on a multiprocessor machine yet.
However, feel free to try it and send your experiences/patches
back to marc@CAM.ORG. SGI prescribes that kernel code be built on such
systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should
probably be uncommented on the DFLAGS line of IRIX/Makefile if your
machine has more than one processor.
- It is also possible to build IP Filter as a dynamically loadable
kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the
top-level Makefile), but this is not recommended other than for testing
and debugging purposes, because the only possible method for dynamic
attachment to the IP stack (instruction patching) is highly dependent
on the processor architecture. The code provided has only been tested
with IP22 CPU boards and can sometime cause panics during loading due
to a potential race condition.
CREDITS:
IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG>
Marc Boucher wishes to thank the
ICARI Institute (http://www.icari.qc.ca)
and
Aurelio Cascio <aurelio@toonboom.com>
for their financial support and testing facilities, respectively.
|
