I've been trying to get ipfilter set up on an old SPARCStation 4 running Solaris 2.6 for the past few days. Last night I succeeded, but only by giving up on trying to get a working pfil compiled and switching to version 3.4.35.
The version of pfil I was trying to get running was 2.1.11. Before I stopped, I managed to locate all the compile problems and portions that were giving me run-time errors. In case they are of some help (either in resolving this problem or helping someone else), I've listed my changes with explanations below.

The one problem I had left was that pfil would not attach to either of my configured Ethernet devices (le and qe). Both devices had entries in /etc/opt/pfil/iu.ap. During reboot, dev and devices would be reconfigured, but when I logged in, "strconf < /dev/le" would only return "le". The command "ndd /dev/pfil qif_status" would only return the header line.

The SPARCStation has relatively limited drive space (~1.5 GB) and memory (64 MB) and an incredibly ancient and slow 1x CD-ROM drive, so I am using a precompiled 2.6 version of gcc-2.95.2 from http://www.ibiblio.org/pub/packages/solaris/sparc/ (I am using /usr/ccs/bin/make, though). Luckily, I also have access to a development machine at work running Solaris 2.6. There, I used a SUN Workshop V5.0 cc compiler and had machines with Solaris 7 & 8 available to compare against. Unfortunately, while I could build the package there, I could not install it.

I ended up modifying three files under pfil/SunOS: os.h, qif.c and pkt.c. Here are the changes I made and why, presented diff style against the original files from the pfil 2.1.11 src tarball:

os.h:
44a45 > #if SOLARIS2 >= 7 45a47,49 > #else > extern int qif_timeout; > #endif

qif_timeout is used with the kernel functions timeout and untimeout. In Solaris 2.6, timeout returns an int and untimeout takes an int. The change to timeout_id_t (a void *) was in Solaris 7.

qif.c:
140a141 > #if SOLARIS2 >= 7 141a143,145 > #else > int qif_timeout = NULL; > #endif 1030a1035 > #if SOLARIS2 >= 8 1031a1037 > #endif

The additions around line 141 correspond to the changes to qif_timeout in os.h. The Solaris 8 wrapper around original line 1031 is to prevent a run-time error. It's a call to ire_refrele, which isn't present until Solaris 8. Since it's wrapped everywhere else it's called, I'm guessing this is just one that slipped through.

pkt.c:
246c246,247 < sif = ire_lookup(src); --- > sif = ire_ftable_lookup(addr, 0, 0, IRE_INTERFACE, NULL, NULL, 0, > MATCH_IRE_TYPE); 271c272 < src = ipif->ipif_local_addr; --- > src.s_addr = ipif->ipif_local_addr;

The change at 271 is fairly minor; src is a union. I can't even recall at the moment whether I got an actual error or just a warning on that one. In any case, changing src to src.s_addr cleared it up.

The one change I'm least sure about is the one at 246. I couldn't find any documentation on any of these ire_*_lookup functions, so was going mostly by what could be gleaned from the header file <inet/ip_ire.h>. I was not able to find any function named simply ire_lookup in any of the standard Solaris libraries on 2.6, 7 or 8. I did find (as I see others have, in browsing the mailing list archives) that the function ire_ftable_lookup (used in the SOLARIS2 >= 8 portion) IS available in Solaris <=7 as well, but with one less parameter than the Solaris >=8 version. I am assuming that it is essentially the same function, but since I don't know what either version does, I may be wrong.

There is another place in pkt.c and one in qif.c where ire_lookup may be compiled in, but both are wrapped in the "#else" portion of an "#ifdef MATCH_IRE_DSTONLY", so were not compiled into my version. Nonetheless, I figured I should point it out, in case it's affecting someone else.

Considering that all these (except possibly the last one) are fairly minor changes, I can't imagine any of them breaking pfil. Except for the one about ire_refrele, I'm fairly certain I had to make all of them to get a successful compilation under either cc or gcc.
My guess would be that some part of the code essential to successful attachment is wrapped in a preprocessor directive that omits it from a 2.6 compile, but it could just as easily be something in the 2.6 libraries, or several other things. If I could install it on a 2.6 system at work, or had more time to go code diving, I might be able to spot something. At the moment, though, I am relying on the kindness of strangers. :) I've seen it asked here before, but never answered: has ANYONE gotten pfil running on a Solaris 2.6 system?
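Review bot: In qif.c at 141a143,145, the pre-Solaris 7 definition `int qif_timeout = NULL;` initializes an int with NULL, which draws a conversion warning wherever NULL is defined as a pointer constant; write `int qif_timeout = 0;` instead. Because os.h and qif.c now repeat the same `#if SOLARIS2 >= 7` test for one variable, a single typedef for the timeout id type in os.h, used by both the declaration and the definition, would keep the two from drifting apart.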
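Review bot: In qif.c at 1030a1035 and 1031a1037, the new `#if SOLARIS2 >= 8` guard has no comment saying why the wrapped line is release-specific; add a one-line comment naming the symbol that is missing before Solaris 8 so the guard is not later removed as leftover preprocessor clutter. The hunk does not show the wrapped line or the code that takes the reference it releases, so it is also worth confirming that no reference is held on the pre-8 path once the release is compiled out.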
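Review bot: In pkt.c at 246c246,247, the lookup key changes from `src` to `addr` along with the function name, and nothing in the hunk shows where `addr` is set or that it carries the same address `src` did; the 271c272 hunk shows `src` has an `s_addr` member, so if the source address is still the intended key, `src.s_addr` is the likelier first argument. The replacement is also not wrapped in a SOLARIS2 version test the way the os.h and qif.c changes are, while the seven trailing arguments are taken from a header on one release; guard the call by release and add a comment stating that the argument list is assumed from <inet/ip_ire.h>, since a wrong argument count or flag on a kernel routing lookup fails at run time rather than at compile time.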
