Allow me to share a few notes that might help others before sharing my
woes. I started off with plans to run the latest stable ipfilter
release on 64-bit RHEL (ES 4 U6). The kernel is 2.6.9-67.ELsmp x86_64.
Compilation needed the following patches (the first two are actually
from another post on this list; the Makefile one I had to hack up
myself):
# diff -u ip_state.c.orig ip_state.c
--- ip_state.c.orig 2009-04-29 18:42:51.000000000 -0700
+++ ip_state.c 2009-04-29 18:40:24.000000000 -0700
@@ -221,7 +221,8 @@
* XXX - ips_seed[X] should be a random number of sorts.
*/
#if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
- ips_seed[i] = arc4random();
+ /*ips_seed[i] = arc4random();*/
+ ips_seed[i] = 1234;
#else
ips_seed[i] = ((u_long)ips_seed + i) * fr_statesize;
ips_seed[i] += tv.tv_sec;
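Review bot: The replacement line `ips_seed[i] = 1234;` gives every state-table seed the same constant, which is exactly what the comment two lines above (`ips_seed[X] should be a random number of sorts`) warns against: the hash layout of the state table becomes fixed and identical on every boot instead of unpredictable. If arc4random() is simply not available in this Linux kernel build, the less-bad options are to fall through to the #else computation, which at least mixes in the table address and the current time, or to fill the seed from the kernel's own random source (get_random_bytes() on Linux) rather than a literal. Leaving the old call behind as a comment also hides that the build was changed; a platform guard around the substitute with a comment naming the missing symbol would keep the workaround visible to the next reader. The enclosing function begins outside this hunk.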
# diff -u ip_nat.c.orig ip_nat.c
--- ip_nat.c.orig 2009-04-29 18:42:59.000000000 -0700
+++ ip_nat.c 2009-04-29 18:40:36.000000000 -0700
@@ -2031,7 +2031,8 @@
if (np->in_flags & IPN_SEQUENTIAL) {
port = np->in_pnext;
} else {
- port = ipf_random() % (ntohs(np->in_pmax) -
+ /*port = ipf_random() % (ntohs(np->in_pmax) -*/
+ port = 12345 % (ntohs(np->in_pmax) -
ntohs(np->in_pmin));
port += ntohs(np->in_pmin);
}
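Review bot: `port = 12345 % (ntohs(np->in_pmax) - ntohs(np->in_pmin));` makes the NAT port choice the same on every call that takes this branch, so for a given port range each new mapping starts at an identical, guessable port rather than a random one; the randomness the original line supplied is part of what makes NAT mappings hard for an off-path party to guess. If ipf_random() does not link on this kernel, the fix belongs inside ipf_random() itself (backed by get_random_bytes() on Linux) rather than in this caller, so that every other user of it is repaired at once. Separately, the new line still divides by `in_pmax - in_pmin`, which is zero when the two ports are equal; the code appears to rely on rule parsing to reject that case, which is worth confirming. The enclosing function continues outside this hunk.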
# diff -u Makefile.orig Makefile
--- Makefile.orig 2009-04-30 07:51:38.000000000 -0700
+++ Makefile 2009-04-30 07:51:58.000000000 -0700
@@ -109,8 +109,8 @@
$(OBJ)/ipfstat: $(FILS) $(OBJ)/libipf.a $(TOP)/ip_fil.h $(TOP)/ipf.h \
$(TOP)/ip_frag.h $(TOP)/ip_compat.h $(TOP)/ip_state.h \
$(TOP)/ip_nat.h
- -if [ ! -f /usr/lib/libelf.so ] ; then \
- (cd /usr/lib; a=`echo libelf.so.*|head -n 1`; \
+ -if [ ! -f /usr/lib64/libelf.so ] ; then \
+ (cd /usr/lib64; a=`echo libelf.so.*|head -n 1`; \
if [ "$$a" != "" ] ; then ln -s $$a libelf.so; fi) \
fi
$(CC) $(CCARGS) $(FILS) -o $@ -lelf $(LIBS) $(STATETOP_LIB)
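Review bot: The lookup `a=\`echo libelf.so.*|head -n 1\`` can never leave `$$a` empty, because when nothing matches the unquoted glob the shell passes the pattern through literally, so the guard `if [ "$$a" != "" ]` always succeeds and `ln -s` leaves a dangling `libelf.so -> libelf.so.*` link in /usr/lib64; the same construct is repeated in the @@ -124 hunk for $(OBJ)/ipnat. Writing it as `a=\`ls libelf.so.* 2>/dev/null | head -n 1\`` makes the empty case real. More broadly, a build rule that writes into the system library directory (and so only works when make runs as root) is surprising and non-portable, and hardcoding /usr/lib64 now breaks the 32-bit hosts the original /usr/lib path served; the directory should at least come from a Makefile variable, and creating the development symlink is better left to the packager than to the build.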
@@ -124,8 +124,8 @@
ln -s `pwd`/ipftest $(TOP)
$(OBJ)/ipnat: $(IPNAT) $(OBJ)/libipf.a
- -if [ ! -f /usr/lib/libelf.so ] ; then \
- (cd /usr/lib; a=`echo libelf.so.*|head -n 1`; \
+ -if [ ! -f /usr/lib64/libelf.so ] ; then \
+ (cd /usr/lib64; a=`echo libelf.so.*|head -n 1`; \
if [ "$$a" != "" ] ; then ln -s $$a libelf.so; fi) \
fi
$(CC) $(CCARGS) $(IPNAT) -o $@ $(LIBS) -lelf $(LEXLIB)
Note that iptables firewall and SELinux are both disabled.
So as soon as I start ipfilter (after touching empty files
/etc/ipf.conf and /etc/ipnat.conf), all networking is lost. I cannot
ping in nor can I ping out. The console is okay. Pinging out leads to
messages like "sendmsg: Operation not permitted" from this box.
ipfstat shows no blocks (all stats are 0, except the ticks). ipf
-Tlist shows an okay configuration. Adding 'pass in quick' to
/etc/ipf.conf does not help (ipfstat -hio shows no hits on it).
Any ideas on what to try or expect?
Thanks,
- Ashwani