Dec 8, 2009

pefs and l2filter moved to github

I've just moved pefs and l2filter development to github. Hope it helps people to follow development.

pefs repository (github.com/glk/pefs) can be used to to compile and run pefs without applying any patches.

pefs changelog:
  • support running on msdosfs
  • enable dircache only on file systems that are known to support it
  • add man page
  • add pefs getkey command
  • intial implementation of pefs PAM module

l2filter repository (github.com/glk/l2filter) contains only patches. There is fresh patch against 8-STABLE with some minor improvements comparing to 7-STABLE version. 9-CURRENT patch is a bit outdated at the moment, as I'm waiting for Luigi Rizzo to finish ipfw refactoring work first.
Posted by at
Labels: , ,

4 comments:

  1. Unknown16 February, 2010 11:29

    Hello,
    I'm using FreeBSD 8-STABLE. I have a gret interest from Layer2 Lookup Tables.
    I try to patch source repository but may be made some mistake.

    Bellow are step by step all procedure which I made:
    # cd /usr/src/
    # svn co http://http://svn.freebsd.org/base/stable/8/ a
    After that apply the patch with rev: FreeBSD 8-STABLE patch. SVN rev 203554
    patch -p0 < l2filter-8stable.patch
    Everything looks okey but when go into /usr/src/a/sbin/ipfw and then write: make
    then compilation is fail :(

    I try to use different revision of this patch but with no success and same error:(

    Please for assistance :(

    # cd ipfw
    # make
    Warning: Object directory not changed from original /usr/src/a/sbin/ipfw
    cc -O2 -pipe -std=gnu99 -fstack-protector -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -Wno-pointer-sign -c ipfw2.c
    ipfw2.c:149: error: 'IP_FW_STATEOPT_ETHER' undeclared here (not in a function)
    ipfw2.c:519: error: 'O_ETHER_TYPE' undeclared here (not in a function)
    ipfw2.c:519: error: initializer element is not constant
    ipfw2.c:519: error: (near initialization for '_port_name[5].x')
    ipfw2.c:520: error: 'O_ARP_OP' undeclared here (not in a function)
    ipfw2.c:520: error: initializer element is not constant
    ipfw2.c:520: error: (near initialization for '_port_name[6].x')
    ipfw2.c:872: error: expected ')' before '*' token
    ...........
    ...........
    ...........
    ipfw2.c:3568: error: incompatible type for argument 2 of 'fill_flags'
    ipfw2.c:3583: error: 'O_ARP_DST_LOOKUP' undeclared (first use in this function)
    ipfw2.c:3583: warning: assignment makes integer from pointer without a cast
    ipfw2.c:3585: error: 'O_ARP_SRC_LOOKUP' undeclared (first use in this function)
    ipfw2.c:3585: warning: assignment makes integer from pointer without a cast
    ipfw2.c: In function 'ipfw_table_handler':
    ipfw2.c:3852: error: 'ipfw_table_entry' has no member named 'ether_addr'
    ipfw2.c:3852: error: 'ipfw_table_entry' has no member named 'ether_addr'
    ipfw2.c:3852: warning: passing argument 2 of 'bzero' makes integer from pointer without a cast
    ipfw2.c:3854: error: 'ipfw_table_entry' has no member named 'ether_addr'
    ipfw2.c:3854: error: too many arguments to function 'get_ether_addr'
    ipfw2.c: In function 'table_list':
    ipfw2.c:3940: error: 'struct _ipfw_table_entry' has no member named 'ether_addr'
    ipfw2.c:3940: error: request for member 'flags' in something not a structure or union
    ipfw2.c:3940: error: 'IPFW_EA_CHECK' undeclared (first use in this function)
    ipfw2.c:3940: error: invalid operands to binary &
    ipfw2.c:3941: error: 'struct _ipfw_table_entry' has no member named 'ether_addr'
    ipfw2.c:3942: error: 'struct _ipfw_table_entry' has no member named 'ether_addr'
    ipfw2.c:3942: error: request for member 'flags' in something not a structure or union
    ipfw2.c:3942: error: 'IPFW_EA_MULTICAST' undeclared (first use in this function)
    ipfw2.c:3942: error: invalid operands to binary &
    *** Error code 1

    Stop in /usr/src/a/sbin/ipfw.

    ReplyDelete
  2. Gleb Kurtsou13 March, 2010 11:10

    Recompiling only src/sbin/ipfw is not enough, it requires updated kernel headers installed. You'd need to rebuild world.

    ReplyDelete
  3. Unknown21 March, 2010 13:55

    I'm using FreeBSD 7.2 updated from svn to:
    # uname -a
    FreeBSD 7.3-PRERELEASE FreeBSD 7.3-PRERELEASE #0 r205399M: Sun Mar 21 11:28:26 UTC 2010 root@:/usr/src/a/sys/i386/compile/NEW i386

    After rebuildworld & rebuildkernel & installkernel & installworld I managed to apply the patch successfully.
    Use l2filter patch: SVN rev 203383

    this is my default route:
    # arp -an
    ? (87.120.160.213) at 00:d0:b7:17:ea:5b on em0 [ethernet]

    then I add my gateway in this table:
    # ipfw table 10 add 87.120.160.213 ether 00:d0:b7:17:ea:5b

    # ifconfig em0 l2filter

    # Check If l2filter is enabled on this interface
    # ifconfig em0
    em0: flags=1808843 metric 0 mtu 1500
    options=9b
    ether 00:0c:29:eb:80:31
    inet 87.120.160.214 netmask 0xfffffffc broadcast 87.120.160.215
    media: Ethernet autoselect (1000baseTX )
    status: active

    # ipfw show
    00010 0 0 allow ip from 87.120.160.213 to any dst-ether any src-ether 00:d0:b7:17:ea:5b layer2
    65535 14600 1294972 allow ip from any to any

    # ipfw table 10 list
    87.120.160.213/32 ether 00:d0:b7:17:ea:5b 0

    # ipfw add 9 allow ip from table"(1)" to me layer2
    00009 allow ip from table(1) to me layer2
    # ipfw show
    00009 0 0 allow ip from table(1) to me layer2
    00010 0 0 allow ip from 87.120.160.213 to any dst-ether any src-ether 00:d0:b7:17:ea:5b layer2
    65535 15274 1354146 allow ip from any to any

    # ping 87.120.160.213
    PING 87.120.160.213 (87.120.160.213): 56 data bytes
    64 bytes from 87.120.160.213: icmp_seq=0 ttl=64 time=1.409 ms
    64 bytes from 87.120.160.213: icmp_seq=1 ttl=64 time=0.498 ms
    64 bytes from 87.120.160.213: icmp_seq=2 ttl=64 time=0.504 ms
    ^C
    --- 87.120.160.213 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.498/0.804/1.409/0.428 ms

    But I do not see any matched packets via rule...
    # ipfw show
    00009 0 0 allow ip from table(1) to me layer2
    00010 0 0 allow ip from 87.120.160.213 to any dst-ether any src-ether 00:d0:b7:17:ea:5b layer2
    65535 15493 1374502 allow ip from any to any
    #

    As you can see I added ifconfig em0 l2filter but it doesn't filter ( doesn't match counters per this rule)
    Please advice me what should I do to match layer2 traffic trough the filter

    Best~

    ReplyDelete
  4. Gleb Kurtsou18 April, 2010 22:20

    Unfortunately I' not able to test the patch any longer because of new ipfw version imported to CURRENT and merged to 8-STABLE. I have no 7-STABLE installed.

    00010 0 0 allow ip from 87.120.160.213 to any dst-ether any src-ether 00:d0:b7:17:ea:5b layer2

    Wild guess it to try removing 'from 87.120.160.213' from the rule (don't remember how it behaves in layer2 case)

    If you are looking for mixed layer2-layer3 filter, i.e. filtering by both ip and mac addresses, you should enable 'l2tag' on interface and remove 'layer2' from the rule:

    ifconfig em0 l2tag

    ReplyDelete

Subscribe to: Post Comments (Atom)