Re: ipfilter 4.1.6 won't build on FreeBSD5.3 amd64 (fwd)

From: c0ldbyte (c0ldbyte_at_myrealbox.com)
Date: 03/08/05

  • Next message: Charles Sprickman: "Re: FreeBSD 4.x and OS-X tcp performance" 
    Date: Mon, 7 Mar 2005 19:08:24 -0500 (EST)
To: Goran Gajic <ggajic@mail.sbb.co.yu>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Mon, 7 Mar 2005, Goran Gajic wrote:

    > Hi,
    >
    > I have tried to build ipfilter 4.1.6 as module and as part of kernel on
    > FreeBSD 5.3 on amd64 but in both cases I have failed. When I use
    > option IPFILTER in kernel config this is what I get:
    >
    > cc -c -O2 -frename-registers -pipe -fno-strict-aliasing -Wall
    > -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes
    > -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -nostdinc
    > -I- -I. -I../../.. -I../../../contrib/dev/acpica -I../../../contrib/altq
    > -I../../../contrib/ipfilter
    > -I../../../contrib/pf -I../../../contrib/dev/ath
    > -I../../../contrib/dev/ath/freebsd -I../../../contrib/ngatm -D_KERNEL
    > -include opt_global.h -fno-common -finline-limit=8000 --param
    > inline-unit-growth=100 --param large-function-growth=1000 -mcmodel=kernel
    > -mno-red-zone -mfpmath=387 -mno-sse -mno-sse2 -mno-mmx -mno-3dnow
    > -msoft-float -fno-asynchronous-unwind-tables -ffreestanding -Werror
    > .../../../contrib/ipfilter/netinet/ip_frag.c
    > .../../../contrib/ipfilter/netinet/ip_frag.c: In function `fr_ipid_newfrag':
    > .../../../contrib/ipfilter/netinet/ip_frag.c:394: warning: cast to pointer
    > from integer of different size
    > .../../../contrib/ipfilter/netinet/ip_frag.c: In function
    > `fr_ipid_knownfrag':
    > .../../../contrib/ipfilter/netinet/ip_frag.c:579: warning: cast from pointer
    > to integer of different size
    > *** Error code 1
    >
    > Stop in /usr/src/sys/amd64/compile/SENT.
    >
    >
    > When I have tried to build ipf.ko this is what I get:
    > ld -warn-common -r -d -o ipf.kld.5 ip_fil.o fil.o ml_ipl.o ip_nat.o ip_frag.o
    > ip_state.o ip_proxy.o ip_auth.o ip_log.o ip_pool.o ip_htable.o ip_lookup.o
    > ip_rules.o ip_scan.o ip_sync.o
    > ld -Bshareable -d -warn-common -o ipf.ko ipf.kld.5
    > ld: ipf.kld.5: relocation R_X86_64_32 can not be used when making a shared
    > object; recompile with -fPIC
    > ipf.kld.5: could not read symbols: Bad value
    > *** Error code 1
    >
    > Stop in /root/ip_fil4.1.6/BSD/FreeBSD-5.3-RELEASE-amd64.
    > *** Error code 1
    >
    > Stop in /root/ip_fil4.1.6.
    >
    > I have tried recompling with -fPIC but when I do kld_load ipf.ko this is what
    > I get:
    > sen# kldload /boot/kernel/ipf.ko
    > dmesg output:
    > kldload: can't load /boot/kernel/ipf.ko: Exec format error
    > kldload: Unsupported file type
    > kldload: unexpected relocation type 7
    > link_elf: symbol appr_check undefined
    >
    >
    > So, my question is: can ipfilter be used to NAT something like 7000 hosts on
    > FreeBSD? Currently I have cisco 7206 that is running IOS 12.3(4r)T1 only IOS
    > that has NAT inside CEF (otherwise CPU load is something like 80% with this
    > IOS it is something like 20% for 7000 hosts). I want my amd64 only to NAT
    > inside network (10.1.0.0/16) but when I have tried ipfilter
    > v3.4.35 that comes with freebsd5.3 (compiled with LARGE_NAT) it had poor
    > performance. (it could handle something like 120000 connections although
    > vaules in ip_nat.h were much greater, maybe I have missed some other
    > parameters?). Machine has two broadcom NICs so I don't think that is
    > problem, can someone advise what to do to?
    >
    > Regards,
    > Goran Gajic

    Are those CFLAGS=-O2, a standard compilation or is that something you
    added to the make.conf ?. Ive tried some optimizations myself well
    building the kernel and its modules and got a very sparse build of things
    they dont seem to build to well when being built with -O2 opts.

    Good luck and best regards, check your /etc/make.conf
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (FreeBSD)
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF7DF979F

    iD8DBQFCLOz8smFQuvffl58RAp8HAJ4qcQuzBU3uI9koXuoypA2lJaw6jgCeNk7O
    1ffKaacnysptQNLxaaP17TE=
    =A712
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

  • Next message: Charles Sprickman: "Re: FreeBSD 4.x and OS-X tcp performance"

    Relevant Pages

    • FreeBSD 4.11 P13 Crash
      ... Okay this time my kernel was recompiled so there are no modules to make it ... logging with IPFilter, but I am always open to the possibility. ... page fault while in kernel mode ... pseudo-device sl 1 # Kernel SLIP ...
      (freebsd-hackers)
    • Re: -E flag in /etc/rc.d/ipfilter causes warnings
      ... >> ipfilter is always going to be necessary on it. ... >> in the kernel image, it's automatically initialized (and thus does not ... the warning messages disappeared at boot time. ... The stop command to rc.d/ipfilter uses -D to disable ipfilter, ...
      (freebsd-current)
    • about ipfilter
      ... I am having confuse with the ipfilter and the kernel setup. ... If I compile the kernel with the above options then I can start it on boot. ...
      (freebsd-questions)
    • Re: ipfilter depends on IPv6 support?
      ... However I just set up a 6.0 machine, and with the rebuilt ... kernel, ipl.ko would not load, with the error: ... This does the trick for me (for ipfilter) in make.conf - ... # We need this in order for ipfilter kernel module not to require ...
      (comp.unix.bsd.freebsd.misc)
    • Re: IpFilter / IpFireWall
      ... to use ipfw&ipf use this in your kernel! ... Subject: IpFilter / IpFireWall ... > i use freebsd v4.5 Release #0. ...
      (FreeBSD-Security)