Bug 46226

Summary: 5.0-RC1 ipfilter module [ipl.ko] fails to load
Product: Base System
Reporter: Jeff Stelzner <jeff.stelzner>
Component: kern
Assignee: Darren Reed <darrenr>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Jeff Stelzner 2002-12-13 02:00:08 UTC
--In console boot messages I see [link_elf message repeats]:
Dec 10 16:14:03 lihue kernel: link_elf: symbol pfil_add_hook undefined
kldload: can't load ipl: No such file or directory
Dec 10 16:35:10 lihue xxx: ./ipfilter: WARNING: IP-filter module failed to load.

--When I try to load the ipfilter module manually I get:
lihue# ls -l /boot/kernel/ipl.ko
-r-xr-xr-x  1 root  wheel  92992 Dec  7 14:27 /boot/kernel/ipl.ko
lihue# kldload ipl
kldload: can't load ipl: No such file or directory
lihue# kldload ipl.ko
kldload: can't load ipl.ko: No such file or directory

How-To-Repeat: 
cat >> /etc/rc.conf
ipfilter_enable="YES"
^D

touch /etc/ipf.rules
Comment 1 Hiten Pandya 2002-12-13 15:39:47 UTC
> --In console boot messages I see [link_elf message repeats]:
> Dec 10 16:14:03 lihue kernel: link_elf: symbol pfil_add_hook undefined
> kldload: can't load ipl: No such file or directory

OK.  I tested this on my 28th Nov. CURRENT-JPSNAP, and the issue still
persists.  The reason you are getting that message, is because,
apparently, ipfilter is dependent on the PFIL_HOOKS kernel option, and
it cannot be loaded without it (I tried). 

So, either you add the option to the kernel config file, and the
problem will kinda go away.  I do not think the former is an interesting
thing to do, because ipfilter is a loadable module, then it makes less
sense to recompile a kernel to satisfy a dependency.

I have made some patches, which will make the PFIL_HOOKS into a loadable
module, so you can avoid the trouble of recompiling your kernel.  The
patches are tested by me, but I would like to have your comments, i.e.
if they work for you or not.

To use the module option, you will need to make a "pfil" dir in
sys/modules, and then apply the following patches (also available from:
http://www.unixdaemons.com/~hiten/work/diffs/pfil_ipfilter_dep.patch)

%%%
Index: contrib/ipfilter/netinet/mlfk_ipl.c
===================================================================
RCS file: /home/hiten/ncvs/src/sys/contrib/ipfilter/netinet/mlfk_ipl.c,v
retrieving revision 1.10
diff -u -r1.10 mlfk_ipl.c
--- contrib/ipfilter/netinet/mlfk_ipl.c	19 Mar 2002 11:44:16 -0000	1.10
+++ contrib/ipfilter/netinet/mlfk_ipl.c	13 Dec 2002 07:32:01 -0000
@@ -198,3 +198,4 @@
         0
 };
 DECLARE_MODULE(ipfilter, ipfiltermod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
+MODULE_DEPEND(ipfilter, pfil, 1, 1, 1);
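Review bot: The new MODULE_DEPEND line at the end of mlfk_ipl.c makes the dependency unconditional, so ipl.ko will refuse to load on any system where nothing registers a module named pfil, including a kernel that provides the hooks some other way. The three version numbers (minimum, preferred, maximum) have to stay in step with MODULE_VERSION(pfil, 1) in net/pfil.c; a short comment saying so next to the macro would help. Please also state in the submission how a kernel built with the PFIL_HOOKS option is expected to satisfy this dependency.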

Index: net/pfil.c
===================================================================
RCS file: /home/hiten/ncvs/src/sys/net/pfil.c,v
retrieving revision 1.5
diff -u -r1.5 pfil.c
--- net/pfil.c	19 Mar 2002 21:54:18 -0000	1.5
+++ net/pfil.c	13 Dec 2002 07:32:33 -0000
@@ -35,6 +35,8 @@
 #include <sys/socketvar.h>
 #include <sys/systm.h>
 #include <sys/queue.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
 
 #include <net/if.h>
 #include <net/pfil.h>
@@ -45,6 +47,14 @@
 static int pfil_list_remove(pfil_list_t *,
     int (*)(void *, int, struct ifnet *, int, struct mbuf **));
 
+static int pfil_mod_handler(module_t mod, int cmd, void *data);
+
+static moduledata_t pfil_mod = {
+	"pfil",
+	pfil_mod_handler,
+	0
+};
+
 static void
 pfil_init(ph)
 	 struct pfil_head *ph;
@@ -169,3 +179,31 @@
 		}
 	return NULL;
 }
+
+static int
+pfil_mod_handler(module_t mod, int cmd, void *data)
+{
+	int error = 0;
+
+	switch (cmd) {
+	case MOD_LOAD:
+		printf("Loaded PFIL_HOOKS\n");
+		break;
+
+	case MOD_UNLOAD:
+		break;
+
+	case MOD_SHUTDOWN:
+		error = 0;
+		break;
+
+	default:
+		error = EOPNOTSUPP;
+		break;
+	}
+
+	return (error);
+}
+
+MODULE_VERSION(pfil, 1);
+DECLARE_MODULE(pfil, pfil_mod, SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
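Review bot: pfil_mod_handler does no work on MOD_LOAD beyond a printf, and the patch changes nothing outside pfil.c, mlfk_ipl.c and the new Makefile, so loading this module only makes pfil_add_hook resolvable; nothing visible here connects the hook lists to the code that has to call them. For a packet filter, a load that succeeds while no traffic reaches the hooks is worse than a load error, so the submission should show that packets actually traverse ipfilter after kldload (for example, non-zero ipfstat counters). Smaller points: MOD_UNLOAD returns success without checking whether hooks are still registered, the `error = 0` under MOD_SHUTDOWN is redundant, and the unconditional printf should be dropped or put behind bootverbose.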

--- /dev/null	Fri Dec 13 07:33:00 2002
+++ modules/pfil/Makefile	Fri Dec 13 07:32:45 2002
@@ -0,0 +1,8 @@
+# $FreeBSD$
+
+.PATH: ${.CURDIR}/../../net
+
+KMOD=	pfil
+SRCS=	pfil.c
+
+.include <bsd.kmod.mk>
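Review bot: No hunk in this patch adds pfil to the SUBDIR list in modules/Makefile, so a normal buildkernel/installkernel will not build or install pfil.ko even though modules/pfil/Makefile now exists. Combined with the new MODULE_DEPEND in mlfk_ipl.c, that leaves ipl.ko with a dependency that cannot be satisfied at load time. Add the SUBDIR entry in the same patch, or document that pfil.ko has to be built and installed by hand from modules/pfil.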
%%%

Apply the patches in /usr/src/sys.
Comments and suggestions welcome.

-- 
Hiten Pandya (hiten@unixdaemons.com, hiten@uk.FreeBSD.org)
http://www.unixdaemons.com/~hiten/
Comment 2 Jeff Stelzner 2002-12-16 00:22:54 UTC
I applied the patches to a virgin 5.0-RC1 source tree, then did a 'make
buildkernel installkernel' and got a new GENERIC kernel.
Rebooted, and no longer see the link_elf: and kldload: errors but instead
now see:

Dec 13 16:48:21 lihue kernel: KLD ipl.ko: depends on pfil - not available

To confirm that ipl.ko was rebuilt along with the rest:

-r-xr-xr-x  1 root  wheel  5174977 Dec 13 16:31 /boot/kernel/kernel
-r-xr-xr-x  1 root  wheel  93287 Dec 13 16:31 /boot/kernel/ipl.ko
Comment 3 Jeff Stelzner 2002-12-16 17:36:34 UTC
> Can you please just add PFIL_HOOKS into the kernel, because the issue is
> bigger than just making pfil hooks into a kernel module.  This is because
> it is deep in the networking stack of FreeBSD.

> A more practical fix will be up later on, but for now please use this
> option, and request someone to close the PR, or put it in suspended
> mode.

I did that and ipfilter seems to activate fine from /etc/rc.conf.

Thanks for taking a shot at it. I would assume that for 5.0-RELEASE the
release team would want to ensure that PFIL_HOOKS was in the GENERIC
configuration and commented to the effect that it is mandatory for ipfilter
to work by default as in 4.x.

FreeBSD release team - Please incorporate the PFIL_HOOKS entry into GENERIC
as listed above and suspend this PR for now. Thanks.
Comment 4 Kris Kennaway freebsd_committer freebsd_triage 2003-07-14 12:42:40 UTC
Responsible Changed
From-To: freebsd-bugs->darrenr

Assign to ipfilter author
Comment 5 Jacques Vidrine freebsd_committer freebsd_triage 2004-01-24 15:32:57 UTC
State Changed
From-To: open->closed

PFIL_HOOKS is now in the GENERIC kernel configuration.
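
The three failure messages seen in this report (undefined symbol, unavailable module dependency, and the rc script warning that the filter did not load) can be picked out of a boot log automatically, which matters because the host keeps booting without its packet filter. The script below is an added example, not part of the original report or of FreeBSD; the function names are hypothetical and the sample input is built from the log lines quoted above.

```shell
#!/bin/sh
# Added example: classify kld load failures in syslog-style lines on stdin.
# Function names are hypothetical; patterns match the messages in this report.

classify_kld_failures() {
    awk '
    # Link-time failure: the running kernel does not export this symbol.
    /link_elf: symbol .* undefined/ {
        for (i = 1; i < NF; i++) if ($i == "symbol") sym = $(i + 1)
        if (!(sym in seen)) { seen[sym] = 1; print "MISSING_SYMBOL\t" sym }
        next
    }
    # A MODULE_DEPEND target that the kernel linker could not find.
    /KLD .*: depends on .* - not available/ {
        for (i = 1; i < NF; i++) {
            if ($i == "KLD") mod = $(i + 1)
            if ($i == "depends" && $(i + 1) == "on") dep = $(i + 2)
        }
        sub(/:$/, "", mod)
        key = mod " -> " dep
        if (!(key in seen)) { seen[key] = 1; print "MISSING_DEPENDENCY\t" key }
        next
    }
    # rc script warning: boot continued without the packet filter.
    /IP-filter module failed to/ { print "FILTER_NOT_LOADED\tipfilter" }
    '
}

# Print findings and return 1 if there are any, so a boot check can alert.
audit_kld_log() {
    findings=$(classify_kld_failures)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Sample input built from the log lines quoted in this report.
sample_log() {
    cat <<'EOF'
Dec 10 16:14:03 lihue kernel: link_elf: symbol pfil_add_hook undefined
Dec 10 16:14:03 lihue kernel: link_elf: symbol pfil_add_hook undefined
Dec 10 16:35:10 lihue xxx: ./ipfilter: WARNING: IP-filter module failed to load.
Dec 13 16:48:21 lihue kernel: KLD ipl.ko: depends on pfil - not available
EOF
}

# Demo: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then sample_log | audit_kld_log; fi
```

On a live system the input would come from the system log, e.g. `audit_kld_log < /var/log/messages`, with a non-zero exit status treated as "filter may not be active".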