| |
| IP Filter has been mostly tested under IRIX 6.2 and 6.5. |
| Under IRIX 5.3, it has been successfully compiled and linked in the kernel, |
| but not tested. |
| |
| To build a kernel with the IP filter and install it on your system, |
| follow these steps: |
| |
| 1. edit the top-level Makefile to |
| a) comment-out the IPFLKM definition. |
| This means changing the line reading: |
| IPFLKM=-DIPFILTER_LKM |
| to |
| #IPFLKM=-DIPFILTER_LKM |
| b) select the system's compiler (cc) |
| This means changing the line reading: |
| CC=gcc |
| to |
| CC=cc |
| |
| 1. do "make irix" (Warning: GNU make is not supported, so if it has |
| been installed on your system, verify your path and/or do "which make" |
| to guarantee that IRIX's /sbin/make has precedence) |
| |
| 2. do "make install-irix" as root |
| (a new kernel will be automatically built) |
| |
| 3. determine the filtering rules and place them in /etc/ipf.conf |
| and /etc/ipnat.conf |
| |
| 4. do "init 6" as root to reboot with the new kernel |
| |
| After restarting, the filter should be active and behaving according to |
| the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf. |
| |
| These files can be changed at any time, and reloaded using the |
| following command sequence: |
| |
| # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start |
| |
| |
| To remove the IP Filter from your kernel, follow these steps: |
| |
| 1. Delete the /var/sysgen/boot/ipfilter.o file |
| |
| # rm /var/sysgen/boot/ipfilter.o |
| |
| 2. If SGI's ipfilter.o had been previously installed, restore it |
| back to its original location |
| |
| # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o |
| |
| 3. Build a new kernel |
| |
| # /etc/autoconfig |
| |
| 4. Delete the /etc/rc2.d/S33ipf symbolic link |
| |
| # rm /etc/rc2.d/S33ipf |
| |
| 5. Reboot |
| |
| # init 6 |
| |
| |
| ADDITIONAL NOTES: |
| |
| - The IP filter uses the same kernel interface to the IP driver as |
| SGI's ipfilter. In fact, it is installed in place of SGI's |
| /var/sysgen/boot/ipfilter.o module, after renaming it (if installed) |
| to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's |
| ipfilterd daemon is not running simultaneously, since this package uses |
| the same major device number. |
| |
| - We have not tested IP Filter on a multiprocessor machine yet. |
| SGI prescribes that kernel code be built on such systems with |
| -D_MP_NETLOCKS -DMP. Therefore, these flags should probably be |
| uncommented on the DFLAGS line of IRIX/Makefile if your machine |
| has more than one processor. |
| |
| - It is also possible to build IP Filter as a dynamically loadable |
| kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the |
| top-level Makefile), but this is not recommended other than for testing |
| and debugging purposes, because the only possible method for dynamic |
| attachment to the IP stack (instruction patching) is highly dependent |
| on the processor architecture. The code provided has only been tested |
| with IP22 CPU boards and can sometime cause panics during loading due |
| to a potential race condition. |
| |
| CREDITS: |
| |
| IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG> |
| |
| Marc Boucher wishes to thank the |
| ICARI Institute (http://www.icari.qc.ca) |
| and |
| Aurelio Cascio <aurelio@toonboom.com> |
| for their financial support and testing facilities, respectively. |
| |