This is a "feature" of Solaris' STREAMS-based TCP/IP stack. Basically you have to add a rule allowing the TCP Reset to leave. So let's say that you want to return-rst on ident, port 113, so that sending mail doesn't give long delays, and IRC works:
# return-rst for ident
block return-rst in quick on ppp0 proto tcp from any to any port = 113
pass out quick on ppp0 proto tcp from any port = 113 to any flags R/RSFUP
The first rule just blocks with return-rst; the second rule allows packets out from port 113 with the RESET flag set.
Sun has a compiler usually installed in /usr/ucb/cc. Unfortunately, it's a really expensive compiler that doesn't ship with Solaris by default. Fortunately, since Solaris 8, Sun has included gcc on the Solaris Companion CD (/opt/sfw); it's a package called SFWgcc. In Solaris 9 this is now on the main installation CDs and is in /usr/sfw.
If you're using an older version of Solaris you can get gcc from SunFreeware.com.
Note that you need to comment out the "For SUNWSpro" lines in the Makefile and uncomment the "for GCC" lines in order to compile with gcc.
You're most likely trying to use an IPF module compiled as a 32-bit binary. You need to compile it as a 64-bit binary, so you must either use the cc from SUNWspro or GCC 3.0 (see VII-5). GCC 2.x will NOT work. SUNWspro is available from Sun; you can get a demo license (please READ what you can and cannot do according to the demo license).
Type isainfo -vk. It reports whether the running kernel is 32-bit or 64-bit, which is the width your IPF module must be built for.
GCC 2.x cannot make 64-bit executables, but GCC 3.x can. The following procedure for compiling a gcc 3.x is provided by Aaron Jackson:
# gunzip -c gcc-3.2.2.tar.gz | tar xvf -
# mkdir objdir
Note that objdir should NOT be in the source directory.
# cd objdir
# ../gcc-3.2.2/configure --enable-languages=c --prefix=INSTALL_PATH
NOTE: INSTALL_PATH is where you want to install gcc. This should NOT be in the gcc source dir, objdir, or any dir that contains a previous install of gcc.
# make bootstrap
# make install
You should then be able to use this new GCC to compile a 64-bit version of IP Filter. In order to do this, you'll need to change the Makefile from:
XARCH64="-m64 -mcmodel=medlow"
to:
XARCH64="-m64"
Sun's Forte Compiler can make 64 bit modules. This compiler is not standard with the OS, you have to buy it separately. However, there is a "try-and-buy" version which you can install, and use for a limited time. You can get this time limited version on cdrom or you can download it from Sun.com. Note that the download is very large. Please READ what you can and cannot do according to the demo license.
Some generous individuals have made available precompiled IPF binaries for 64-bit machines. Try http://www.maraudingpirates.org/ipfilter/. You can also try using GCC 3.x (see VII-5).
First select "ipfx", and install that subpackage. When pkgadd completes, rerun pkgadd and then install the "ipf" sub-package.
No. IPF on Solaris only operates as a Layer 3 device (router). This means you need distinct subnets for each host interface.
Solaris's /etc/system is consulted when booting, so you can modify IPF kernel parameters there, for example:
*
* ipf: adjust the default tcp timeouts downward so that
* idle (dead) and half closed states get killed off quicker.
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
*
* ipf: adjust the state table sizes so we have enough buckets.
* IPSTATE_MAX (=fr_statemax) should be ~70% of IPSTATE_SIZE
* IPSTATE_SIZE (=fr_statesize) has to be a prime number
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
*
* ipf: adjust the NAT table sizes so we have enough buckets.
* generally you have fewer than 127 rules in ipnat.conf
* so no need to waste memory for more.
set ipf:ipf_nattable_sz = 10009
set ipf:ipf_natrules_sz = 127
set ipf:ipf_rdrrules_sz = 127
*
* note that the timers run "2 ticks to a second", so
* for example, written above is the following:
* set ipf:fr_tcpidletimeout = 172800
* this sets the tcp idle connection timeout to
* (172800/2) / 3600 = 24 hours.
*
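The two constraints the comments above state (fr_statesize must be prime, fr_statemax should be about 70% of it) and the 2-ticks-per-second timer units are easy to get wrong when hand-editing /etc/system, and a bad value only shows up after a reboot. The following is an added example, not code from the IP Filter FAQ or the IPF project: a POSIX sh checker that parses "set [module:]name = value" lines (decimal or 0x hex, with or without spaces around "=", "*" comment lines skipped), verifies both constraints and converts the TCP timeouts to hours. The sample /etc/system fragment it writes to a temp file, the temp file path and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the IP Filter FAQ or the IPF project:
# sanity-check the ipf tunables in an /etc/system file before rebooting.
# Parses "set [module:]name = value" (decimal or 0x hex, spaces optional),
# skips "* ..." comment lines, checks that fr_statesize is prime and that
# fr_statemax is at most ~70% of it, and converts the tick-based TCP
# timeouts to hours (ipf timers run at 2 ticks per second).

# Constructed sample /etc/system fragment (assumption; not a real system).
SAMPLE=${TMPDIR:-/tmp}/ipf_system_sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
* ipf tunables (constructed sample for the checker)
set ipf:fr_tcpidletimeout = 172800
set ipf:fr_tcphalfclosed = 7200
set ipf:fr_statemax = 7000
set ipf:fr_statesize = 10009
set lwp_default_stksize=0x4000
EOF

# tunable FILE KEY -> prints the value of "set KEY = value" as decimal
#                    (last occurrence wins); exit 1 if KEY is not set.
tunable() {
    v=$(awk -v key="$2" '
        /^[ \t]*\*/ { next }                 # "*" starts a comment line
        $1 == "set" {
            s = $0
            sub(/^[ \t]*set[ \t]*/, "", s)
            if (split(s, kv, /[ \t]*=[ \t]*/) == 2) {
                sub(/[ \t]+$/, "", kv[2])
                if (kv[1] == key) val = kv[2]
            }
        }
        END { if (val != "") print val }' "$1")
    [ -n "$v" ] || return 1
    echo $(( v ))                            # arithmetic expansion accepts 0x hex
}

# is_prime N -> exit 0 if N is prime (trial division; table sizes are small)
is_prime() {
    n=$1
    [ "$n" -ge 2 ] || return 1
    d=2
    while [ $(( d * d )) -le "$n" ]; do
        [ $(( n % d )) -ne 0 ] || return 1
        d=$(( d + 1 ))
    done
    return 0
}

# ticks_to_hours TICKS -> whole hours, at 2 ticks per second
ticks_to_hours() {
    echo $(( $1 / 2 / 3600 ))
}

# check_ipf_system FILE -> reports each check; exit 0 only if all pass
check_ipf_system() {
    f=$1
    rc=0
    size=$(tunable "$f" ipf:fr_statesize) || { echo "FAIL: ipf:fr_statesize not set"; return 1; }
    max=$(tunable "$f" ipf:fr_statemax)   || { echo "FAIL: ipf:fr_statemax not set"; return 1; }
    if is_prime "$size"; then
        echo "ok: fr_statesize=$size is prime"
    else
        echo "FAIL: fr_statesize=$size is not prime"
        rc=1
    fi
    # ~70%: compare max*10 against size*7 to stay in integer arithmetic
    if [ $(( max * 10 )) -le $(( size * 7 )) ]; then
        echo "ok: fr_statemax=$max is <= 70% of fr_statesize=$size"
    else
        echo "FAIL: fr_statemax=$max exceeds 70% of fr_statesize=$size"
        rc=1
    fi
    for t in fr_tcpidletimeout fr_tcphalfclosed; do
        ticks=$(tunable "$f" ipf:$t) && echo "info: $t=$ticks ticks = $(ticks_to_hours "$ticks") hours"
    done
    return $rc
}

check_ipf_system "$SAMPLE"
```

Run it against the real file with check_ipf_system /etc/system; a non-zero exit means one of the two table constraints is violated. The parser keeps the last value when a tunable is set more than once, which is the value the kernel ends up with.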
That should be it.
Solaris 8 on SPARC is straightforward; doing this on Intel requires a tweak. Here are instructions for both platforms:
- Get Squid-2.4STABLE1
- Get and apply the 6 patches at http://www.squid-cache.org/Versions/v2/2.4/bugs/
Save these as the-patch-filename.patch and apply them in turn:
$ for file in *.patch
> do
>     echo "applying patch $file..."
>     patch -p0 < "$file"
> done
- Edit out the ipv6 struct as described in http://marc.theaimsgroup.com/?l=ipfilter&m=99557783205895&w=2
Now for Solaris 8 on Sparc you are ready to go:
# ./configure --enable-ipf-transparent ; make
But for Solaris 8 on x86 you need two more steps...
- First solve the va_args issue with gcc 2.95.2 on x86:
# diff -c src/client_side.c.orig src/client_side.c
*** src/client_side.c.orig Thu Jul 19 17:41:12 2001#
--- src/client_side.c Thu Jul 19 17:41:45 2001
***************
*** 37,42 ****
--- 37,45 ----
#if IPF_TRANSPARENT #if HAVE_SYS_IOCTL_H + #if defined(va_start) /* dirty hack. sol7/8 x86 + gcc 2.95.2 */ + #define _SYS_VARARGS_H + #endif #include <sys/ioctl.h> #endif #include <netinet/tcp.h>
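Review bot: the `#if defined(va_start)` guard fires on any platform where a stdarg/varargs header has already been included, not only on "sol7/8 x86 + gcc 2.95.2" as the inline comment claims, and pre-defining `_SYS_VARARGS_H` silently suppresses a system header everywhere. Narrow it to the case it is meant for (for example `#if defined(__sun) && defined(__i386) && defined(va_start)`) and state in the comment that the intent is to stop <sys/ioctl.h> pulling in <sys/varargs.h> a second time.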
- Next solve the #define free issue (why squid.h redefines free is not explained):
# diff -c src/squid.h.orig src/squid.h
*** src/squid.h.orig Thu Jul 19 17:38:57 2001 --- src/squid.h Thu Jul 19 17:40:26 2001 *************** *** 403,411 **** #ifndef malloc #define malloc + #endif ! #ifndef free ! #define free + ! #endif #ifndef calloc #define calloc + #endif --- 403,411 ---- #ifndef malloc #define malloc + #endif ! //#ifndef free ! //#define free + ! //#endif #ifndef calloc #define calloc + #endif#
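Review bot: the hunk disables the `#ifndef free` / `#define free` / `#endif` block with `//` comments, which are C++-style and not accepted by every C compiler this header may meet; use `#if 0` ... `#endif` or delete the three lines outright. Since the neighbouring `malloc` and `calloc` redefinitions are kept, add a one-line comment saying why `free` alone must not be redefined on Solaris 8 x86, otherwise the asymmetry looks accidental.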
- Now, finally, for Solaris 8 x86 you can run:
# ./configure --enable-ipf-transparent ; make
The loopback interface on Solaris is a "fake" interface. You cannot filter it, nor can you snoop it. This is for performance reasons.
Virtual interfaces in Solaris are very similar; to filter on them, use the physical interface instead.
UPDATE: As of Solaris 10 Update 6, you can now do this. Put
set intercept_loopback true;
in /etc/ipf.conf or /etc/ipf6.conf before all rules in the file. Thanks to Simon-Bernard Drolet.
There are three possibilities here: 1) using Solaris curses, 2) using ncurses from the Solaris Companion CD, 3) using ncurses you compile yourself. For all three of these methods make sure the following is set (3.4.22 and on already has this):
STATETOP_CFLAGS=-DSTATETOP
Once that's done, pick one of the three methods above. The easiest way is to use Solaris curses. For that method, in the Makefile change:
STATETOP_LIB=
to say:
STATETOP_LIB=-lcurses
And that will do it.
If you don't want to use Solaris curses and would prefer to use ncurses, install the ncurses package from the Solaris 8 Companion CD or from any other source of your choice and then change your STATETOP_INC line to read:
STATETOP_INC=-I/opt/sfw/include
(the include path needs -I, not -L; -L is for the library directory)
and set:
STATETOP_LIB=-L/opt/sfw/lib -R/opt/sfw/lib -lncurses
Adjust accordingly if your ncurses libs/includes are in a different place.
If you want to use ncurses but are using Solaris < 8, or just don't want to use the Companion CD version of ncurses for some reason, then adjust the STATETOP_INC line to read:
STATETOP_INC=-I/usr/local/include
And set STATETOP_LIB to be:
STATETOP_LIB=-L/usr/local/lib -R/usr/local/lib -lncurses
Note that these are the usual locations for the include and library files. If you installed them in other places, you'll need to specify the appropriate paths.
NOTE: If you are using gcc 3.1+, you may need to uninstall either curses or ncurses. Having both may cause conflicts during compile.
According to SunSolve many of these tunnels use a ton of space in the kernel stack, so you should increase your stack size. To find out what it is currently, do:
echo 'lwp_default_stksize/D' | adb -k /dev/ksyms /dev/mem
Solaris 2.6 and above in 32-bit mode default to 0x2000, while Solaris 7 and above in 64-bit mode default to 0x4000. Try doubling this number. To set it, add a line to /etc/system like this:
set lwp_default_stksize=0x4000
and reboot. You may also use decimal values (0x4000 = 16384 and 0x8000 = 32768). Sun's Solaris Tunable Parameters Reference Manual documents lwp_default_stksize and the other /etc/system tunables in more detail.
Thanks to James McPherson and Darren for this information.
Try disabling hardware checksumming. Edit /etc/system and add the line:
set ip:dohwcksum=0
and reboot. (Thanks to Ben Rosenblum and Hans Werner Strube).
There are no official IP Filter binaries. However some kind people have made their binaries available for download. NOTE WELL: The following sites are NOT OFFICIAL. The binaries there are NOT supported by Darren Reed, Phil Dibowitz, OR the authors or owners of the sites (unless they state otherwise).
From Darren Reed: "If you're using IPFilter on Solaris9, you might want to make sure you apply patch 112233-02 (or later) to fix a problem with the kernel attempting to prevent too much stack being used (and causing the system to crash.) This is particularly fatal when using IPFilter with ip.tun* and ESP+AH."
Read INSTALL.Sol2 in the source directory. Solaris 7, 8, and 9 are often called 2.7, 2.8, and 2.9, and the same Sol2 file works for all of these releases.
/usr/include/ia32/sys/reg.h:300: error: parse error before "upad128_t"
when I compile IPF, why?
The problem is that the Solaris headers changed across updates of Solaris 9 and you are using a GCC built before the change on an updated system (i.e. a GCC built for Solaris 9 <= 12/03 on Solaris 9 >= 4/04).
You can either rebuild GCC for your version of the system (it works, even using a GCC built for the previous version), or apply a fix to your headers: http://groups.yahoo.com/group/solarisx86/message/6617.
First you need to compile IPFilter to support it. Do this by uncommenting the following line in the top-level Makefile:
#COMPIPF=-DIPFILTER_COMPILED
Then build and install the ipf LKM with that included. Then you need to build the ipf rules LKM. Probably the easiest way to do that is this:
cd ip_fil4.1.1
ipf -cc /etc/opt/ipf/ipf.conf
make solaris
You will then have to go searching for a file called "ipfrule" under the SunOS5 directory, somewhere like:
SunOS5/sparc-5.6/ipfrule
That is the LKM with the compiled filter rules. Copy it to /usr/kernel/drv to get it to load.
From Darren:
"Very significant. I did do some benchmarking of this, originally but I forget what the performance measurements were, now.
"The improvements in performance come from two areas. The first is that the packet matching is now all in C, rather than using intermediate structures. The second is that rather than compare each field, one at a time, in each rule, it sorts the fields to be matched for each rule as an optimisation and only does comparisons when the matching is different."
If you get an error like this:
gcc -I. -g -I../.. -D_BSD_SOURCE -DSOLARIS2=9 -c ../../lib/debug.c -o debug.o
../../lib/debug.c: In function `debug':
../../lib/debug.c:30: error: `__builtin_va_alist' undeclared (first use in this function)
../../lib/debug.c:30: error: (Each undeclared identifier is reported only once
../../lib/debug.c:30: error: for each function it appears in.)
*** Error code 1
make: Fatal error: Command failed for target `debug.o'
Current working directory /home/phil/build/ip_fil4.1.7/SunOS5/i386-5.9
*** Error code 1
make: Fatal error: Command failed for target `sunos5x86'
Current working directory /home/phil/build/ip_fil4.1.7
*** Error code 1
make: Fatal error: Command failed for target `solaris'
Then you're probably using gcc 3.3 or later; try 3.2.x. See the README for gcc 3.3 on var_args problems for details.
For pfil, do:
CC=gcc make -f Makefile.gcc
And for ipf, edit the Makefile and uncomment the right CC line, and then:
make solaris
Jeff Earickson maintains a How-To on the subject.
Solaris 10 has deprecated the classic SYSV-style init scripts. Instead, you now need to use svcadm to control services. See Sun's Configuring Solaris IP Filter docs.