In preparation for the upcoming ipfilter vendor code import,

[FreeBSD/FreeBSD.git] / INSTALL.IRIX

IP Filter has been mostly tested under IRIX 6.2. It should work under IRIX 6.3
as well. Under IRIX 5.3, it has been successfully compiled and linked in the
kernel, but not tested. Compilation under IRIX >= 6.4 is not yet supported.

To build a kernel with the IP filter and install it on your system,
follow these steps:

        1. edit the top-level Makefile to
                a) comment-out the IPFLKM definition.
                        This means changing the line reading:
                                IPFLKM=-DIPFILTER_LKM
                        to
                                #IPFLKM=-DIPFILTER_LKM
                b) select the system's compiler (cc)
                        This means changing the line reading:
                                CC=gcc
                        to
                                CC=cc
                b) enable full optimization
                        This means changing the lines reading:
                                DEBUG=-g
                                CFLAGS=-I$$(TOP)
                        to
                                DEBUG=
                                CFLAGS=-O2 -I$$(TOP)

        1. do "make irix" (Warning: GNU make is not supported, so if it has
        been installed on your system, verify your path and/or do "which make"
        to guarantee that IRIX's /sbin/make has precedence)

        2. do "make install-irix" as root
           (a new kernel will be automatically built)

        3. determine the filtering rules and place them in /etc/ipf.conf
           and /etc/ipnat.conf

        4. do "init 6" as root to reboot with the new kernel

        After restarting, the filter should be active and behaving according to
        the rules loaded from /etc/ipf.conf and /etc/ipfnat.conf.

        These files can be changed at any time, and reloaded using the
        following command sequence:

        # sh /etc/init.d/ipf stop; sh /etc/init.d/ipf start


To remove the IP Filter from your kernel, follow these steps:

        1. Delete the /var/sysgen/boot/ipfilter.o file

        # rm /var/sysgen/boot/ipfilter.o

        2. If SGI's ipfilter.o had been previously installed, restore it
        back to its original location

        # mv /var/sysgen/boot/ipfilter.o.DIST /var/sysgen/boot/ipfilter.o

        3. Build a new kernel

        # /etc/autoconfig

        4. Delete the /etc/rc2.d/S33ipf symbolic link

        # rm /etc/rc2.d/S33ipf

        5. Reboot

        # init 6


ADDITIONAL NOTES:

        - The IP filter uses the same kernel interface to the IP driver as
        SGI's ipfilter. In fact, it is installed in place of SGI's
        /var/sysgen/boot/ipfilter.o module, after renaming it (if installed)
        to /var/sysgen/boot/ipfilter.o.DIST. You should ensure that SGI's
        ipfilterd daemon is not running simultaneously, since this package uses
        the same major device number.

        - We have not tested IP Filter on a multiprocessor machine yet.
        However, feel free to try it and send your experiences/patches
        back to marc@CAM.ORG. SGI prescribes that kernel code be built on such
        systems with -D_MP_NETLOCKS -DMP. Therefore, these flags should
        probably be uncommented on the DFLAGS line of IRIX/Makefile if your
        machine has more than one processor.

        - It is also possible to build IP Filter as a dynamically loadable
        kernel module (by retaining the IPFLKM=-DIPFILTER_LKM definition in the
        top-level Makefile), but this is not recommended other than for testing
        and debugging purposes, because the only possible method for dynamic
        attachment to the IP stack (instruction patching) is highly dependent
        on the processor architecture. The code provided has only been tested
        with IP22 CPU boards and can sometime cause panics during loading due
        to a potential race condition.


CREDITS:

        IP Filter was ported to IRIX by Marc Boucher <marc@CAM.ORG>

        Marc Boucher wishes to thank the
                ICARI Institute (http://www.icari.qc.ca)
        and
                Aurelio Cascio <aurelio@toonboom.com>
        for their financial support and testing facilities, respectively.