
Re: pfctl/bind9 and kfreebsd 6.0; sysctl



On Mon, Apr 17, 2006 at 07:14:10PM +0000, Brian M. Carlson wrote:
> I tried upgrading my server from 5.4 to 6.0 the other day.  I noticed a
> couple of things:
> 
> pfctl does not work with 6.0.  It complains about certain ioctls, so I
> would assume that the interface has changed.  pf(4) on the FreeBSD
> website should show you the difference.  This was rather inconvenient,
> because (as I'm sure you probably know) if you load pf.ko, the default
> is deny, and therefore ssh doesn't work.  Luckily, the server sits in my
> apartment, so I could log in via the console.

Note that pfctl currently lives in freebsd-hackedutils (i.e. it is a hacked
binary we copied from freebsd 5).  We can try to hack it to support both kernels
at the same time, but we really need to get it to build from source first ;).

Have you tried whether pfctl from freebsd 6 works with kernel 5.x?

> bind9, while not stellar on 5.4, hangs on 6.0.  On 5.4, it eventually
> returns SERVFAIL for every request.  On 6.0, it won't even start.

What is the error on 6.0?

> Upon reinstalling 5.4 and rebooting into it, I found NAT didn't work.
> After several hours, I finally discovered it was because IP forwarding
> wasn't enabled, even though I had it in /etc/sysctl.conf.  When I ran
> sysctl to load it, I found that /bin/sysctl (the wrapper) was still
> calling sysctl.real for that case.  I changed it to /lib/freebsd/sysctl,
> and all was well.

Fixed in svn, thanks.

> So, in order, someone should probably pull a diff of pfctl from 6.0, and
> see if they can hack it to support both at once (deciding by uname, I
> guess).  I might do this if I have some time.

Maybe it's feasible to do it at the source level.  Who knows?  Perhaps it's
just an ioctl code (either API or ABI) that changed or something.

I'd like to avoid adding more cruft to freebsd-hackedutils, though.  This
package is supposed to shrink, not grow! :)

-- 
Robert Millan
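As an added illustration of the "deciding by uname" approach from the thread (not code from the list, the package or any of the posters): a wrapper that selects a per-kernel binary from the running kernel's major version, and fails closed on an unknown version instead of silently calling the wrong one, which is the kind of mistake the sysctl.real wrapper made. The install paths and the uname strings are hypothetical placeholders.

```shell
#!/bin/sh
# Hypothetical dispatch wrapper: choose a tool build matching the running
# kfreebsd kernel major version. Paths below are placeholders, not the
# layout of freebsd-hackedutils or any real package.

kernel_major() {
    # $1: a uname -r style string such as "5.4-1-686" (constructed sample).
    # Prints the number before the first dot.
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9]*\)\..*/\1/'
}

pick_tool() {
    # $1: uname -r string, $2: tool name (e.g. pfctl or sysctl).
    # Prints the path of the matching binary, or returns 1 when the
    # kernel version is not one we have a build for.
    tool=$2
    case "$(kernel_major "$1")" in
        5) printf '%s\n' "/lib/freebsd5/$tool" ;;   # placeholder path
        6) printf '%s\n' "/lib/freebsd6/$tool" ;;   # placeholder path
        *) return 1 ;;
    esac
}

# When installed under the tool's own name, dispatch to the matching binary.
# Refusing to run on an unknown kernel is deliberate: for pfctl, loading a
# ruleset with the wrong ioctl ABI is worse than a clear error.
if [ "${0##*/}" = "pfctl" ]; then
    bin=$(pick_tool "$(uname -r)" pfctl) || {
        echo "pfctl: no build for kernel $(uname -r)" >&2
        exit 1
    }
    exec "$bin" "$@"
fi
```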


