Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    RELENG_1_2 - Kernel Build issue ?

    Scheduled Pinned Locked Moved Development
    6 Posts 2 Posters 4.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      ppomes
      last edited by

      Hi all,

      I would like to add a new feature (max-src-conn, to limit the number of connection per source IP, I need it) to pfsense, and I am trying to create a dev environment using instructions http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso.

      I found in the support mailing list an email from Scott saying freebsd 7.0 and 7.1 were no longer used for pfsense RELENG_1_2.  So I followed instructions from the wiki page, but from a freebsd 7.2 system.

      Instead of using the curses menu, I used :
      ./set_version.sh RELENG_1_2 cvsup2.ca.freebsd.org
      ./apply_kernel_patches.sh (no patch was rejected)
      ./build_iso.sh

      After a while, the process finished on :

      Making sure we are in the right branch… [OK] (RELENG_1_2)
      Creating tarball of checked out contents…Done!
      Preparing object directory...
      Building world and kernels for ISO... 7  RELENG_7_2 ...
      Building world for i386 architecture...
      World build started on Mon Sep 21 18:07:16 EDT 2009
      Rebuilding the temporary build tree
      stage 1.1: legacy release compatibility shims
      stage 1.2: bootstrap tools
      stage 2.2: rebuilding the object tree
      stage 2.3: build tools
      stage 3: cross tools
      stage 4.1: building includes
      stage 4.2: building libraries
      stage 4.3: make dependencies
      stage 4.4: building everything
      World build completed on Mon Sep 21 19:18:30 EDT 2009
      Ensuring that the btxld problem does not happen on subsequent runs...
      Installing world for i386 architecture...
      Making hierarchy
      Installing everything
      Building all extra kernels... 7  RELENG_7_2 ...
      Not adding D-Trace to Developers Kernel...
      Building uniprocessor kernel...
      KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
      ARCH:        i386
      SRC_CONF:    src.conf.7
      Kernel build for pfSense.7 started on Mon Sep 21 19:22:50 EDT 2009
      stage 1: configuring the kernel
      Something went wrong, check errors!
      Log saved on /usr/obj.pfSense/usr/home/pfsense/freesbie2/.tmp_buildkernel
      WARNING: duplicate option DEV_UARK' encountered. WARNING: duplicate device uark' encountered.
      WARNING: duplicate option DEV_UFTDI' encountered. WARNING: duplicate device uftdi' encountered.
      WARNING: duplicate option DEV_UVSCOM' encountered. WARNING: duplicate device uvscom' encountered.
      WARNING: duplicate option DEV_UFOMA' encountered. WARNING: duplicate device ufoma' encountered.
      WARNING: duplicate option DEV_ALE' encountered. WARNING: duplicate device ale' encountered.
      WARNING: duplicate option DEV_ET' encountered. WARNING: duplicate device et' encountered.
      WARNING: duplicate option DEV_ED' encountered. WARNING: duplicate device ed' encountered.
      WARNING: duplicate option DEV_IGB' encountered. WARNING: duplicate device igb' encountered.
      WARNING: duplicate option `SYSVSEM' encountered.
      /usr/pfSensesrc/src/sys/i386/conf/pfSense.7: unknown option "ALTQ_FAIRQ"
      *** Error code 1
      1 error
      *** Signal 15

      So I have an issue when the kernet is compiling. The log file is :

      Kernel build for pfSense.7 started on Mon Sep 21 19:59:37 EDT 2009

      ===> pfSense.7
      mkdir -p /usr/obj.pfSense/usr/pfSensesrc/src/sys

      stage 1: configuring the kernel

      cd /usr/pfSensesrc/src/sys/i386/conf;  PATH=/usr/obj.pfSense/usr/pfSensesrc/src/tmp/legacy/usr/sbin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/legacy/usr/bin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/legacy/usr/games:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/usr/sbin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/usr/bin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin  config  -d /usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense.7  /usr/pfSensesrc/src/sys/i386/conf/pfSense.7
      WARNING: duplicate option SCHED_ULE' encountered. WARNING: duplicate option GEOM_LABEL' encountered.
      WARNING: duplicate option DEV_WLAN' encountered. WARNING: duplicate device wlan' encountered.
      WARNING: duplicate option DEV_WLAN_WEP' encountered. WARNING: duplicate device wlan_wep' encountered.
      WARNING: duplicate option DEV_WLAN_CCMP' encountered. WARNING: duplicate device wlan_ccmp' encountered.
      WARNING: duplicate option DEV_WLAN_TKIP' encountered. WARNING: duplicate device wlan_tkip' encountered.
      WARNING: duplicate option DEV_WLAN_AMRR' encountered. WARNING: duplicate device wlan_amrr' encountered.
      WARNING: duplicate option DEV_WLAN_SCAN_AP' encountered. WARNING: duplicate device wlan_scan_ap' encountered.
      WARNING: duplicate option DEV_WLAN_SCAN_STA' encountered. WARNING: duplicate device wlan_scan_sta' encountered.
      WARNING: duplicate option DEV_ATH' encountered. WARNING: duplicate device ath' encountered.
      WARNING: duplicate option DEV_ATH_HAL' encountered. WARNING: duplicate device ath_hal' encountered.
      WARNING: duplicate option AH_SUPPORT_AR5416' encountered. WARNING: duplicate option DEV_ATH_RATE_SAMPLE' encountered.
      WARNING: duplicate device ath_rate_sample' encountered. WARNING: duplicate option DEV_AN' encountered.
      WARNING: duplicate device an' encountered. WARNING: duplicate option DEV_AWI' encountered.
      WARNING: duplicate device awi' encountered. WARNING: duplicate option DEV_RAL' encountered.
      WARNING: duplicate device ral' encountered. WARNING: duplicate option DEV_WI' encountered.
      WARNING: duplicate device wi' encountered. WARNING: duplicate option DEV_BPF' encountered.
      WARNING: duplicate device bpf' encountered. WARNING: duplicate option DEV_UBSA' encountered.
      WARNING: duplicate device ubsa' encountered. WARNING: duplicate option DEV_UCOM' encountered.
      WARNING: duplicate device ucom' encountered. WARNING: duplicate option DEV_UPLCOM' encountered.
      WARNING: duplicate device uplcom' encountered. WARNING: duplicate option DEV_UBSA' encountered.
      WARNING: duplicate device ubsa' encountered. WARNING: duplicate option DEV_UVISOR' encountered.
      WARNING: duplicate device uvisor' encountered. WARNING: duplicate option DEV_UARK' encountered.
      WARNING: duplicate device uark' encountered. WARNING: duplicate option DEV_UFTDI' encountered.
      WARNING: duplicate device uftdi' encountered. WARNING: duplicate option DEV_UVSCOM' encountered.
      WARNING: duplicate device uvscom' encountered. WARNING: duplicate option DEV_UFOMA' encountered.
      WARNING: duplicate device ufoma' encountered. WARNING: duplicate option DEV_ALE' encountered.
      WARNING: duplicate device ale' encountered. WARNING: duplicate option DEV_ET' encountered.
      WARNING: duplicate device et' encountered. WARNING: duplicate option DEV_ED' encountered.
      WARNING: duplicate device ed' encountered. WARNING: duplicate option DEV_IGB' encountered.
      WARNING: duplicate device igb' encountered. WARNING: duplicate option SYSVSEM' encountered.
      /usr/pfSensesrc/src/sys/i386/conf/pfSense.7: unknown option "ALTQ_FAIRQ"
      *** Error code 1
      1 error

      May someone also has this issue ?

      Regards,
      Pierre

      1 Reply Last reply Reply Quote 0
      • E Offline
        eri--
        last edited by

        That feature is under Advanced option in Firewall->Rules you do not need to build a new pfSense iso.

        1 Reply Last reply Reply Quote 0
        • P Offline
          ppomes
          last edited by

          Hi Ermal,

          @ermal:

          That feature is under Advanced option in Firewall->Rules you do not need to build a new pfSense iso.

          Thanks for your reply, but I do not think we are talking about the same feature. In "advanced options" of firewall rules, there is:

          • Simultaneous client connection limit: this a "global setting", which appllies to all incoming tcp connections. So this is not "per host". In PF, this setting is mapped to "max-src-nodes"

          • Maximum state entries per host: this one is per host, but all states of a tcp connection are matched. In PF, this settings is mapped to "max-src-states"

          • Maximum new connections / per second: connection rate, mapped to "max-conn-rate" PF setting

          • State timeout: mapped to "tcp.established" PF setting

          So I would like to add a new setting in theses advanced options, something like "simultaneous connection par host", and map it to "max-src-conn" in PF. This would be, for example, a basic way to protect an Apache HTTP server against the "slowloris" attack. According the PF man page, the description of "max-src-conn" is: "Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make"

          This feature has already been discussed 3 years ago, in the following thread : http://forum.pfsense.org/index.php/topic,81.msg3442.html

          In the last message of this thread, Scott Ullrich suggested to work on the GUI and the filter.inc file, and that's why I am trying to build a dev environement to work on this patch.

          Many thanks for your help,
          Pierre

          1 Reply Last reply Reply Quote 0
          • E Offline
            eri--
            last edited by

            It is present in 2.0 that's why i said it is present.

            though all you need is find it on 2.0 code and enter manually in 1.2.3 since its just php modification and you do not need to rebuild the whole system.

            1 Reply Last reply Reply Quote 0
            • P Offline
              ppomes
              last edited by

              Many thanks, I will have a look !

              Pierre

              1 Reply Last reply Reply Quote 0
              • P Offline
                ppomes
                last edited by

                Hi,

                @ermal:

                It is present in 2.0 that's why i said it is present.

                though all you need is find it on 2.0 code and enter manually in 1.2.3 since its just php modification and you do not need to rebuild the whole system.

                I downloaded a 2.0 snapshot (pfSense-2.0-ALPHA-ALPHA-20090923-1117.iso, based on FreeBSD 8.0), and unfortunatly, the feature I talked about (max-src-conn) is not included. There is :

                • marking/matching options (news to 2.0)
                • max-src-node (already in 1.2)
                • max-src-states (already in 1.2)
                • max-src-conn-rates (already in 1.2)
                • state timeout

                However, with your advices, I was able to easily add this feature.

                • For 1.2, in /etc/inc/filter.inc and /usr/local/www/firewall_rules_edit.php
                • For 2.0, in /etc/inc/filter.inc, /usr/local/www/firewall_rules_edit.php, and /usr/local/www/firewall_rules.php

                It is really trivial.

                May it be interresting for the project that I try to submit the patch in rcs.pfsense.org ? (http://devwiki.pfsense.org/SubmittingPatches).

                Best regards,
                Pierre

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.