RELENG_1_2 - Kernel Build issue ?



  • Hi all,

    I would like to add a new feature (max-src-conn, to limit the number of connections per source IP; I need it) to pfSense, and I am trying to create a dev environment using the instructions at http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso.

    I found in the support mailing list an email from Scott saying FreeBSD 7.0 and 7.1 were no longer used for pfSense RELENG_1_2. So I followed the instructions from the wiki page, but from a FreeBSD 7.2 system.

    Instead of using the curses menu, I used:
    ./set_version.sh RELENG_1_2 cvsup2.ca.freebsd.org
    ./apply_kernel_patches.sh (no patch was rejected)
    ./build_iso.sh

    After a while, the process finished on:

    Making sure we are in the right branch… [OK] (RELENG_1_2)
    Creating tarball of checked out contents…Done!
    Preparing object directory...
    Building world and kernels for ISO... 7  RELENG_7_2 ...
    Building world for i386 architecture...
    World build started on Mon Sep 21 18:07:16 EDT 2009
    Rebuilding the temporary build tree
    stage 1.1: legacy release compatibility shims
    stage 1.2: bootstrap tools
    stage 2.2: rebuilding the object tree
    stage 2.3: build tools
    stage 3: cross tools
    stage 4.1: building includes
    stage 4.2: building libraries
    stage 4.3: make dependencies
    stage 4.4: building everything
    World build completed on Mon Sep 21 19:18:30 EDT 2009
    Ensuring that the btxld problem does not happen on subsequent runs...
    Installing world for i386 architecture...
    Making hierarchy
    Installing everything
    Building all extra kernels... 7  RELENG_7_2 ...
    Not adding D-Trace to Developers Kernel...
    Building uniprocessor kernel...
    KERNCONFDIR: /usr/pfSensesrc/src/sys/i386/conf
    ARCH:        i386
    SRC_CONF:    src.conf.7
    Kernel build for pfSense.7 started on Mon Sep 21 19:22:50 EDT 2009
    stage 1: configuring the kernel
    Something went wrong, check errors!
    Log saved on /usr/obj.pfSense/usr/home/pfsense/freesbie2/.tmp_buildkernel
    WARNING: duplicate option `DEV_UARK' encountered.
    WARNING: duplicate device `uark' encountered.
    WARNING: duplicate option `DEV_UFTDI' encountered.
    WARNING: duplicate device `uftdi' encountered.
    WARNING: duplicate option `DEV_UVSCOM' encountered.
    WARNING: duplicate device `uvscom' encountered.
    WARNING: duplicate option `DEV_UFOMA' encountered.
    WARNING: duplicate device `ufoma' encountered.
    WARNING: duplicate option `DEV_ALE' encountered.
    WARNING: duplicate device `ale' encountered.
    WARNING: duplicate option `DEV_ET' encountered.
    WARNING: duplicate device `et' encountered.
    WARNING: duplicate option `DEV_ED' encountered.
    WARNING: duplicate device `ed' encountered.
    WARNING: duplicate option `DEV_IGB' encountered.
    WARNING: duplicate device `igb' encountered.
    WARNING: duplicate option `SYSVSEM' encountered.
    /usr/pfSensesrc/src/sys/i386/conf/pfSense.7: unknown option "ALTQ_FAIRQ"
    *** Error code 1
    1 error
    *** Signal 15

    So I have an issue when the kernel is compiling. The log file is:


    Kernel build for pfSense.7 started on Mon Sep 21 19:59:37 EDT 2009


    ===> pfSense.7
    mkdir -p /usr/obj.pfSense/usr/pfSensesrc/src/sys

    stage 1: configuring the kernel


    cd /usr/pfSensesrc/src/sys/i386/conf;  PATH=/usr/obj.pfSense/usr/pfSensesrc/src/tmp/legacy/usr/sbin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/legacy/usr/bin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/legacy/usr/games:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/usr/sbin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/usr/bin:/usr/obj.pfSense/usr/pfSensesrc/src/tmp/usr/games:/sbin:/bin:/usr/sbin:/usr/bin  config  -d /usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense.7  /usr/pfSensesrc/src/sys/i386/conf/pfSense.7
    WARNING: duplicate option `SCHED_ULE' encountered.
    WARNING: duplicate option `GEOM_LABEL' encountered.
    WARNING: duplicate option `DEV_WLAN' encountered.
    WARNING: duplicate device `wlan' encountered.
    WARNING: duplicate option `DEV_WLAN_WEP' encountered.
    WARNING: duplicate device `wlan_wep' encountered.
    WARNING: duplicate option `DEV_WLAN_CCMP' encountered.
    WARNING: duplicate device `wlan_ccmp' encountered.
    WARNING: duplicate option `DEV_WLAN_TKIP' encountered.
    WARNING: duplicate device `wlan_tkip' encountered.
    WARNING: duplicate option `DEV_WLAN_AMRR' encountered.
    WARNING: duplicate device `wlan_amrr' encountered.
    WARNING: duplicate option `DEV_WLAN_SCAN_AP' encountered.
    WARNING: duplicate device `wlan_scan_ap' encountered.
    WARNING: duplicate option `DEV_WLAN_SCAN_STA' encountered.
    WARNING: duplicate device `wlan_scan_sta' encountered.
    WARNING: duplicate option `DEV_ATH' encountered.
    WARNING: duplicate device `ath' encountered.
    WARNING: duplicate option `DEV_ATH_HAL' encountered.
    WARNING: duplicate device `ath_hal' encountered.
    WARNING: duplicate option `AH_SUPPORT_AR5416' encountered.
    WARNING: duplicate option `DEV_ATH_RATE_SAMPLE' encountered.
    WARNING: duplicate device `ath_rate_sample' encountered.
    WARNING: duplicate option `DEV_AN' encountered.
    WARNING: duplicate device `an' encountered.
    WARNING: duplicate option `DEV_AWI' encountered.
    WARNING: duplicate device `awi' encountered.
    WARNING: duplicate option `DEV_RAL' encountered.
    WARNING: duplicate device `ral' encountered.
    WARNING: duplicate option `DEV_WI' encountered.
    WARNING: duplicate device `wi' encountered.
    WARNING: duplicate option `DEV_BPF' encountered.
    WARNING: duplicate device `bpf' encountered.
    WARNING: duplicate option `DEV_UBSA' encountered.
    WARNING: duplicate device `ubsa' encountered.
    WARNING: duplicate option `DEV_UCOM' encountered.
    WARNING: duplicate device `ucom' encountered.
    WARNING: duplicate option `DEV_UPLCOM' encountered.
    WARNING: duplicate device `uplcom' encountered.
    WARNING: duplicate option `DEV_UBSA' encountered.
    WARNING: duplicate device `ubsa' encountered.
    WARNING: duplicate option `DEV_UVISOR' encountered.
    WARNING: duplicate device `uvisor' encountered.
    WARNING: duplicate option `DEV_UARK' encountered.
    WARNING: duplicate device `uark' encountered.
    WARNING: duplicate option `DEV_UFTDI' encountered.
    WARNING: duplicate device `uftdi' encountered.
    WARNING: duplicate option `DEV_UVSCOM' encountered.
    WARNING: duplicate device `uvscom' encountered.
    WARNING: duplicate option `DEV_UFOMA' encountered.
    WARNING: duplicate device `ufoma' encountered.
    WARNING: duplicate option `DEV_ALE' encountered.
    WARNING: duplicate device `ale' encountered.
    WARNING: duplicate option `DEV_ET' encountered.
    WARNING: duplicate device `et' encountered.
    WARNING: duplicate option `DEV_ED' encountered.
    WARNING: duplicate device `ed' encountered.
    WARNING: duplicate option `DEV_IGB' encountered.
    WARNING: duplicate device `igb' encountered.
    WARNING: duplicate option `SYSVSEM' encountered.
    /usr/pfSensesrc/src/sys/i386/conf/pfSense.7: unknown option "ALTQ_FAIRQ"
    *** Error code 1
    1 error

    Does someone else also have this issue?

    Regards,
    Pierre



  • That feature is under the Advanced options in Firewall->Rules; you do not need to build a new pfSense ISO.



  • Hi Ermal,

    @ermal:

    That feature is under the Advanced options in Firewall->Rules; you do not need to build a new pfSense ISO.

    Thanks for your reply, but I do not think we are talking about the same feature. In the "advanced options" of firewall rules, there are:

    • Simultaneous client connection limit: this is a "global setting", which applies to all incoming TCP connections. So this is not "per host". In PF, this setting is mapped to "max-src-nodes"

    • Maximum state entries per host: this one is per host, but all states of a TCP connection are matched. In PF, this setting is mapped to "max-src-states"

    • Maximum new connections / per second: connection rate, mapped to "max-conn-rate" PF setting

    • State timeout: mapped to "tcp.established" PF setting

    So I would like to add a new setting in these advanced options, something like "simultaneous connections per host", and map it to "max-src-conn" in PF. This would be, for example, a basic way to protect an Apache HTTP server against the "slowloris" attack. According to the PF man page, the description of "max-src-conn" is: "Limit the maximum number of simultaneous TCP connections which have completed the 3-way handshake that a single host can make"

    This feature has already been discussed 3 years ago, in the following thread: http://forum.pfsense.org/index.php/topic,81.msg3442.html

    In the last message of this thread, Scott Ullrich suggested working on the GUI and the filter.inc file, and that's why I am trying to build a dev environment to work on this patch.

    Many thanks for your help,
    Pierre



  • It is present in 2.0; that's why I said it is present.

    Though all you need is to find it in the 2.0 code and enter it manually in 1.2.3, since it's just a PHP modification and you do not need to rebuild the whole system.



  • Many thanks, I will have a look!

    Pierre



  • Hi,

    @ermal:

    It is present in 2.0; that's why I said it is present.

    Though all you need is to find it in the 2.0 code and enter it manually in 1.2.3, since it's just a PHP modification and you do not need to rebuild the whole system.

    I downloaded a 2.0 snapshot (pfSense-2.0-ALPHA-ALPHA-20090923-1117.iso, based on FreeBSD 8.0), and unfortunately the feature I talked about (max-src-conn) is not included. There are:

    • marking/matching options (new in 2.0)
    • max-src-node (already in 1.2)
    • max-src-states (already in 1.2)
    • max-src-conn-rates (already in 1.2)
    • state timeout

    However, with your advice, I was able to easily add this feature.

    • For 1.2, in /etc/inc/filter.inc and /usr/local/www/firewall_rules_edit.php
    • For 2.0, in /etc/inc/filter.inc, /usr/local/www/firewall_rules_edit.php, and /usr/local/www/firewall_rules.php

    It is really trivial.

    Would it be interesting for the project if I tried to submit the patch to rcs.pfsense.org? (http://devwiki.pfsense.org/SubmittingPatches)

    Best regards,
    Pierre
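The two posts above list the PF state-tracking options behind the GUI's advanced fields (max-src-nodes, max-src-states, the connection-rate limit) and the one the thread adds (max-src-conn). The pf.conf fragment below is an added example, not code from the thread or from the pfSense project, showing how those keywords sit together in a single rule and what the per-host limit adds over a purely global cap. The interface name, server address, table name and every limit value are placeholders chosen for illustration.

```pf
# Added example (not from the thread or pfSense): pf.conf state limits.
# Placeholders: em0, 192.0.2.10, <abusers> and all numeric limits.
ext_if  = "em0"
web_srv = "192.0.2.10"

# Sources that trip a per-host limit are collected here by "overload".
table <abusers> persist

# Anything already in the table is dropped before reaching the pass rule.
block in quick on $ext_if from <abusers>

# Before (global cap only): "max 1000" bounds the total number of states
# for this rule, but one client may still occupy every slot by holding
# many half-open or idle connections, so everyone else is starved.
#
# pass in on $ext_if proto tcp to $web_srv port 80 \
#     flags S/SA keep state (max 1000)

# After: keep the global cap and add per-source limits.
#   max-src-nodes     total distinct source hosts tracked by this rule
#   max-src-states    states (any stage) one source host may hold
#   max-src-conn      fully established TCP connections per source host
#                     (the option the thread adds to the GUI)
#   max-src-conn-rate new connections per source host per interval
#   overload/flush    move an offending host to <abusers> and drop
#                     its existing states so the block above applies
pass in on $ext_if proto tcp to $web_srv port 80 \
    flags S/SA keep state \
    (max 1000, \
     max-src-nodes 500, \
     max-src-states 50, \
     max-src-conn 20, \
     max-src-conn-rate 10/5, \
     overload <abusers> flush global)
```

Two practical notes: `max-src-conn` and `max-src-conn-rate` only count connections that completed the handshake, which is why the rule keeps `flags S/SA`, and the values above are deliberately small so the effect is visible; size them for the real server. Syntax-check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -t abusers -T show` lists the hosts that have hit a limit, which is the first thing to look at when a legitimate client reports being cut off.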

