Subject: kern/7264: kernel examples that include ipfilter should include IPFILTER_LOG
To: None <gnats-bugs@gnats.netbsd.org>
From: None <woods@mail.weird.com>
List: netbsd-bugs
Date: 03/27/1999 12:28:31
>Number: 7264
>Category: kern
>Synopsis: kernel examples that include ipfilter should include IPFILTER_LOG
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Sat Mar 27 09:35:01 1999
>Last-Modified:
>Originator: Greg A. Woods
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Release: NetBSD-current Fri Mar 26 08:25:14 EST 1999
>Environment:
>Description:
All kernels, particularly "GENERIC" configurations, which
include "pseudo-device ipfilter" should also include the most
useful "options IPFILTER_LOG".
A commented out "#options IPFILTER_DEFAULT_BLOCK" might also be
added too.
(Actually I've always thought IPFILTER_LOG should be the default
and there should only be a little used _NOLOG option for those
people who really know what they are doing and who really know
that they don't need/want the logging feature to work. In any
case this is certainly something that's very surprising to find
missing from a "GENERIC" kernel that's got ipfilter in it.)
>How-To-Repeat:
fgrep -i ipfilter /usr/src/sys/arch/*/GENERIC
>Fix:
edit all configs to make things a bit more consistent and
complete.
(only amiga, sparc64k and x68k are complete now)
consider adding ipfilter to the GENERIC configurations for those
architectures that don't yet have it turned on by default
(arm32, newsmips, sun3)
I have also been working on some patches for ipmon so that it
would print and/or log a message and perhaps die to indicate
that logging wasn't enabled instead of just sitting there like a
big dummy and saying nothing, but they're not ready yet.
>Audit-Trail:
>Unformatted:
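
A stricter form of the fgrep check under How-To-Repeat, as an added example that is not part of the original report: it flags configs that have an active "pseudo-device ipfilter" line but no active "options IPFILTER_LOG", ignoring commented-out lines. The function names and the archA..archD sample configs are constructed for illustration.

```shell
#!/bin/sh
# Classify one kernel config: prints no-ipfilter, ok, or missing-log.
check_ipf_log() {
    awk '
        { sub(/#.*/, ""); gsub(/,/, " ") }   # "#options ..." lines must not count
        $1 == "pseudo-device" && $2 == "ipfilter" { ipf = 1 }
        $1 == "options" { for (i = 2; i <= NF; i++) if ($i == "IPFILTER_LOG") logopt = 1 }
        END {
            if (!ipf)        print "no-ipfilter"
            else if (logopt) print "ok"
            else             print "missing-log"
        }' "$1"
}

# Report every <arch>/GENERIC under a source tree ($1), one "arch: status" per line.
audit_tree() {
    for f in "$1"/*/GENERIC; do
        [ -f "$f" ] || continue
        arch=$(basename "$(dirname "$f")")
        printf '%s: %s\n' "$arch" "$(check_ipf_log "$f")"
    done
}

# Constructed sample configs (archA..archD are hypothetical, not real ports).
make_samples() {
    mkdir -p "$1/archA" "$1/archB" "$1/archC" "$1/archD"
    printf 'options \tINET\npseudo-device\tipfilter\t# IP filter\noptions \tIPFILTER_LOG\t# logging\n' > "$1/archA/GENERIC"
    printf 'pseudo-device\tipfilter\n#options \tIPFILTER_LOG\n' > "$1/archB/GENERIC"
    printf 'options \tINET\n#pseudo-device\tipfilter\n' > "$1/archC/GENERIC"
    printf 'pseudo-device\tipfilter\noptions \tINET\n' > "$1/archD/GENERIC"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_tree "$demo"      # on a real tree: audit_tree /usr/src/sys/arch
rm -rf "$demo"
```

A config reported as missing-log builds a kernel in which ipfilter rules are enforced but nothing is available for ipmon to read.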