FreeBSD Homepage: Crist J. Clark

Patches

These patches are not actively maintained. They worked when I wrote them. Changes to FreeBSD may have been made since which cause them to not apply cleanly or even break things. If you do encounter problems, feel free to contact me, cjc@freebsd.org, and I may be able to help. I will at least remove the patch or add appropriate warnings to this page.

To use a patch,

1. Download the one of the patch file links below.
2. Change to the base of your source directory, ususally, /usr/src,

   # cd /usr/src
   

3. Patch your source,

   # patch < patchfile
   
   

4. Build the new code. I have tried to add notes about what needs to be built with each patch.

• IPFilter Bridging - March 28, 2002

  This patch allows IPFilter to filter the packets passing through a FreeBSD system running as a bridge(4). The ipf(8) bridging works analogously to ipfw(8) bridging. Only input packets are filtered. To enable ipf(8) bridge filtering,

  # sysctl net.link.ether.bridge_ipf=1
  
  

  IPFilter bridging support is included in 5-CURRENT and 4-STABLE. For 4.6-RELEASE and before, this patch must be applied to the kernel source. In 4-STABLE, IPFilter bridging does work as a kld(4), part of bridge.ko.

• IPFW Logging Extensions - November 2, 2001

  This adds additional logging capabilities to logs generated by ipfw(8). The DIFSERV, TTL, and IP ID fields of logged IP packets appear in the logs when the 2-bit of the net.inet.ip.fw.verbose sysctl(8) variable is set. For example,

  # sysctl -w net.inet.ip.fw.verbose=2
  
  

  Will print information about the IP layer. When the 4-bit of net.inet.ip.fw.verbose is set, additional information on TCP segments will be printed, the TCP flags (f), sequence number (s), and aknowledgement number (a). IPFIREWALL_VERBOSE and obviously, IPFIREWALL must be enabled in your kernel configuration for these to work. Patches for 5.0-CURRENT and 4.4-STABLE. Rebuild and install the new kernel after applying the changes.

• IPFW Lifetime - November 2, 2001

  This patches allows a per-rule lifetime to be specified for keep-state rules. Documentation changes to the manpage is included in the patch. See your new ipfw(8) page to see how it works. IPFIREWALL must be enabled in your kernel configuration for it to work. Patch for 5.0-CURRENT. Rebuild and install the new kernel after applying the changes.

• NO_KLD - October 4, 2001

  These simple patches cause the kldload(2) syscall to always fail with EPERM ("permission denied"). Just to be thorough, they also disable kldunload(2). WARNING: This prevents someone from using the convenient KLD interface to hook code into the running kernel, it does not stop someone from modifying the running kernel (through /dev/mem), or from putting a modified kernel (like one that allows KLDs, eep!) on your hard drive and rebooting the box. You are much better off trying securelevel(8) since it helps with these other issues. With those caveats, here are the patches for 5.0-CURRENT and for 4.4-STABLE. Rebuild and install the new kernel after applying the changes.