diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
--- a/sbin/ipf/Makefile
+++ b/sbin/ipf/Makefile
@@ -1,5 +1,10 @@
+.include
+
 SUBDIR= libipf .WAIT
-SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool
+SUBDIR+= ipf ipfstat ipmon ipnat ippool
+.if ${MK_IPFILTER_IPFS} != "no"
+SUBDIR+= ipfs
+.endif
 # XXX Temporarily disconnected.
 # SUBDIR+= ipftest ipresend ipsend
 SUBDIR_PARALLEL=
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -209,6 +209,7 @@
 DTRACE_TESTS \
 EXPERIMENTAL \
 HESIOD \
+ IPFILTER_IPFS \
 LOADER_VERBOSE \
 LOADER_VERIEXEC_PASS_MANIFEST \
 LLVM_FULL_DEBUGINFO \
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1046,6 +1046,7 @@
 options IPFILTER_LOG #ipfilter logging
 options IPFILTER_LOOKUP #ipfilter pools
 options IPFILTER_DEFAULT_BLOCK #block all packets by default
+options IPFILTER_IPFS #enable experimental ipfs(8) support
 options IPSTEALTH #support for stealth forwarding
 options PF_DEFAULT_TO_DROP #drop everything by default
 options TCP_BLACKBOX
diff --git a/sys/conf/options b/sys/conf/options
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -449,6 +449,7 @@
 IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
 IPFILTER_LOG opt_ipfilter.h
 IPFILTER_LOOKUP opt_ipfilter.h
+IPFILTER_IPFS opt_ipfilter.h
 IPFIREWALL opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
 IPFIREWALL_NAT opt_ipfw.h
diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile
--- a/sys/modules/ipfilter/Makefile
+++ b/sys/modules/ipfilter/Makefile
@@ -1,3 +1,5 @@
+.include
+
 .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet
 KMOD= ipl
@@ -9,6 +11,11 @@
 CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
 CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP
+
+.if ${MK_IPFILTER_IPFS} != "no"
+CFLAGS+= -DIPFILTER_IPFS
+.endif
+
 #
 # If you don't want log functionality remove -DIPFILTER_LOG
 #
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
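Review bot: The `IPFILTER_IPFS` entry added to this option list has no user-facing description anywhere in the visible patch. Build knobs are normally described for src.conf(5), and this one deserves a sentence saying that it both installs ipfs(8) and compiles the state and NAT save/restore ioctls into the ipl module, since that is not obvious from the name. The description may be in a part of the commit not shown here, and the list's header is outside the hunk, so which default this list gives the knob is inferred rather than visible.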
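Review bot: In the second hunk of sys/modules/ipfilter/Makefile the new `.if ${MK_IPFILTER_IPFS} != "no"` block sits between the `CFLAGS+= -DIPFILTER=1 ...` line and the comment that documents that line ("If you don't want log functionality remove -DIPFILTER_LOG"), so the comment now appears to describe `-DIPFILTER_IPFS`. Moving the block below that comment, which continues past the end of the hunk, or giving it its own line such as `# ipfs(8) save/restore ioctls are built only with WITH_IPFILTER_IPFS` keeps both readable. The same comment is a good place to record that the module follows the src.conf knob while a static kernel follows `options IPFILTER_IPFS`, so the two builds, and the presence of sbin/ipfs, can disagree.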
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1337,6 +1337,7 @@
 error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);
 break;
+#ifdef IPFILTER_IPFS
 case SIOCSTLCK :
 if (!(mode & FWRITE)) {
 IPFERROR(60015);
@@ -1372,6 +1373,7 @@
 error = EACCES;
 }
 break;
+#endif /* IPFILTER_IPFS */
 case SIOCGENITER :
 {
@@ -1679,7 +1681,7 @@
 }
 }
-
+#ifdef IPFILTER_IPFS
 /* ------------------------------------------------------------------------ */
 /* Function: ipf_nat_getsz */
 /* Returns: int - 0 == success, != 0 is the error value. */
@@ -2247,6 +2249,7 @@
 }
 return (error);
 }
+#endif /* IPFILTER_IPFS */
 /* ------------------------------------------------------------------------ */
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -709,6 +709,7 @@
 IPFOBJ_STATESTAT);
 break;
+#ifdef IPFILTER_IPFS
 /*
 * Lock/Unlock the state table. (Locking prevents any changes, which
 * means no packets match).
@@ -745,6 +746,7 @@
 }
 error = ipf_state_getent(softc, softs, data);
 break;
+#endif /* IPFILTER_IPFS */
 case SIOCGENITER :
 {
@@ -801,6 +803,7 @@
 }
+#ifdef IPFILTER_IPFS
 /* ------------------------------------------------------------------------ */
 /* Function: ipf_state_getent */
 /* Returns: int - 0 == success, != 0 == failure */
@@ -1005,6 +1008,7 @@
 return (error);
 }
+#endif /* IPFILTER_IPFS */
 /* ------------------------------------------------------------------------ */
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -2627,6 +2627,10 @@
 OLD_FILES+=usr/share/man/man8/ippool.8.gz
 .endif
+.if ${MK_IPFILTER_IPFS} == no
+OLD_FILES+=sbin/ipfs
+.endif
+
 .if ${MK_IPFW} == no
 OLD_FILES+=etc/rc.d/ipfw
 OLD_FILES+=etc/rc.d/natd
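Review bot: Once the block opening at `case SIOCSTLCK :` in ip_nat.c is compiled out, those requests fall through to the switch's default arm, which lies outside these hunks; confirm that it rejects them with an error rather than succeeding silently, because ipfs(8) can still be installed against a kernel built without the option. The same applies to the guarded cases in the first two ip_state.c hunks. The guards wrap only the definitions from `ipf_nat_getsz` and `ipf_state_getent` onward, so any forward declarations of those static functions earlier in either file need the same `#ifdef`, and for a static kernel each file must actually see opt_ipfilter.h for the macro to exist; neither is visible here. A one-line reason above each guard, for example `/* ipfs(8) save/restore ioctls accept table entries from userland; off unless IPFILTER_IPFS */`, would tell a later reader why this code is optional.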
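Review bot: The OptionalObsoleteFiles.inc block lists only the binary `sbin/ipfs` for removal when `MK_IPFILTER_IPFS` is `no`, although the context line `OLD_FILES+=usr/share/man/man8/ippool.8.gz` just above shows that this file tracks manual pages as well. If the ipfs subdirectory also installs the ipfs(8) manual page (its Makefile is not part of this diff), the block should carry the matching entry, presumably `OLD_FILES+=usr/share/man/man8/ipfs.8.gz`, so that `make delete-old` does not leave documentation for a tool that is no longer installed. Any startup script that invokes ipfs deserves the same check.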