IP Filter FAQ

XI. IP FILTER AND NETBSD

1. How do I upgrade IP Filter on NetBSD?
   
2. How do I get IPF working with IPv6 in NetBSD?
   
3. I'm getting messages about "no more space for rules" -- and I have a large ruleset. What do I do?
   

1. How do I upgrade IP Filter on NetBSD?
   

   Upgrade IP Filter kernel source and build/install new binaries. In the IP Filter source directory:
   ./BSD/kupgrade
make netbsd
make install-bsd
Recompile the kernel with new version of IP Filter:
   cd /sys/arch/`uname -m`/conf
config mykernel
cd ../compile/mykernel
make depend
make
mv /netbsd /netbsd.old
mv netbsd /netbsd
Reboot, and you should be all set.

2. How do I get IPF working with IPv6 in NetBSD?
   

   NetBSD 1.5.3 onwards support ipfilter with IPv6 out of the box. Simply place your rulesets in /etc/ipf6.conf and run /etc/rc.d/ipfilter reload to activate. You will also need to have IPv6 enabled in the kernel, the key directive is "options INET6". See NetBSD documentation on compiling a custom kernel if you are having problems with this.

3. I'm getting messages about "no more space for rules" -- and I have a large ruleset. What do I do?
   

   You need to increase the VM kernel allocation. Compile a custom kernel and increase the vm.nkmempages value. The default is 4096, and doubling it should be more than ample for very large rulesets. Thanks to Gene.