What could cause ipl.ko not to autoload on FreeBSD 9.1-RELEASE?

Hi gang,

Because I'm quite familiar with SunOS and ipfilter I figured that's a good way to start. I checked the FreeBSD handbook and followed the firewall IPF section.

I enabled ipf in /etc/rc.conf as follows:

Code:
# IPF firewall
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf/ipf.conf"
ipmon_enable="YES"
ipmon_flags="-Ds"       # D; daemon, s; syslog, v; log tcp/ack/seq, n; names

Yet whenever I tried to check the status by using # ipf -V it would show an error saying:
Code:
open device: No such file or directory

I traced this back to the kernel module not getting automatically loaded, here is the current status:

Code:
peter@smtp2:/etc % kldstat
Id Refs Address            Size     Name
 1   20 0xffffffff80200000 1323388  kernel
 2    1 0xffffffff81524000 2084f8   zfs.ko
 3    2 0xffffffff8172d000 5c68     opensolaris.ko
 4    5 0xffffffff81734000 4e38     virtio.ko
 5    1 0xffffffff81739000 5868     virtio_pci.ko
 6    1 0xffffffff8173f000 52d8     virtio_blk.ko
 7    1 0xffffffff81745000 ad80     if_vtnet.ko
 8    1 0xffffffff81750000 31f8     virtio_balloon.ko

...which I get to see when using # kldstat.

Even though I already solved this problem (in a test scenario using # kldload ipl, or by adding ipl_load="YES" to /boot/loader.conf) I want to know and understand what's going on here.

I think that I can rule out config issues because even if I only enable the option
Code:
ipfilter_enable="YES"
in /etc/rc.conf and then manually restart the ipfilter service using # /etc/rc.d/ipfilter restart, it doesn't complain about options in rc.conf nor does it fully enable ipfilter (by loading ipl.ko).

Is this something I'm overlooking or does the handbook make false assumptions?
 
break19 said:
Add it to /boot/loader.conf.

Add what? But even more important to me: why?

As you can see above I already determined that I should automatically load the kernel module manually, that's not the nature of my question. I want to understand why it is so, considering that the manual (FreeBSD handbook) states otherwise (it suggests that autoloading takes place).
 
Well, it took me a while but I finally figured some of it out.

As it turns out, there is a difference in kernel modules: some can be automatically loaded and some cannot. According to what I've read so far, the modules which provide support for firewalls cannot be auto loaded.

From what I read, this behaviour seems to depend on both the kernel module and the application which tries to utilize whatever functionality the module provides. In other words: commands like zfs and zpool will automatically load the required modules to provide ZFS support (zfs.ko and opensolaris.ko) whereas ipf does not (this requires ipl.ko or embedded support).

This is not the exact and complete story, but what I managed to read up on which sort of satisfied my curiosity.
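
An added example, not part of the thread and not FreeBSD's own tooling: a small sh audit for the state described above, where ipfilter_enable="YES" is set in rc.conf but ipl.ko is neither loaded nor requested with ipl_load="YES" in /boot/loader.conf. The function names, verdict strings and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are file paths, so it runs offline on constructed samples.

# conf_yes FILE VAR: succeed if the last uncommented VAR= assignment is YES.
# Only "YES" is recognised, the value used in the thread.
conf_yes() {
    val=$(sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" 2>/dev/null | tail -n 1)
    case "$val" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# module_loaded KLDSTAT_OUTPUT NAME: succeed if NAME.ko is in the Name column.
# Support compiled into the kernel is not visible in plain kldstat output.
module_loaded() {
    awk -v m="$2.ko" 'NR > 1 && $5 == m { found = 1 } END { exit !found }' "$1"
}

# audit_ipf RC_CONF LOADER_CONF KLDSTAT_OUTPUT: print one verdict, always return 0.
audit_ipf() {
    if ! conf_yes "$1" ipfilter_enable; then echo "not-enabled"; return 0; fi
    loaded=no; boot=no
    if module_loaded "$3" ipl; then loaded=yes; fi
    if conf_yes "$2" ipl_load; then boot=yes; fi
    case "$loaded/$boot" in
        yes/yes) echo "ok" ;;
        yes/no)  echo "loaded-but-not-set-in-loader.conf" ;;
        no/yes)  echo "set-in-loader.conf-but-not-loaded" ;;
        no/no)   echo "enabled-but-module-missing" ;;
    esac
    return 0
}

# Constructed sample inputs reproducing the state described in the thread.
d=$(mktemp -d)
printf '%s\n' 'ipfilter_enable="YES"' 'ipfilter_rules="/etc/ipf/ipf.conf"' > "$d/rc.conf"
printf '%s\n' '#ipl_load="YES"' > "$d/loader.conf"
printf '%s\n' 'Id Refs Address            Size     Name' \
    ' 1   20 0xffffffff80200000 1323388  kernel' \
    ' 2    1 0xffffffff81524000 2084f8   zfs.ko' > "$d/kldstat.txt"
audit_ipf "$d/rc.conf" "$d/loader.conf" "$d/kldstat.txt"
```

On a live system, pass /etc/rc.conf, /boot/loader.conf and a file holding the output of kldstat instead of the sample files.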
 