
Topic: HOWTO: compile kernel with LISP support  (Read 1922 times)

kleinem
HOWTO: compile kernel with LISP support
« on: May 11, 2016, 04:20:08 am »
Hello everyone,

I'm thinking about exchanging my Cisco ISRs for pfSense appliances.
One of the things currently holding me back is the lack of Locator/Identifier Separation Protocol (LISP) support in pfSense, which I'd really like to see in a future release.
I'm hoping for a lot of potential imitators, testers and feedback on LISP so we might even get a pfSense package in the future.

I'm a versed *nix sysadmin and user; however, I don't have much experience with BSD, kernel hacking or coding.
So if anything is plain wrong or could be improved in this guide, please let me know.
This guide is basically following the official OpenLISP install guide found on GitHub [1] and mostly focusing on how to compile LISP support into the kernel,
because I expect anyone reading/doing this to be able to compile the associated userland applications without any problems.
Since pfSense seems to make its own modifications to the BSD kernel, one diff conflict arises, but apart from that, compiling a kernel is no rocket science either.


1) Prerequisites
Since pfSense 2.3 is based on FreeBSD 10.3, you'll need a FreeBSD 10.3 build machine.
1) install and update ports, git, compile libconfig
2) download the pfSense sources and openlisp data-plane from github
3) create a symlink to /usr/src for the pfSense sources, because the lisp install script is looking there by default
As mentioned earlier, pfSense is making its own modifications to the kernel source and uses a custom kernel config as well.
Therefore /usr/src needs to point to the pfSense modified sources.
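Code:
# build and install libconfig from ports
cd /usr/ports/devel/libconfig
make clean install

# fetch the OpenLISP data-plane and the pfSense sources
cd <workdir>
git clone --depth 1 --branch master -- <openlisp data-plane repository URL>
git clone --depth 1 --branch RELENG_2_3 -- <pfSense sources repository URL> pfSense_2.3
# /usr/src must point at the pfSense-modified sources
ln -s <workdir>/pfSense_2.3 /usr/src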

2) patch the kernel
Patching the kernel is easy with the provided "" script.
As mentioned before, you'll run into a diff conflict which you need to resolve manually.
It's important, though, that you ignore the warning which the script emits and continue with it.
Code:
cd data-plane
Trying to find the original file [Y/n]? n
Skip this step and continue (not safe) [y/N]? Y
This conflict needs to be resolved manually:
Code:
*** 139,144 ****
  #ifdef IPSEC
  int no_route_but_check_spd = 0;
  if (inp != NULL) {
--- 147,158 ----
  #ifdef IPSEC
  int no_route_but_check_spd = 0;
+ + #ifdef LISP
+ struct eidmap *  local_map = NULL;
+ struct eidmap *  remote_map = NULL;
+ #endif /* LISP */
  if (inp != NULL) {
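Review bot: in the new side of this hunk the `#ifdef LISP` declarations follow `int no_route_but_check_spd = 0;` with no `#endif` for `#ifdef IPSEC` visible between them, so as shown `local_map` and `remote_map` are only declared when IPSEC is also defined. When resolving the conflict by hand, check where the IPSEC `#endif` sits in the pfSense file and place the LISP block after it, so a kernel built with `options LISP` but without IPSEC still compiles. The `+ + #ifdef LISP` line also looks like two added lines run together (a blank line and the `#ifdef`), which is worth confirming against the original patch before typing it in.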

3) compile the kernel
At last, we need to add LISP support to the pfSense kernel config, compile it, and make a Kernel package. (assuming amd64 here)
The result will be a /kernel.txz file which you can install on a pfSense 2.3 machine.
Code:
echo "options LISP" >> /usr/src/sys/amd64/conf/pfSense
cd /usr/src
make buildkernel KERNCONF=pfSense
make distributekernel KERNCONF=pfSense INSTKERNNAME=pfSense-2.3_lisp
make packagekernel KERNCONF=pfSense INSTKERNNAME=pfSense-2.3_lisp

4) userland applications
Two problems I've encountered while compiling userland:
1) 'mapstat' needs to be compiled without IPX support to run on pfSense: 'make -DWITHOUT_IPX_SUPPORT'
2) 'opencp' needs to be compiled using clang on FreeBSD 10.3, so 'make CC=clang'
« Last Edit: May 11, 2016, 04:25:23 am by kleinem »
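An added example, not part of kleinem's post or of the OpenLISP scripts: two preflight checks for the steps above. The first catches the case where /usr/src already exists as a directory, so `ln -s` puts the link inside it and the patch and build run against the stock sources; the second makes the `options LISP` append safe to re-run. The function names are hypothetical, and paths are arguments so the checks can be tried on a scratch tree.

```sh
#!/bin/sh
# Added example (not from the original post). Intended use on the build host:
#   check_src_link /usr/src <workdir>/pfSense_2.3
#   ensure_kernel_option /usr/src/sys/amd64/conf/pfSense LISP

# check_src_link SRC EXPECTED
# Succeeds only if SRC is a symlink whose target is EXPECTED. If SRC is a
# real directory, `ln -s EXPECTED SRC` creates the link inside it and the
# kernel build silently uses whatever sources were already there.
check_src_link() {
    src=$1
    expected=$2
    if [ ! -L "$src" ]; then
        echo "error: $src is not a symlink" >&2
        return 1
    fi
    target=$(readlink "$src")
    if [ "$target" != "$expected" ]; then
        echo "error: $src points to $target, expected $expected" >&2
        return 1
    fi
}

# ensure_kernel_option CONF OPTION
# Appends "options OPTION" to CONF unless an uncommented line already sets
# it, so repeating the step does not duplicate the entry.
ensure_kernel_option() {
    conf=$1
    opt=$2
    [ -f "$conf" ] || { echo "error: $conf not found" >&2; return 1; }
    if grep -Eq "^[[:space:]]*options[[:space:]]+$opt([[:space:]]|\$)" "$conf"; then
        return 0
    fi
    printf 'options %s\n' "$opt" >> "$conf"
}

# count_kernel_option CONF OPTION
# Prints how many uncommented lines in CONF set OPTION.
count_kernel_option() {
    grep -Ec "^[[:space:]]*options[[:space:]]+$2([[:space:]]|\$)" "$1" || true
}
```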


Re: HOWTO: compile kernel with LISP support
« Reply #1 on: January 21, 2017, 03:31:44 pm »
So is LISP support baked in to standard pfSense by now?

DRago_Angel
Re: HOWTO: compile kernel with LISP support
« Reply #2 on: May 02, 2017, 12:41:42 pm »
This topic has been read 1177 times. It means that many people are interested in this technology, a really good thing to drop NPt away in IPv6 multihoming.