From: Eugene Grosbein
To: Alan Hicks
Cc: freebsd-stable@freebsd.org
Date: Wed, 11 Aug 2010 00:59:31 +0700
Subject: Re: NAT issue in 8.1
Message-ID: <20100810175931.GB63364@rdtc.ru>
In-Reply-To: <4C61712E.7030704@p-o.co.uk>

On Tue, Aug 10, 2010 at 04:33:02PM +0100, Alan Hicks wrote:
> Having upgraded to Release-8.1, there appears to be an issue with
> network address translation where a newly booted machine fails to set up
> nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'

That's because your kernel (GENERIC?) does not have ipdivert support
enabled. That's not fatal, see later.

>
> Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)
>
> rc.conf
> ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
> defaultrouter="192.168.0.1"
> firewall_enable="YES"
> firewall_type="open"
> firewall_logging="yes"
> natd_enable="YES"
> natd_interface="em0"
>
> Boot excerpt from console, typed as it does not make it to
> /var/log/messages so apologies for any typos
>
> add net default: gateway 192.168.0.1
> Additional routing options: IP gateway=YES
> Starting devd.
> ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
> forwarding disabled, default to deny, logging disabled
> load_dn_sched dn_sched FIFO loaded
> load_dn_sched dn_sched QFQ loaded
> load_dn_sched dn_sched RR loaded
> load_dn_sched dn_sched WF2Q+ loaded
> load_dn_sched dn_sched PRIO loaded
> flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> ipfw: getsockopt(IP_FW_ADD): Invalid argument

At this point, there is still no ipdivert support loaded.

> 65000 allow ip from any to any
> Firewall rules loaded.
> Firewall logging enabled.
> Starting natd.

At this point, kernel module ipdivert.ko is loaded.

> Loading /lib/libalias_cuseeme.so
> Loading /lib/libalias_ftp.so
> Loading /lib/libalias_irc.so
> Loading /lib/libalias_nbt.so
> Loading /lib/libalias_pptp.so
> Loading /lib/libalias_skinny.so
> Loading /lib/libalias_smedia.so
> Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes
>
> Although all appears to be ok, machines on the xl0 192.168.202.0/24
> subnet can't see the internet. Running /etc/rc.firewall manually fixes
> the issue.

ipdivert.ko is loaded, hence re-loading firewall rules helps.

>
> The machine was upgraded from 8.0 using unmodified cvs sources using
> buildkernel, buildworld, installworld, installkernel mergemaster.
>
> Any help appreciated.

Just load ipdivert.ko earlier by means of loader.conf:

echo 'ipdivert_load="YES"' >> /boot/loader.conf

Alternatively, rebuild kernel with options IPFIREWALL and IPDIVERT

Eugene Grosbein
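As an added example (not code from the thread or from FreeBSD), a small sh lint that checks a box's rc.conf and loader.conf for the ordering problem Alan hit and reports whether Eugene's loader.conf fix is in place. It assumes the file paths are passed as arguments and that a yes/no argument stands in for the live kernel check, since the script runs offline against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread: lint rc.conf and loader.conf for the
# ordering problem described above (natd_enable=YES, but ipdivert only gets
# loaded when natd starts, after /etc/rc.firewall has tried the divert rule).
# The third argument stands in for the live kernel check, which on a real
# FreeBSD box would be: kldstat -q -m ipdivert

# rc_get FILE KEY: value of a shell-style KEY="value" line; the last one
# wins, as it does when rc(8) sources the file.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# check_nat_divert RC_CONF LOADER_CONF KERNEL_HAS_IPDIVERT(yes|no)
# Returns 0 if rc.firewall's divert rule can be added at boot, 1 if it will
# fail with "ipfw: getsockopt(IP_FW_ADD): Invalid argument".
check_nat_divert() {
    case "$(rc_get "$1" natd_enable)" in
        [Yy][Ee][Ss]) ;;
        *) echo "natd_enable is not YES: no divert rule is installed"; return 0 ;;
    esac
    if [ "$3" = yes ]; then
        echo "ok: kernel built with options IPDIVERT"; return 0
    fi
    case "$(rc_get "$2" ipdivert_load)" in
        [Yy][Ee][Ss]) echo "ok: loader loads ipdivert.ko before rc.firewall runs"; return 0 ;;
    esac
    echo "FAIL: natd_enable=YES but ipdivert is neither in the kernel nor in loader.conf;"
    echo "      rc.firewall will fail at boot. Fix: echo 'ipdivert_load=\"YES\"' >> /boot/loader.conf"
    return 1
}

# Constructed sample files mirroring Alan's rc.conf on a GENERIC kernel.
tmp=$(mktemp -d)
cat > "$tmp/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_interface="em0"
EOF
: > "$tmp/loader.conf"                                # the failing boot
check_nat_divert "$tmp/rc.conf" "$tmp/loader.conf" no || :
echo 'ipdivert_load="YES"' >> "$tmp/loader.conf"      # Eugene's fix applied
check_nat_divert "$tmp/rc.conf" "$tmp/loader.conf" no
rm -r "$tmp"
```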