Date:      Mon, 5 Nov 2001 14:35:26 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        Nick Rogness <nick@rogness.net>
Cc:        David Kelly <dkelly@hiwaay.net>, Jason Cribbins <jasonc@concentric.net>, questions@FreeBSD.ORG
Subject:   Re: Unable to get natd/ipfw to work properly
Message-ID:  <20011105143526.A745@blossom.cjclark.org>
In-Reply-To: <Pine.BSF.4.21.0111051225520.24520-100000@cody.jharris.com>; from nick@rogness.net on Mon, Nov 05, 2001 at 12:34:21PM -0600
References:  <20011104231746.D325@blossom.cjclark.org> <Pine.BSF.4.21.0111051225520.24520-100000@cody.jharris.com>

On Mon, Nov 05, 2001 at 12:34:21PM -0600, Nick Rogness wrote:
> On Sun, 4 Nov 2001, Crist J. Clark wrote:
> 
> > > > 	You must build IPDIVERT into the kernel
> > > > 	manually as there is no klm for DIVERT and it is not part of
> > > > 	ipfw.ko.  Or at least it wasn't before 4.4-R.
> 
> > > OK, then that would be a nice simple little thing for somebody to
> > > contribute to /etc/rc.network. The script knows if it has to kldload
> > > ipfw, and if it loaded from kld then is there any chance IPDIVERT
> > > will work? If not, then a verbose warning would be nice if such were
> > > attempted.
> 
> > 
> > There is nothing stopping someone from adding IPDIVERT to their
> > ipfw.ko module. Edit src/sys/modules/ipfw/Makefile.
> 
> 	Maybe it would be nice to have 2 ipfw klm's.  1 that has just the
> 	basic functionality (ipfw.ko) and a second module, say
> 	ipfw-plus.ko, that has IPDIVERT, Forwarding, etc.
> 
> 	Then the rc scripts could load the appropriate one on boot.
> 
> 	Just a thought.  I don't think it would be difficult to do, just a
> 	matter if people want it or not.

Well, there are some "issues" with IPDIVERT. If you build a firewall
module with IPDIVERT and load it into a kernel that was not built with
IPDIVERT, it won't work. But you _can_ do it if the kernel had
IPDIVERT, but did not have any IPFIREWALL options set (like the poster
in this thread did). The divert(4) code does not just live in the
firewall code, but elsewhere in the kernel (e.g. ip_input.c,
ip_output.c) too.

But back to the original point, I am not sure a more verbose message
is needed. Isn't,

  IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging limited to 1000 packets/entry by default
                                   ^^^^^^^^^^^^^^^
Enough?
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
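The thread asks whether rc.network should warn when natd is about to be started on a kernel without IPDIVERT, and whether the "divert disabled" banner is enough. The following sh snippet is an added example, not code from the thread or from the FreeBSD rc scripts: it reads the ipfw initialization banner (two constructed sample lines stand in for dmesg output) and refuses to start natd when the kernel reports divert disabled, or when no banner is found at all, which is what happens when neither IPFIREWALL nor ipfw.ko is present. The function names ipfw_divert_status and natd_precheck are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether natd(8) can be started
# by reading the ipfw initialization banner. The two SAMPLE_* lines below are
# constructed stand-ins for dmesg output; on a real box feed in `dmesg` or
# /var/run/dmesg.boot instead.

SAMPLE_DMESG_NODIVERT='IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging limited to 1000 packets/entry by default'
SAMPLE_DMESG_DIVERT='IP packet filtering initialized, divert enabled, rule-based forwarding enabled, default to accept, logging disabled'

# ipfw_divert_status: read dmesg-style text on stdin and print "enabled",
# "disabled" or "unknown" for the divert(4) support the ipfw banner reports.
# The last banner wins, in case the module was loaded more than once.
ipfw_divert_status() {
    banner=$(grep 'IP packet filtering initialized' | tail -n 1)
    case "$banner" in
        *'divert enabled'*)  echo enabled ;;
        *'divert disabled'*) echo disabled ;;
        *)                   echo unknown ;;
    esac
}

# natd_precheck: read dmesg-style text on stdin; return 0 when it is safe to
# start natd, 1 when the kernel lacks IPDIVERT, 2 when no ipfw banner exists.
# The messages on stderr are the verbose warning the thread discusses.
natd_precheck() {
    status=$(ipfw_divert_status)
    case "$status" in
        enabled)
            return 0 ;;
        disabled)
            echo "natd: kernel reports divert disabled; build IPDIVERT into the kernel (or into ipfw.ko)" >&2
            return 1 ;;
        *)
            echo "natd: no ipfw banner found; is IPFIREWALL compiled in or ipfw.ko loaded?" >&2
            return 2 ;;
    esac
}

# Usage on a live system (hypothetical rc hook):
#   dmesg | natd_precheck && natd -n fxp0
```

The check keys on the same banner Crist points at, so it adds nothing the kernel does not already say; its only value is turning that one word into an exit status an rc script can act on before natd is started.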
