From owner-freebsd-bugs@FreeBSD.ORG Sun Jul 25 13:30:07 2010
Resent-Date: Sun, 25 Jul 2010 13:30:07 GMT
Resent-Message-Id: <201007251330.o6PDU7w5077504@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Fmyoen
Message-Id: <201007251329.o6PDTUEZ031768@www.freebsd.org>
Date: Sun, 25 Jul 2010 13:29:30 GMT
From: Fmyoen
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/148928: Problem with loading of ipfw NAT rules during system startup

>Number: 148928
>Category: misc
>Synopsis: Problem with loading of ipfw NAT rules during system startup
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 25 13:30:06 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Fmyoen
>Release: 8.1-RELEASE
>Organization:
Fmyoen
>Environment:
FreeBSD ... 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
It looks like during system startup (in some setups?) the ipdivert.ko kernel module loads later than the default /etc/rc.firewall script executes, and thus the script fails to properly add NAT-related ipfw rules. In my case it was this rule:

    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
    fi

This results in:

    ipfw: getsockopt(IP_FW_ADD): Invalid argument

So after every reboot I should manually run

    sh /etc/rc.firewall

to flush and add ipfw rules once again.

I've got this problem on at least two of my PCs, and at least one guy has a similar problem, as reported here: http://www.opennet.ru/openforum/vsluhforumID3/69154.html#26.

Here are parts of my configuration files, although I doubt it would help:

rc.conf:

    ifconfig_vr1="dhcp"
    gateway_enable="YES"
    # IPFW
    firewall_enable="YES"
    firewall_type="OPEN"
    # NAT
    natd_program="/sbin/natd"
    natd_enable="YES"
    natd_interface="vr1"
    natd_flags="-m"

sysctl.conf:

    net.inet.ip.fw.one_pass=0

>How-To-Repeat:
Reboot PC.
>Fix:
    echo 'ipdivert_load="YES"' >> /boot/loader.conf
causes normal rule execution during startup.

>Release-Note:
>Audit-Trail:
>Unformatted:
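
An added example, not part of the original report: a post-boot check that tells the state described above (divert rule missing although ipdivert is loaded by the time you look) apart from a module that never loaded. The function names are hypothetical and the two `ipfw list` rulesets are constructed samples.

```sh
#!/bin/sh
# Added example (not from the report). Function names are hypothetical and
# the two rulesets below are constructed samples of `ipfw list` output.

# Ruleset as left by the failed boot: the divert rule (number 50) is absent.
SAMPLE_AFTER_BOOT='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# Ruleset after re-running rc.firewall by hand: rule 50 is present.
SAMPLE_AFTER_RERUN="00050 divert 8668 ip4 from any to any via vr1
$SAMPLE_AFTER_BOOT"

# has_divert_rule IFACE: read `ipfw list` output on stdin and succeed only
# if some rule has the divert action and matches traffic "via IFACE".
has_divert_rule() {
    awk -v ifc="$1" '
        $2 == "divert" {
            for (i = 3; i < NF; i++)
                if ($i == "via" && $(i + 1) == ifc) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# nat_boot_state IFACE LOADED: classify the ruleset on stdin, where LOADED
# is "yes" if the ipdivert module is in the kernel at check time.
nat_boot_state() {
    if has_divert_rule "$1"; then
        echo ok
    elif [ "$2" = yes ]; then
        # Module is there now but the rule is not: it was added too early.
        echo rule-missing-module-loaded
    else
        echo rule-missing-module-absent
    fi
}

# On a FreeBSD host, run as: sh check.sh --live vr1
if [ "${1:-}" = "--live" ]; then
    loaded=no
    kldstat -q -m ipdivert && loaded=yes
    ipfw list | nat_boot_state "$2" "$loaded"
fi
```

Run from cron or a monitoring hook shortly after boot, any result other than `ok` means traffic on the NAT interface is not passing through natd.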