Date: Thu, 3 May 2012 23:26:41 +0400 (MSK)
From: Dmitry Marakasov <amdmi3@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: conf/167566: [rc.d] ipdivert module loading vs. ipfw rc.d order issue
Message-ID: <20120503192641.C77AFDED@hades.panopticon>
Resent-Message-ID: <201205031930.q43JUDZ5061482@freefall.freebsd.org>
>Number:         167566
>Category:       conf
>Synopsis:       [rc.d] ipdivert module loading vs. ipfw rc.d order issue
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 03 19:30:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Marakasov
>Release:        FreeBSD 9.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD hades.panopticon 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 10 01:33:18 MSK 2012 root@hades.panopticon:/usr/obj/usr/src/sys/HADES amd64
>Description:
1) if ipfw divert rules are used, ipdivert module must be loaded before rules are added, or ipfw add'ing divert rule will fail
2) ipdivert module is loaded by rc.d/natd
3) there's nothing to make rc.d/natd executed before rc.d/ipfw, and in reality the order is incorrect:

% rcorder /etc/rc.d/* | grep -Ee 'ipfw|natd'
/etc/rc.d/ipfw
/etc/rc.d/natd

Thus, someone using natd will run into incomplete ruleset and will have to add ipdivert_load="YES" to /boot/loader.conf

Attached patch makes rc.d/natd run before rc.d/ipfw, so the module is automatically loaded in time.
>How-To-Repeat:
>Fix:
--- rc.d-natd.patch begins here ---
diff --git etc/rc.d/natd etc/rc.d/natd
index 35f17bb..fcc8920 100755
--- etc/rc.d/natd
+++ etc/rc.d/natd
@@ -5,6 +5,7 @@ # PROVIDE: natd # KEYWORD: nostart nojail +# BEFORE: ipfw . /etc/rc.subr . /etc/network.subr
--- rc.d-natd.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
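Review bot: The hunk's own context keeps `# KEYWORD: nostart nojail`, and rc(8) collects the boot sequence with `rcorder -s nostart`, so rc.d/natd is still not run by rc at boot; adding `+# BEFORE: ipfw` changes what a bare `rcorder /etc/rc.d/*` prints but does not by itself get ipdivert loaded before rc.d/ipfw adds its divert rules. Consider instead having rc.d/ipfw pull the module in when natd is enabled (for example by appending ipdivert to its `required_modules` when `natd_enable` is set), and say in the commit message why ordering alone is not enough.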
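To show how rcorder(8) turns PROVIDE/REQUIRE/BEFORE lines into a start order, and what the `nostart` keyword does to a script at boot, here is an added Python sketch of the ordering algorithm; it is not part of the PR or of FreeBSD's rcorder, and the ipfw/natd/ppp headers it orders are constructed for the example rather than copied from the real rc.d files.

```python
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$", re.M)

def parse_header(text):
    fields = defaultdict(list)             # keyword -> list of names
    for key, val in HEADER_RE.findall(text):
        fields[key].extend(val.split())
    return fields

def rc_order(scripts, skip_keywords=()):
    """Mini rcorder: scripts maps name -> header text; returns start order.
    '# BEFORE: X' on S is resolved as X requiring S, as rcorder(8) does;
    scripts with a skipped KEYWORD are left out, like 'rcorder -s keyword'."""
    meta = {n: parse_header(t) for n, t in scripts.items()}
    provides = defaultdict(list)           # provided name -> scripts
    for n, m in meta.items():
        for p in m["PROVIDE"] or [n]:
            provides[p].append(n)
    deps = {n: set() for n in scripts}     # script -> scripts that run first
    for n, m in meta.items():
        for r in m["REQUIRE"]:
            deps[n].update(provides.get(r, []))
        for b in m["BEFORE"]:
            for later in provides.get(b, []):
                deps[later].add(n)
    order, state = [], {}
    def visit(n):                          # depth-first topological sort
        if state.get(n) == "visiting":
            raise ValueError("dependency cycle at " + n)
        if state.get(n) == "done": return
        state[n] = "visiting"
        for d in sorted(deps[n]): visit(d)
        state[n] = "done"
        order.append(n)
    for n in sorted(scripts):
        visit(n)
    return [n for n in order if not set(meta[n]["KEYWORD"]) & set(skip_keywords)]
# Constructed headers modelled on the PR, not copies of the real rc.d files.
UNPATCHED = {
    "ppp":  "# PROVIDE: ppp\n",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: ppp\n",
    "natd": "# PROVIDE: natd\n# KEYWORD: nostart nojail\n",
}
PATCHED = dict(UNPATCHED, natd=UNPATCHED["natd"] + "# BEFORE: ipfw\n")

if __name__ == "__main__":
    for label, skip in (("rcorder:", ()), ("rc(8) -s nostart:", ("nostart",))):
        print(label, rc_order(UNPATCHED, skip), "->", rc_order(PATCHED, skip))
```

The second line of output is the one that matters at boot: with `nostart` skipped, natd drops out of the sequence whether or not the BEFORE line is present.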
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120503192641.C77AFDED>