From: Jonathan McKeown
Organization: Health Systems Trust
To: Terry Todd
Cc: freebsd-questions@freebsd.org
Date: Fri, 13 Apr 2007 09:28:05 +0200
Subject: Re: ipfw fwd not working in 6.2-release
Message-Id: <200704130928.05581.jonathan@hst.org.za>
In-Reply-To: <20070412135824.A82713@badger.tltodd.com>
References: <20070403105841.A98763@badger.tltodd.com> <200704051620.22407.jonathan@hst.org.za> <20070412135824.A82713@badger.tltodd.com>

[Reordered, freebsd-questions re-added]

On Thursday 12 April 2007 20:58, Terry Todd wrote:
> On Thu, Apr 05, 2007 at 04:20:22PM +0200, Jonathan McKeown wrote:
> > On Thursday 05 April 2007 16:01, Jonathan McKeown wrote:
> > > On Thursday 05 April 2007 15:42, Terry Todd wrote:
> >
> > [ipfw not accepting fwd rules when kernel built with
> > options IPFIREWALL_FORWARD
> > and I agreed, saying]
> >
> > > Has the way ipfw.ko is built changed? Do we need to compile ipfw into
> > > the kernel to use ipfw fwd rules now? Or can I force ipfw.ko to be
> > > rebuilt with forwarding included?
> >
> > I'm on my way home now, but a quick look at the source suggests that
> > unless ipfw.ko is built with this option set, rule-based forwarding is
> > disabled - and indeed this message appears in my boot messages.
> >
> > Presumably the option is not fed to the module during a buildkernel.
> >
> > I'm going to try building just that module with the option set.
>
> Have you made any progress on this?
>
> Thanks,

I must admit I gave up on rebuilding the module. My rationale for using ipfw.ko rather than options IPFIREWALL was to reduce the number of custom kernels I run (I have several servers throughout South Africa and in London, with a central build system). It dawned on me that if I'm using options IPFIREWALL_FORWARD I'm already building a custom kernel anyway, so I might as well add options IPFIREWALL as well. That worked.

The alternative seems to be to edit the Makefile for ipfw - which I didn't want to do as I'm building multiple kernels for multiple machines on my build box.
If you're building one kernel on the box it's going to be installed on, it looks to me as though the place to start is /sys/modules/ipfw/Makefile, which I'm quoting in its entirety as it's a short file:

========
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.21.2.2 2006/09/19 15:45:21 csjp Exp $

.PATH: ${.CURDIR}/../../netinet

KMOD=	ipfw
SRCS=	ip_fw2.c ip_fw_pfil.c
SRCS+=	opt_inet6.h opt_ipsec.h opt_mac.h
CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
#CFLAGS+= -DIPFIREWALL_VERBOSE
#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
#
#If you want it to pass all packets by default
#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
#

.if !defined(KERNBUILDDIR)
.if !defined(NO_INET6)
opt_inet6.h:
	echo "#define INET6 1" > ${.TARGET}
.endif
.endif

.include
========

It looks as though you would need to add

CFLAGS += -DIPFIREWALL_FORWARD

to build an ipfw.ko which supports forward rules. You can see quickly whether you have succeeded, as ipfw (built-in or loaded as module) puts a line into your boot messages which tells you whether ``rule-based forwarding'' is enabled or disabled.

This may be more of a question for -hackers than -questions, but I'd be interested to know why modules ignore kernel options and whether there's any way to change or override that.

Jonathan
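The Makefile edit and the boot-message check described in the mail above, as an added shell example that is not part of the original message or of the FreeBSD source tree. It appends the IPFIREWALL_FORWARD define to a copy of the module Makefile only when no uncommented CFLAGS line already carries it, and it reads boot messages (such as dmesg output) to report whether ipfw said rule-based forwarding was enabled or disabled. The function names, the sample Makefile fragment, the sample boot lines and the exact wording of the ipfw initialisation message are constructed assumptions for this example, not text taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the original mail or the FreeBSD source tree.
# It automates the two things the reply describes: adding the
# IPFIREWALL_FORWARD define to a copy of the ipfw module Makefile, and
# checking the ipfw boot message for the "rule-based forwarding" status.
# File names, the working copy and the sample text below are constructed;
# point it at a real /sys/modules/ipfw/Makefile only on a box where you
# intend to rebuild the module.

# has_forward_flag MAKEFILE
#   Succeed (exit 0) when an uncommented CFLAGS line defines IPFIREWALL_FORWARD.
has_forward_flag() {
    grep -Eq '^[[:space:]]*CFLAGS[[:space:]]*\+?=.*-DIPFIREWALL_FORWARD' "$1"
}

# add_forward_flag MAKEFILE
#   Append "CFLAGS+= -DIPFIREWALL_FORWARD" to MAKEFILE unless a CFLAGS line
#   already carries that define, so re-running the script is harmless.
add_forward_flag() {
    if has_forward_flag "$1"; then
        return 0
    fi
    printf 'CFLAGS+= -DIPFIREWALL_FORWARD\n' >> "$1"
}

# fwd_status
#   Read boot messages (e.g. the output of dmesg) on stdin and print
#   "enabled", "disabled" or "unknown" depending on what ipfw reported.
fwd_status() {
    awk '
        /ipfw/ && /rule-based forwarding enabled/  { print "enabled";  found = 1; exit }
        /ipfw/ && /rule-based forwarding disabled/ { print "disabled"; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# Constructed sample boot lines; the second imitates the ipfw initialisation
# message the mail refers to (wording assumed, not copied from a real box).
SAMPLE_DMESG='Copyright (c) 1992-2007 The FreeBSD Project.
ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled'

# Constructed stand-in for the module Makefile (only the lines that matter here).
SAMPLE_MAKEFILE='KMOD=	ipfw
SRCS=	ip_fw2.c ip_fw_pfil.c
CFLAGS+= -DIPFIREWALL'

# demo: run both steps against temporary copies of the constructed samples.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_MAKEFILE" > "$tmp"
    add_forward_flag "$tmp"
    add_forward_flag "$tmp"          # second run must not add a duplicate line
    n=$(grep -c 'IPFIREWALL_FORWARD' "$tmp")
    rm -f "$tmp"
    status=$(printf '%s\n' "$SAMPLE_DMESG" | fwd_status)
    echo "forward define lines in Makefile copy: $n; boot message says: $status"
}

demo
```

On a real system the check step is simply `dmesg | fwd_status` after the rebuilt ipfw.ko has been loaded; the regex in has_forward_flag deliberately ignores commented-out `#CFLAGS+=` lines so that a define left in a comment is not mistaken for an active one.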