Date:      Fri, 13 Apr 2007 09:28:05 +0200
From:      Jonathan McKeown <jonathan@hst.org.za>
To:        Terry Todd <tlt@badger.tltodd.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw fwd not working in 6.2-release
Message-ID:  <200704130928.05581.jonathan@hst.org.za>
In-Reply-To: <20070412135824.A82713@badger.tltodd.com>
References:  <20070403105841.A98763@badger.tltodd.com> <200704051620.22407.jonathan@hst.org.za> <20070412135824.A82713@badger.tltodd.com>

[Reordered, freebsd-questions re-added]
On Thursday 12 April 2007 20:58, Terry Todd wrote:
> On Thu, Apr 05, 2007 at 04:20:22PM +0200, Jonathan McKeown wrote:
> > On Thursday 05 April 2007 16:01, Jonathan McKeown wrote:
> > > > On Thursday 05 April 2007 15:42, Terry Todd wrote:
> >
> > [ipfw not accepting fwd rules when kernel built with
> > options IPFIREWALL_FORWARD
> > and I agreed, saying]
> >
> > > Has the way ipfw.ko is built changed? Do we need to compile ipfw into
> > > the kernel to use ipfw fwd rules now? Or can I force ipfw.ko to be
> > > rebuilt with forwarding included?
> >
> > I'm on my way home now, but a quick look at the source suggests that
> > unless ipfw.ko is built with this option set, rule-based forwarding is
> > disabled - and indeed this message appears in my boot messages.
> >
> > Presumably the option is not fed to the module during a buildkernel.
> >
> > I'm going to try building just that module with the option set.
>
> Have you made any progress on this?
>
> Thanks,

I must admit I gave up on rebuilding the module. My rationale for using 
ipfw.ko rather than options IPFIREWALL was to reduce the number of custom 
kernels I run (I have several servers throughout South Africa and in London, 
with a central build system). It dawned on me that if I'm using options 
IPFIREWALL_FORWARD I'm already building a custom kernel anyway, so I might as 
well add options IPFIREWALL as well.

That worked.

The alternative seems to be to edit the Makefile for ipfw - which I didn't 
want to do as I'm building multiple kernels for multiple machines on my build 
box. If you're building one kernel on the box it's going to be installed on, 
it looks to me as though the place to start is /sys/modules/ipfw/Makefile, 
which I'm quoting in its entirety as it's a short file:

========
# $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.21.2.2 2006/09/19 15:45:21 csjp Exp $

.PATH: ${.CURDIR}/../../netinet

KMOD=   ipfw
SRCS=   ip_fw2.c ip_fw_pfil.c
SRCS+=  opt_inet6.h opt_ipsec.h opt_mac.h

CFLAGS+= -DIPFIREWALL
#
#If you want it verbose
#CFLAGS+= -DIPFIREWALL_VERBOSE
#CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
#
#If you want it to pass all packets by default
#CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
#

.if !defined(KERNBUILDDIR)
.if !defined(NO_INET6)
opt_inet6.h:
        echo "#define INET6 1" > ${.TARGET}
.endif
.endif

.include <bsd.kmod.mk>
========

It looks as though you would need to add
CFLAGS+= -DIPFIREWALL_FORWARD

to build an ipfw.ko which supports forward rules. You can see quickly whether 
you have succeeded, as ipfw (built-in or loaded as module) puts a line into 
your boot messages which tells you whether ``rule-based forwarding'' is 
enabled or disabled.

This may be more of a question for -hackers than -questions, but I'd be 
interested to know why modules ignore kernel options and whether there's any 
way to change or override that.

Jonathan

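The two steps Jonathan describes (add -DIPFIREWALL_FORWARD to the module Makefile, then look for the "rule-based forwarding" line in the boot messages) as a small POSIX sh helper. This is an added example, not code from the thread or from FreeBSD. It assumes the Makefile layout quoted above (a `CFLAGS+= -DIPFIREWALL` line followed eventually by `.include <bsd.kmod.mk>`); the Makefile copy and the dmesg line in the demo are constructed here, the latter modelled on the message ipfw prints when it initialises. The rebuild itself (`make` in /sys/modules/ipfw, then installing and reloading ipfw.ko) needs a FreeBSD source tree and is not scripted.

```shell
#!/bin/sh
# Added example, not part of the original message. Two helpers for the
# procedure described in the thread: patch the ipfw module Makefile so
# ipfw.ko is built with -DIPFIREWALL_FORWARD, and read the
# "rule-based forwarding" status out of ipfw's boot message.

# enable_ipfw_forward MAKEFILE
# Inserts "CFLAGS+= -DIPFIREWALL_FORWARD" directly after the existing
# "CFLAGS+= -DIPFIREWALL" line, or before the .include if that line is
# absent. Idempotent: prints "present" when an uncommented line already
# sets the flag, otherwise "added". Commented-out lines do not count.
enable_ipfw_forward() {
    mk="$1"
    if grep -q '^CFLAGS *+= *-DIPFIREWALL_FORWARD' "$mk"; then
        echo present
        return 0
    fi
    tmp="$mk.tmp.$$"
    awk '
        /^\.include/ && !done { print "CFLAGS+= -DIPFIREWALL_FORWARD"; done = 1 }
        { print }
        /^CFLAGS[+]= *-DIPFIREWALL *$/ && !done { print "CFLAGS+= -DIPFIREWALL_FORWARD"; done = 1 }
        END { if (!done) print "CFLAGS+= -DIPFIREWALL_FORWARD" }
    ' "$mk" > "$tmp" && mv "$tmp" "$mk"
    echo added
}

# ipfw_fwd_status < DMESG_TEXT
# Prints "enabled", "disabled" or "unknown" depending on the
# "rule-based forwarding <state>" phrase in ipfw's initialisation line
# (pipe `dmesg` into it on a real box).
ipfw_fwd_status() {
    sed -n 's/.*rule-based forwarding \([a-z]*\).*/\1/p' \
        | head -n 1 \
        | grep -E '^(enabled|disabled)$' || echo unknown
}

# Demo on a constructed copy of the Makefile quoted in the message.
work=$(mktemp -d) || exit 1
cat > "$work/Makefile" <<'EOF'
.PATH: ${.CURDIR}/../../netinet

KMOD=   ipfw
SRCS=   ip_fw2.c ip_fw_pfil.c
SRCS+=  opt_inet6.h opt_ipsec.h opt_mac.h

CFLAGS+= -DIPFIREWALL
#CFLAGS+= -DIPFIREWALL_VERBOSE

.include <bsd.kmod.mk>
EOF

echo "first run:  $(enable_ipfw_forward "$work/Makefile")"   # added
echo "second run: $(enable_ipfw_forward "$work/Makefile")"   # present
grep '^CFLAGS' "$work/Makefile"

# Constructed boot line in the shape ipfw prints at load time.
sample='ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled'
echo "forwarding: $(printf '%s\n' "$sample" | ipfw_fwd_status)"   # disabled

rm -rf "$work"
```

Because the flag is checked only on uncommented `CFLAGS` lines, the script will not be fooled by a `#CFLAGS+= -DIPFIREWALL_FORWARD` left behind from an earlier attempt, and running it twice leaves a single copy of the line.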


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200704130928.05581.jonathan>