Date: Tue, 8 Mar 2011 01:00:05 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Thomas Sandford <freebsduser@paradisegreen.co.uk>
Cc: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org, Dave Johnson <ctfreebsd@gmail.com>
Subject: Re: Kernel Update / IPFW not working
Message-ID: <20110308001102.W68517@sola.nimnet.asn.au>
In-Reply-To: <4D74C296.70204@paradisegreen.co.uk>
References: <AANLkTimYYknQEpq63gS2vkx+EnashoqBGfG78-BBeayC@mail.gmail.com> <4D74C296.70204@paradisegreen.co.uk>
On Mon, 7 Mar 2011, Thomas Sandford wrote:
> On 06/03/2011 14:23, Dave Johnson wrote:
> > An IPFW problem when going from release to stable on 8.2
> >
> > Any help gladly accepted
> >
> > LOG ON
> >
> > Flushed all rules.
> > 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> > 00030 divert 8668 ip from any to any via bge0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > 50000 allow ip from any to any
> > Firewall rules loaded.
> > Starting natd.
> >
> > rc.conf
> > defaultrouter="192.168.0.1"
> > gateway_enable="YES"
> > hostname="xxx.xxx.xxx"
> > ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> > keymap="us.iso"
> > moused_enable="YES"
> > sshd_enable="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/rc.firewall"
> > natd_program="/sbin/natd"
> > natd_enable="YES"
> > natd_interface="bge0"
> > natd_flags="-f /etc/natd.conf"
> > dhcpd_enable="NO"
> > dhcpd_flags="-q"
> > dhcpd_conf="/usr/local/etc/dhcpd.conf"
> > dhcpd_ifaces="em0"
> > dhcpd_withumask="022"
> >
> > ... [additional config which doesn't further isolate the problem snipped]
> > ...

Beg to differ. 'ipfw fwd' still requires building a custom kernel with
options IPFIREWALL_FORWARD last I heard. Julian's explained a few times
that it's not compiled in by default for performance reasons, and can't be
isolated to modules as it adds code in multiple parts of the stack.

> It's a bug with the ipfw / natd startup scripts.
>
> See:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/153155
>
> The latter has a patch to fix the problem.

It's a similar but not quite the same issue, albeit the same message.
Quoting your conf/153155:

: /etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.
:
: This causes the divert rules that /etc/rc.firewall adds in this case to
: fail on system boot, with the following error message displayed during
: ipfw rule load:
: ipfw: getsockopt(IP_FW_ADD): Invalid argument
:
: Restarting ipfw works around the problem as /etc/rc.d/natd (which is run
: _after_ ipfw is initialised) DOES load ipdivert.

And requoting Dave's:

: > KERNEL
: >
: > options IPFIREWALL
: > options IPFIREWALL_VERBOSE
: > options IPFIREWALL_VERBOSE_LIMIT=5
: > options IPFIREWALL_DEFAULT_TO_ACCEPT
: > options IPDIVERT
: > options DUMMYNET

In this case ipfw was built into kernel, including IPDIVERT, so it's not a
failure to load that module but lack of IPFIREWALL_FORWARD, I believe.

Hopefully hrs@ is still looking into patches including yours and mine re
/etc/rc.d script module loading order and natd vs kernel nat issues ..

cheers, Ian
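As an added example that is not part of this thread: a small preflight script, constructed here, that scans an ipfw rule set (in the one-rule-per-line format `ipfw list` prints) for actions needing kernel support beyond plain IPFIREWALL, following the mapping Ian gives above (divert needs IPDIVERT or the ipdivert module; fwd needs IPFIREWALL_FORWARD, which is not loadable) and also covering pipe/queue rules, which need the DUMMYNET option from Dave's kernel config. The module check uses FreeBSD's `kldstat -q -m`; the sample rules are those from the boot log above.

```shell
#!/bin/sh
# Added example, not from the thread: preflight an ipfw rule set before
# /etc/rc.firewall adds it, so a missing module shows up as a clear message
# instead of "ipfw: getsockopt(IP_FW_ADD): Invalid argument" during boot.
# Rules are read from stdin, one per line, as "ipfw list" prints them.

# Print one line per required kernel feature, in a fixed order.
ipfw_rule_requirements() {
    awk '
        # Field 1 is the rule number, field 2 the action keyword.
        $2 == "divert"                { divert = 1 }
        $2 == "fwd"                   { fwd = 1 }
        $2 == "pipe" || $2 == "queue" { dn = 1 }
        END {
            if (divert) print "divert: needs IPDIVERT (kernel option) or ipdivert.ko (loadable)"
            if (fwd)    print "fwd: needs IPFIREWALL_FORWARD (kernel option only, not loadable)"
            if (dn)     print "pipe/queue: needs DUMMYNET (kernel option) or dummynet.ko (loadable)"
        }'
}

# Is a module compiled in or loaded? 0 = yes, 1 = no, 2 = cannot tell here
# (kldstat absent, e.g. when this runs on a non-FreeBSD host).
ipfw_module_present() {
    command -v kldstat >/dev/null 2>&1 || return 2
    kldstat -q -m "$1"
}

# Report requirements and check the loadable ones against the running kernel.
ipfw_preflight() {
    ipfw_rule_requirements | while IFS= read -r line; do
        echo "$line"
        case "$line" in
            divert:*)     mod=ipdivert ;;
            pipe/queue:*) mod=dummynet ;;
            *)            continue ;;
        esac
        ipfw_module_present "$mod" && rc=0 || rc=$?
        case "$rc" in
            0) echo "  $mod: present in running kernel" ;;
            2) echo "  $mod: cannot check here (no kldstat)" ;;
            *) echo "  $mod: MISSING - load it before these rules are added" ;;
        esac
    done
}

# Constructed sample: the three rules from the boot log above.
SAMPLE_RULES='00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00030 divert 8668 ip from any to any via bge0
50000 allow ip from any to any'
# Usage: printf '%s\n' "$SAMPLE_RULES" | ipfw_preflight
```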