Date: Mon, 18 Apr 2011 02:53:43 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: "J. Hellenthal" <jhell@DataIX.net>
Cc: freebsd-net@freebsd.org, hrs@freebsd.org, rondzierwa@comcast.net
Subject: Re: natd starting after firewall rules are loaded
Message-ID: <20110418010850.Q35056@sola.nimnet.asn.au>
In-Reply-To: <20110417060117.GA20390@DataIX.net>
References: <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net> <20110417150456.J35056@sola.nimnet.asn.au> <20110417060117.GA20390@DataIX.net>
On Sun, 17 Apr 2011, J. Hellenthal wrote:
> On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
> >On Sat, 16 Apr 2011, rondzierwa@comcast.net wrote:
> >
> > > After the firewall rules are loaded, the rc script then loads natd,
> > > Once the system is up, I can ipfw list and the divert command is,
> > > in fact, not there, but by this time natd is running. If I run the rc.firewall
> > > script interactively, it completes successfully and the divert rule
> > > is in the list, and everyone is happy again.
> >
> >There are several outstanding PRs about this and related issues; copying
> >hrs@ who grabbed these PRs a while ago. The quick fix is to add
> >
> >ipdivert_load="YES"
> >
> >to /boot/loader.conf so it's there before ipfw & natd start. You still
> >need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
> >
> > > In 4.9 there used to be a rc.network script that started natd before
> > > it loaded the firewall rules. I do not see it in 8.2 anymore, instead
> > > it looks like rc simply runs the scripts in rc.d alphabetically, so natd
> > > comes after ipfw.
> >
> >Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
> >keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but

Sorry, it has 'KEYWORD: nostart nojail', so /etc/rc.d/natd is not run by
rc on system (or jail) startup, enabled or not.

> >as you've seen, ipfw's attempt to install divert rule(s) fails for want
> >of ipdivert.ko - which /etc/rc.d/natd does load, but too late.

[..]

> Add the following to change the order of the scripts in which they run.
>
> /etc/rc.d/natd:
> # BEFORE: ipfw
>
> /etc/rc.d/ipfw:
> # AFTER: natd
>
> And that will change the order in which the scripts execute. Whether
> this has any implications on other running daemons you will have to
> check but as far as the rcorder(8) goes that will put ipfw executing
> just after natd.

A solution for many ordering problems, but not this one.
It's been an ongoing tug'o'war for years, but recent consensus starts and
stops natd from /etc/rc.d/ipfw, loading ipfw rules before starting natd
and other 'firewall_coscripts', only then enabling the firewall; vice
versa on stopping and so, restarting. For this bug, ipfw just lacks
requiring module ipdivert when natd is enabled (and firewall_nat is not
enabled, but that's another issue :)

> rcorder /etc/rc.d/*
> [...]
> /etc/rc.d/routed
> /etc/rc.d/defaultroute
> /etc/rc.d/natd
> /etc/rc.d/ipfw
> /etc/rc.d/netoptions
> /etc/rc.d/NETWORKING
> [...]

natd won't run on startup; ipfw will still run natd after ipfw rules are
loaded but still needs ipdivert.ko loaded before loading divert rules :)

> PS: For those with commit bits...
> $ rcorder /etc/rc.d/ipfw
> rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
> /etc/rc.d/ipfw
>
> Don't know why because,
> $ grep -n ppp /etc/rc.d/* | grep PROVIDE
> /etc/rc.d/ppp:6:# PROVIDE: ppp

!rcorder /etc/rc.d/ipfw /etc/rc.d/ppp
rcorder: requirement `netif' in file `/etc/rc.d/ppp' has no providers.
/etc/rc.d/ppp
/etc/rc.d/ipfw

and so on .. rcorder only considers files provided as arguments.

Ron: 4.6 to 8.2 is quite a jump, maybe time to rescan the ol' Handbook?

% find /sys/ -name NOTES
/sys/conf/NOTES
/sys/amd64/conf/NOTES
/sys/i386/conf/NOTES
[..]

cheers, Ian
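As an added example (not code from this thread, from FreeBSD's rcorder(8), or from any rc.d script), the following Python models the two mechanics the thread turns on: rcorder-style ordering from PROVIDE/REQUIRE/BEFORE/KEYWORD headers, including a `nostart`-style skip and the "has no providers" warning that appears when a required script is not among the files passed in, and a check that the `ipdivert_load="YES"` fix is present in loader.conf whenever `natd_enable` is set. The rc.d headers and conf lines are constructed and abbreviated, and the skip semantics are simplified (a skipped file's PROVIDE still satisfies its dependants).

```python
"""Added example: minimal rcorder(8)-style ordering plus a loader.conf check.
Illustration only; not FreeBSD's rcorder or any rc.d script. The sample
headers below are constructed and abbreviated, not copied from the tree."""
import heapq
import re
from collections import defaultdict

# Constructed sample rc.d headers modelled on the 8.x layout discussed in
# the thread: natd carries 'nostart', ipfw requires ppp, ppp requires netif.
SAMPLE_RC_D = {
    "/etc/rc.d/netif":   "#!/bin/sh\n# PROVIDE: netif\n# KEYWORD: nojail\n",
    "/etc/rc.d/ppp":     "#!/bin/sh\n# PROVIDE: ppp\n# REQUIRE: netif\n# KEYWORD: nojail\n",
    "/etc/rc.d/ipfw":    "#!/bin/sh\n# PROVIDE: ipfw\n# REQUIRE: ppp\n# KEYWORD: nojail\n",
    "/etc/rc.d/natd":    "#!/bin/sh\n# PROVIDE: natd\n# REQUIRE: netif\n# BEFORE: ipfw\n"
                         "# KEYWORD: nostart nojail\n",
    "/etc/rc.d/routing": "#!/bin/sh\n# PROVIDE: routing\n# REQUIRE: netif ppp\n# KEYWORD: nojail\n",
}

KEYWORD_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$")
CONF_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?')


def parse_header(text):
    """Collect PROVIDE/REQUIRE/BEFORE/KEYWORD words from a script's comment block."""
    info = defaultdict(list)
    for line in text.splitlines():
        m = KEYWORD_RE.match(line)
        if m:
            info[m.group(1)].extend(m.group(2).split())
    return info


def rcorder(scripts, skip=()):
    """Return (start_order, warnings) for the scripts given as {path: text}.

    Like rcorder(8), only the files passed in are considered, so a REQUIRE
    whose provider was left off the command line is reported as having no
    providers instead of being resolved from /etc/rc.d. Files carrying any
    keyword in `skip` are omitted from the output (rcorder -s); here their
    PROVIDEs still satisfy dependants, a simplification of the real tool.
    """
    headers = {path: parse_header(text) for path, text in scripts.items()}
    providers = defaultdict(list)
    for path, h in headers.items():
        for name in h["PROVIDE"]:
            providers[name].append(path)
    successors = defaultdict(set)      # edge a -> b means a runs before b
    indeg = {path: 0 for path in scripts}
    warnings = []

    def add_edge(a, b):
        if b not in successors[a]:
            successors[a].add(b)
            indeg[b] += 1

    for path, h in headers.items():
        for name in h["REQUIRE"]:
            if name not in providers:
                warnings.append(
                    f"requirement `{name}' in file `{path}' has no providers.")
                continue
            for p in providers[name]:
                add_edge(p, path)
        for name in h["BEFORE"]:
            for p in providers.get(name, []):
                add_edge(path, p)

    # Kahn's topological sort; ties broken by path name so output is stable.
    ready = [p for p, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        cur = heapq.heappop(ready)
        order.append(cur)
        for nxt in successors[cur]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                heapq.heappush(ready, nxt)
    if len(order) != len(scripts):
        warnings.append("circular dependency detected")
    skipped = {p for p, h in headers.items() if set(h["KEYWORD"]) & set(skip)}
    return [p for p in order if p not in skipped], warnings


def parse_conf(text):
    """Read simple rc.conf/loader.conf style name="value" assignments."""
    return {m.group(1): m.group(2).strip()
            for m in map(CONF_RE.match, text.splitlines()) if m}


def divert_ready(rc_conf, loader_conf):
    """True when natd is enabled and loader.conf carries ipdivert_load="YES"
    (the quick fix above), so the module is in the kernel before ipfw tries
    to install the divert rule; also True when natd is not enabled at all."""
    rc, ld = parse_conf(rc_conf), parse_conf(loader_conf)
    if rc.get("natd_enable", "NO").upper() != "YES":
        return True
    return ld.get("ipdivert_load", "NO").upper() == "YES"


if __name__ == "__main__":
    order, _ = rcorder(SAMPLE_RC_D, skip=("nostart",))
    print("\n".join(order))            # natd is absent: it carries KEYWORD nostart
    _, warn = rcorder({"/etc/rc.d/ipfw": SAMPLE_RC_D["/etc/rc.d/ipfw"]})
    print(warn[0])                     # ppp was not among the files passed in
    print(divert_ready('natd_enable="YES"\n', ''))   # False: fix missing
```

Running the script shows natd dropped from the start order by the `nostart` keyword even though its `BEFORE: ipfw` line would have placed it ahead of ipfw, reproduces the `requirement `ppp' ... has no providers` message when ipfw is ordered on its own, and flags an rc.conf that enables natd without the matching `ipdivert_load` line.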