Date: Sat, 31 Jan 2004 14:46:57 -0800 (PST)
From: kosmos <kosmos@kosmos.my.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/62193: firewall klm fails to parse divert keyword properly
Message-ID: <200401312246.i0VMkv5e000350@kosmos.my.net>
Resent-Message-ID: <200401312250.i0VMoMGr091392@freefall.freebsd.org>
>Number:         62193
>Category:       kern
>Synopsis:       firewall klm fails to parse divert keyword properly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 31 14:50:22 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     abowhill
>Release:        FreeBSD 4.9-STABLE i386
>Organization:   NA
>Environment:
System: FreeBSD kosmos.my.net 4.9-STABLE FreeBSD 4.9-STABLE #1: Sat Jan 31 13:49:20 PST 2004
    root@kosmos.my.net:/usr/obj/usr/src/sys/KOSMOS i386
>Description:
When a default GENERIC 4.9-STABLE system is configured for natd and the OPEN firewall type, it fails when the system boots and tries to add an ipfw rule using the divert keyword:

Jan 31 13:27:01 kosmos /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding enabled, default to d$
Jan 31 13:27:01 kosmos /kernel: ip_fw_ctl: invalid command

In /etc/rc.firewall (Network Address Translation section, near line 110) the following line triggers the error:

${fwcmd} add 50 divert natd all from any to any via ${natd_interface}

This error only happens when using the firewall klm, as when the system is built with a default GENERIC kernel. If the kernel is rebuilt with the firewall options enabled:

options IPFIREWALL
options IPDIVERT

the divert command in /etc/rc.firewall works fine, because the klm is not loaded.
>How-To-Repeat:
1.) Obtain the latest 4.9-STABLE source tree (probably post Jan. 26th)
2.) Modify /etc/rc.conf to set the system up for nat forwarding:
    natd_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
3.) Build and install a system using the GENERIC kernel configuration to force the firewall klm to load
4.) Reboot, noting the "Invalid command" error message on screen and in /var/log/messages
5.) Rebuild the kernel with the options:
    options IPFIREWALL
    options IPDIVERT
6.) Reboot the system, noting that the firewall divert command works correctly
>Fix:
Workaround: build the kernel with the IPFIREWALL and IPDIVERT options, circumventing the firewall kernel loadable module.
>Release-Note:
>Audit-Trail:
>Unformatted:
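The failure mode in this PR is quietly dangerous from an operator's point of view: if the divert rule is rejected, natd keeps running but no traffic is ever diverted to it, and the box sits on the network with a firewall configured for NAT that performs none. The script below is an added example (not part of the PR and not FreeBSD's own rc.firewall) showing one defensive check a boot script could make: read the ipfw initialisation banner the kernel logs, decide whether divert support is present, and only then emit the `add 50 divert natd ...` rule, failing closed otherwise. The banner lines are constructed samples (the first mirrors the one quoted in the Description), and `fxp0` is an assumed stand-in for `${natd_interface}`; the function names are this example's own.

```shell
#!/bin/sh
# Added example: refuse to add rc.firewall's natd divert rule unless the
# kernel reports divert support. Not the PR's or FreeBSD's own code.

# Constructed sample kernel banners, as they would appear in /var/log/messages.
# BANNER_KLM mirrors the PR: ipfw loaded as a module, no IPDIVERT.
BANNER_KLM='Jan 31 13:27:01 kosmos /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding enabled'
# BANNER_STATIC is the constructed counterpart for a kernel built with IPDIVERT.
BANNER_STATIC='Jan 31 13:49:20 kosmos /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled'

# ipfw_divert_status BANNER
#   Prints "enabled", "disabled" or "unknown" depending on what the
#   "IP packet filtering initialized" banner says about divert.
ipfw_divert_status() {
    case "$1" in
        *"IP packet filtering initialized"*"divert enabled"*)  echo enabled ;;
        *"IP packet filtering initialized"*"divert disabled"*) echo disabled ;;
        *)                                                     echo unknown ;;
    esac
}

# natd_divert_rule STATUS IFACE
#   Prints the rc.firewall rule (same text as the PR's line 110, with the
#   interface substituted) only when divert is usable. Any other status
#   prints nothing and returns 1, so the caller fails closed instead of
#   hitting "ip_fw_ctl: invalid command" and running natd without NAT.
natd_divert_rule() {
    status=$1
    iface=$2
    if [ "$status" = enabled ]; then
        printf 'add 50 divert natd all from any to any via %s\n' "$iface"
        return 0
    fi
    return 1
}

# check_banner BANNER IFACE
#   Convenience wrapper: classify the banner, then try to produce the rule.
#   Exit status 0 means the rule was printed; 1 means NAT must not be started.
check_banner() {
    natd_divert_rule "$(ipfw_divert_status "$1")" "$2"
}

# Demonstration on the constructed banners (assumed interface: fxp0).
for banner in "$BANNER_KLM" "$BANNER_STATIC"; do
    status=$(ipfw_divert_status "$banner")
    if rule=$(check_banner "$banner" fxp0); then
        echo "divert $status: would run: ipfw $rule"
    else
        echo "divert $status: refusing to start natd (divert rule would be rejected)"
    fi
done
```

In a real rc script the banner would come from `dmesg` rather than a fixed string, and the `return 1` path is the point: a NAT gateway whose divert rule failed should stop the boot sequence or at least log loudly, not continue as if NAT were in place.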