From owner-freebsd-net@FreeBSD.ORG Sun Apr 17 06:01:25 2011
Date: Sun, 17 Apr 2011 02:01:17 -0400
From: "J. Hellenthal"
To: Ian Smith
Cc: freebsd-net@freebsd.org, hrs@freebsd.org, rondzierwa@comcast.net
Subject: Re: natd starting after firewall rules are loaded
Message-ID: <20110417060117.GA20390@DataIX.net>
In-Reply-To: <20110417150456.J35056@sola.nimnet.asn.au>
References: <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net> <20110417150456.J35056@sola.nimnet.asn.au>
List-Id: Networking and TCP/IP with FreeBSD
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E

On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
> On Sat, 16 Apr 2011, rondzierwa@comcast.net wrote:
>
> > After the firewall rules are loaded, the rc script then loads natd.
> > Once the system is up, I can ipfw list and the divert command is,
> > in fact, not there, but by this time natd is running. If I run the
> > rc.firewall script interactively, it completes successfully and the
> > divert rule is in the list, and everyone is happy again.
>
> There are several outstanding PRs about this and related issues; copying
> hrs@ who grabbed these PRs a while ago. The quick fix is to add
>
> ipdivert_load="YES"
>
> to /boot/loader.conf so it's there before ipfw & natd start. You still
> need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
>
> > In 4.9 there used to be an rc.network script that started natd before
> > it loaded the firewall rules. I do not see it in 8.2 anymore; instead
> > it looks like rc simply runs the scripts in rc.d alphabetically, so natd
> > comes after ipfw.
>
> Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
> keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but
> as you've seen, ipfw's attempt to install divert rule(s) fails for want
> of ipdivert.ko - which /etc/rc.d/natd does load, but too late.
>
> > I can't believe I'm the only one using ipfw and natd with 8.2, so it
> > seems to me that I just don't know the secret handshake that will
> > make it work.
>
> In 4.x you had to build ipfw into kernel; lots of changes since :)
>
> cheers, Ian

Add the following to change the order in which the scripts run.

/etc/rc.d/natd:
# BEFORE: ipfw

/etc/rc.d/ipfw:
# AFTER: natd

And that will change the order in which the scripts execute. Whether this
has any implications on other running daemons you will have to check, but
as far as rcorder(8) goes that will put ipfw executing just after natd.

rcorder /etc/rc.d/*
[...]
/etc/rc.d/routed
/etc/rc.d/defaultroute
/etc/rc.d/natd
/etc/rc.d/ipfw
/etc/rc.d/netoptions
/etc/rc.d/NETWORKING
[...]

PS: For those with commit bits...

$ rcorder /etc/rc.d/ipfw
rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
/etc/rc.d/ipfw

Don't know why, because

$ grep -n ppp /etc/rc.d/* | grep PROVIDE
/etc/rc.d/ppp:6:# PROVIDE: ppp

There are a few other scripts in there that generate other similar errors,
but this one seems sketchy to me.

-- 
Regards,

J. Hellenthal
WWJD
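The ordering mechanism the thread is arguing about, as an added worked example (editor's code, not part of the mail above and not FreeBSD's rcorder source). rcorder(8) reads the `# PROVIDE:`, `# REQUIRE:`, `# BEFORE:` and `# KEYWORD:` comment lines of every file named on its command line and prints those files in dependency order; a `# BEFORE: ipfw` line in natd is by itself enough to force natd ahead of ipfw, and the model below ignores any keyword it does not recognise. The rc.d headers are constructed stand-ins, not copies of /etc/rc.d, and the depth-first walk in argument order is a modelling assumption about tie-breaking, not a promise about the real tool's output. The last call reproduces the diagnostic from the PS: when only one file is passed, nothing in the input set provides `ppp`, so rcorder warns and still emits the file.

```python
"""Model of how rcorder(8) orders rc.d scripts from their comment headers.

Added example, not code from the mail or from FreeBSD.  Implements
PROVIDE/REQUIRE/BEFORE with a depth-first walk in argument order, emitting
each file after the files it depends on.  Headers below are constructed.
"""
import re
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$", re.M)

# Constructed headers: just enough to reproduce the natd/ipfw situation.
BASELINE: Dict[str, str] = {
    "/etc/rc.d/NETWORKING": "#!/bin/sh\n# PROVIDE: NETWORKING\n# REQUIRE: netif ipfw natd\n",
    "/etc/rc.d/ipfw": "#!/bin/sh\n# PROVIDE: ipfw\n# REQUIRE: ppp\n",
    "/etc/rc.d/natd": "#!/bin/sh\n# PROVIDE: natd\n# REQUIRE: netif\n# KEYWORD: nostart\n",
    "/etc/rc.d/netif": "#!/bin/sh\n# PROVIDE: netif\n",
    "/etc/rc.d/ppp": "#!/bin/sh\n# PROVIDE: ppp\n# REQUIRE: netif\n",
}


def parse_headers(text: str) -> Dict[str, List[str]]:
    """Collect the rcorder keywords from a script's leading comments."""
    found: Dict[str, List[str]] = {"PROVIDE": [], "REQUIRE": [], "BEFORE": [], "KEYWORD": []}
    for key, value in HEADER_RE.findall(text):
        found[key].extend(value.split())
    return found


def rcorder(scripts: Dict[str, str], files: List[str]) -> Tuple[List[str], List[str]]:
    """Return (ordered files, warnings) for exactly the `files` given.

    As with rcorder(8), only the files passed in are considered: a REQUIRE
    whose provider is not among them produces the "has no providers"
    warning, and the requiring file is still emitted.
    """
    headers = {f: parse_headers(scripts[f]) for f in files}
    providers: Dict[str, str] = {}
    for f in files:
        for name in headers[f]["PROVIDE"]:
            providers.setdefault(name, f)

    # deps[f] lists the files that must run before f.
    deps: Dict[str, List[str]] = {f: [] for f in files}
    warnings: List[str] = []
    for f in files:
        for req in headers[f]["REQUIRE"]:
            if req in providers:
                deps[f].append(providers[req])
            else:
                warnings.append(
                    f"rcorder: requirement `{req}' in file `{f}' has no providers.")
        for target in headers[f]["BEFORE"]:
            # "# BEFORE: x" is the same as adding "REQUIRE: <this>" to x's
            # provider.  Unprovided BEFORE targets are ignored (assumption).
            if target in providers:
                deps[providers[target]].append(f)

    order: List[str] = []
    done, visiting = set(), set()

    def visit(f: str) -> None:
        if f in done:
            return
        if f in visiting:
            raise RuntimeError(f"circular dependency involving {f}")
        visiting.add(f)
        for dep in deps[f]:
            visit(dep)
        visiting.discard(f)
        done.add(f)
        order.append(f)

    for f in files:
        visit(f)
    return order, warnings


def with_before_fix(scripts: Dict[str, str]) -> Dict[str, str]:
    """Apply the one header change the mail proposes for natd."""
    fixed = dict(scripts)
    fixed["/etc/rc.d/natd"] += "# BEFORE: ipfw\n"
    return fixed


if __name__ == "__main__":
    everything = sorted(BASELINE)  # same order as a C-locale shell glob
    for label, tree in (("baseline", BASELINE), ("with BEFORE: ipfw", with_before_fix(BASELINE))):
        order, warnings = rcorder(tree, everything)
        print(f"{label}: {' '.join(p.rsplit('/', 1)[1] for p in order)}")
    # One file only, as in the PS: nothing in the set provides ppp.
    order, warnings = rcorder(BASELINE, ["/etc/rc.d/ipfw"])
    print(*warnings, *order, sep="\n")
```

The baseline run yields netif, ppp, ipfw, natd, NETWORKING; adding `# BEFORE: ipfw` to natd moves natd ahead of ipfw without touching any other file. The practical check on a real box is the one the thread already names: after boot, `ipfw list` must show the divert rule, and if it does not, the firewall came up without NAT regardless of what `ps` says about natd.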