From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Date: Mon, 02 Feb 2015 21:19:37 +0300
To: freebsd-ipfw@freebsd.org
Subject: Re: How to configure nat for interface which will be created later?
Message-ID: <54CFBFB9.9040801@FreeBSD.org>
In-Reply-To: <54CFBDF7.30301@FreeBSD.org>

On 02.02.2015 21:12, Lev Serebryakov wrote:
> It is possible to use a non-existing interface name in the via / xmit /
> recv option. It allows writing a firewall which works with, say, a
> VPN connection which is created AFTER the firewall is loaded on boot.
>
> But "nat X config if " doesn't allow using a non-existing
> interface name! It looks like a very strict limitation, as it
> doesn't allow including the VPN in the nat config!
>
> Is there any solution for this problem?

Looking at "sbin/ipfw/nat.c:166" and "sys/netpfil/ipfw/ip_fw_nat.c", it looks like this userland check is too restrictive. But I'm not sure that I'm right...

-- 
// Lev Serebryakov
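As an added illustration of the situation the thread describes (an example script, not code from the mail or from the FreeBSD project): the filter rules that only name the VPN interface in via / xmit / recv are loaded at boot, while the "nat N config if IFACE" line, which ipfw(8) rejects while IFACE is absent, is deferred to a hook that runs once the interface exists. The interface name tun0, NAT instance 1, the rule numbers, the LAN prefix and the hook mechanism (an OpenVPN --up/--down script or a devd IFNET/LINK_UP notification calling "up"/"down") are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not part of the original mail. Assumptions: the VPN
# interface is tun0, NAT instance 1 and rule numbers 500/900 are unused,
# 192.168.1.0/24 is the local LAN, and an interface-up/down hook (OpenVPN
# --up/--down script, or devd on IFNET LINK_UP/LINK_DOWN) calls this
# script with "up" / "down"; rc(8) calls it with "boot".

IFACE=${IFACE:-tun0}
NAT_ID=${NAT_ID:-1}

# Run ipfw(8). $IPFW is left unquoted on purpose so the default expands to
# "ipfw -q" and a dry run can substitute IPFW=echo to print the commands.
fw() {
    ${IPFW:-ipfw -q} "$@"
}

# Safe to load at boot: via/xmit/recv accept an interface name that does
# not exist yet, so these rules are installed before the VPN comes up.
# They sit before the nat rule because, with the default
# net.inet.ip.fw.one_pass=1, a packet matched by "nat" is accepted there.
boot_rules() {
    # anti-spoofing: nothing arriving from the VPN side may carry a LAN source
    fw add 500 deny log ip from 192.168.1.0/24 to any recv "$IFACE"
    # only the LAN is allowed to be translated out over the VPN
    fw add 510 deny log ip from not 192.168.1.0/24 to any xmit "$IFACE"
}

# "nat N config if IFACE" fails while IFACE is absent, so it runs from the
# interface-up hook. "reset" flushes the NAT table when the VPN address changes.
nat_up() {
    fw nat "$NAT_ID" config if "$IFACE" same_ports reset
    fw add 900 nat "$NAT_ID" ip from any to any via "$IFACE"
}

# Undo the hook's work when the VPN goes down; the boot rules stay in place.
nat_down() {
    fw delete 900
    fw nat "$NAT_ID" delete
}

case "${1:-}" in
    boot) boot_rules ;;
    up)   nat_up ;;
    down) nat_down ;;
esac
```

Dry-run it with IPFW=echo ./vpn-nat.sh up to see the exact ipfw(8) lines the hook would issue; the boot-time rules never mention the nat instance, so they load whether or not tun0 exists.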