From owner-freebsd-stable@FreeBSD.ORG Tue May 3 17:47:05 2011
Delivered-To: freebsd-stable@freebsd.org
Date: Wed, 4 May 2011 03:47:02 +1000 (EST)
From: Ian Smith
To: KIRIYAMA Kazuhiko
Cc: freebsd-stable@freebsd.org
Subject: Re: /etc/rc.d/ipfw can't deal with firewall_type?
In-Reply-To: <201105031543.p43Fh92T041708@pis.elm.toba-cmt.ac.jp>
Message-ID: <20110504030404.O85801@sola.nimnet.asn.au>
References: <201105031543.p43Fh92T041708@pis.elm.toba-cmt.ac.jp>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
List-Id: Production branch of FreeBSD source code

On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:

 > Hi all,
 > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
 > all packets could not get over the nat box. I've researched and found
 > /etc/rc.firewall does not receive the argument of firewall_type. So ipfw does
 > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw is
 > incorrect. I think the patch below should be applied to /etc/rc.d/ipfw. Is
 > there any problem to do this?

Yes. Assuming you are using the default firewall_script="/etc/rc.firewall", then as it says early in /etc/rc.firewall, you just needed to:

 # Define the firewall type in /etc/rc.conf. Valid values are:
 [..]

Sure, /etc/rc.firewall can set firewall_type to a parameter if you pass it one, but otherwise uses whatever $firewall_type is set to when you start ipfw. I guess the code below allows you to use syntax like:

 # /etc/rc.d/ipfw start client

to override the $firewall_type set in /etc/rc.conf, but it's not the common usage, nor is it how ipfw is started normally by rc.

So just set firewall_type in rc.conf and you should be fine .. unless you meant that you're trying to run ipfw & natd INSIDE a jail?

cheers, Ian

 > --- /etc/rc.d/ipfw.org 2011-05-03 18:19:28.000000000 +0900
 > +++ /etc/rc.d/ipfw 2011-05-03 22:08:14.000000000 +0900
> @@ -35,15 +35,11 @@ > > ipfw_start() > { > - local _firewall_type > - > - _firewall_type=$1 > - > # set the firewall rules script if none was specified > [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall > > if [ -r "${firewall_script}" ]; then > - /bin/sh "${firewall_script}" "${_firewall_type}" > + /bin/sh "${firewall_script}" "${firewall_type}" > echo 'Firewall rules loaded.' > elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then > echo 'Warning: kernel has firewall functionality, but' \
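Review bot: dropping `_firewall_type=$1` from ipfw_start() removes the only way to pass a type on the command line (`/etc/rc.d/ipfw start client`) without addressing the reported symptom: the reply above states that /etc/rc.firewall already falls back to the rc.conf value of firewall_type when no argument is given, and the existing line `/bin/sh "${firewall_script}" "${_firewall_type}"` quotes the argument, so an empty type is passed as an empty first parameter rather than being dropped, which is what lets that fallback work. Before changing the interface, confirm what firewall_type actually holds at the point ipfw_start runs (for example, temporarily add `echo "firewall_type=${firewall_type}"` just before the `/bin/sh` line); if the rc.conf value is empty there, the fix belongs in rc.conf, not in this script. If the argument path is kept, a one-line comment above `_firewall_type=$1` saying that an optional type may be given on the command line would document the behaviour this hunk would otherwise silently remove.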
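The selection order Ian describes (an argument to /etc/rc.firewall overrides firewall_type; with no argument, the rc.conf value is used) can be checked without touching a live firewall. The script below is an added example, not code from the thread or from FreeBSD's rc.d; the stand-in "rc.firewall" it writes is an assumption about the selection logic (`[ -n "${1}" ]` overrides, otherwise the variable wins), and passing firewall_type through the environment stands in for the real script reading /etc/rc.conf itself. The function names and the UNSET marker are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc.d): models how
# /etc/rc.firewall picks firewall_type. ASSUMPTION: a non-empty first
# argument overrides the variable; otherwise the variable already set
# (by rc.conf in the real system, by the environment here) is used.

make_stub_firewall_script() {
    # Write a minimal stand-in for /etc/rc.firewall and print its path.
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
#!/bin/sh
# Stand-in for rc.firewall's type selection (assumed logic, not a copy).
if [ -n "${1}" ]; then
    firewall_type="${1}"
fi
# Print what was selected; UNSET marks an empty/unset type, which on a real
# box would leave only the kernel's default "65535 deny ip from any to any".
printf '%s\n' "${firewall_type:-UNSET}"
EOF
    printf '%s\n' "$_f"
}

# run_firewall_script RCCONF_TYPE ARG
# Mimics ipfw_start(): RCCONF_TYPE plays the role of firewall_type from
# rc.conf, ARG the optional command-line type.  The argument is always
# passed, quoted, even when empty, exactly as the unpatched rc.d/ipfw does
# with "${_firewall_type}".  Prints the type the script ended up using.
run_firewall_script() {
    _script=$(make_stub_firewall_script) || return 1
    firewall_type="$1" /bin/sh "$_script" "$2"
    _rc=$?
    rm -f "$_script"
    return $_rc
}

# Stand-alone demonstration of the three cases that matter.
run_firewall_script client ''       # rc.conf value, no argument  -> client
run_firewall_script client open     # argument overrides rc.conf  -> open
run_firewall_script '' ''           # nothing set anywhere        -> UNSET
```

The third case is the one to look for when "no packets get through": an empty firewall_type with the default script means no rules, not an open firewall, so the kernel's default deny rule is all that is loaded.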