From owner-freebsd-stable@FreeBSD.ORG Wed May  4 01:40:15 2011
Delivered-To: freebsd-stable@freebsd.org
Message-Id: <201105040140.p441eClM054591@pis.elm.toba-cmt.ac.jp>
Date: Wed, 04 May 2011 10:40:12 +0900
From: KIRIYAMA Kazuhiko
To: Ian Smith
Cc: KIRIYAMA Kazuhiko, freebsd-stable@freebsd.org
Subject: Re: /etc/rc.d/ipfw can't deal with firewall_type?
In-Reply-To: <20110504030404.O85801@sola.nimnet.asn.au>
References: <201105031543.p43Fh92T041708@pis.elm.toba-cmt.ac.jp> <20110504030404.O85801@sola.nimnet.asn.au>
List-Id: Production branch of FreeBSD source code

At Wed, 4 May 2011 03:47:02 +1000 (EST),
Ian Smith wrote:
>
> On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
>
> > Hi all,
> >
> > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
> > all packets could not get over the nat box. I've researched and found
> > /etc/rc.firewall does not receive the argument of firewall_type. So ipfw does
> > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw
> > is incorrect. I think the patch below should be applied to /etc/rc.d/ipfw. Is
> > there any problem to do this?
>
> Yes. Assuming using the default firewall_script="/etc/rc.firewall",
> then as it says early in /etc/rc.firewall, you just needed to:
>
> # Define the firewall type in /etc/rc.conf. Valid values are:
> [..]
>
> Sure, /etc/rc.firewall can set firewall_type to a parameter if you pass
> it one, but otherwise uses whatever $firewall_type is set to when you
> start ipfw. I guess the code below allows you to use syntax like:
>
> # /etc/rc.d/ipfw start client

I missed that it is intended to be used on the command line, but usually
the /etc/rc.d/* scripts are used at startup by rc. If /etc/rc.d/ipfw must
take 2 arguments, firewall_type is always undefined at startup even though
it is specified in /etc/rc.conf. It is a very serious problem, isn't it?

> to override the $firewall_type set in /etc/rc.conf, but it's not the
> common usage, nor is it how ipfw is started normally by rc.
>
> So just set firewall_type in rc.conf and you should be fine .. unless
> you meant that you're trying to run ipfw & natd INSIDE a jail?

The network being configured is as follows:

                 xxxx.xxxx.xxxx.xxxx/27
   -------------------------+----------------------------------------
                            |53
     +----------------------+---------------------------------------+
     |                    bge0          jailed natd box             |
     |                t2.st.foo (ipfw `OPEN')                       |
     |        +--------+--------+--------+--------+--------+--------+
     |firewall|   ns   |  ldap  |diskless|  mail  |  web   |  ftp   |
     |  bge1  |  bge1  |  bge1  |  bge1  |  bge1  |  bge1  |  bge1  |
     +----+---+----+---+----+---+----+---+----+---+----+---+----+---+
       254|       1|       2|       3|       4|       5|       6|
   -------+--------+--------+--------+--------+--------+--------+----
                            192.168.2.0/24

> cheers, Ian
>
> > --- /etc/rc.d/ipfw.org 2011-05-03 18:19:28.000000000 +0900
> > +++ /etc/rc.d/ipfw 2011-05-03 22:08:14.000000000 +0900
> > @@ -35,15 +35,11 @@
> >
> >  ipfw_start()
> >  {
> > - local _firewall_type
> > -
> > - _firewall_type=$1
> > -
> >  # set the firewall rules script if none was specified
> >  [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
> >
> >  if [ -r "${firewall_script}" ]; then
> > - /bin/sh "${firewall_script}" "${_firewall_type}"
> > + /bin/sh "${firewall_script}" "${firewall_type}"
> >  echo 'Firewall rules loaded.'
> >  elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
> >  echo 'Warning: kernel has firewall functionality, but' \

For the case of command-line usage, the above patch should be modified as follows:

--- /etc/rc.d/ipfw.org 2011-05-03 18:19:28.000000000 +0900
+++ /etc/rc.d/ipfw 2011-05-04 09:31:09.000000000 +0900
@@ -37,7 +37,11 @@
 {
 local _firewall_type

- _firewall_type=$1
+ if [ -n "${1}" ]; then
+ _firewall_type=$1
+ elif [ -n "${firewall_type}" ]
+ _firewall_type=${firewall_type}
+ fi

 # set the firewall rules script if none was specified
 [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
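Review bot: in the first, quoted hunk (@@ -35,15 +35,11 @@), deleting `_firewall_type=$1` and passing `"${firewall_type}"` unconditionally removes the only path by which `/etc/rc.d/ipfw start client` can override the rc.conf value, which is the command-line usage the reply points out; the rewritten hunk later in this message (@@ -37,7 +37,11 @@) keeps the positional argument and only falls back to `${firewall_type}`, which is the shape a reviewer would ask for, so this first version should not be applied as posted.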
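Review bot: in the hunk @@ -37,7 +37,11 @@ the added line `+ elif [ -n "${firewall_type}" ]` is missing its `; then`, so /bin/sh rejects the whole of /etc/rc.d/ipfw with a syntax error before ipfw_start() can run and no rules are loaded at all; it should read `elif [ -n "${firewall_type}" ]; then`. The same argument-then-rc.conf precedence is also expressible without the if/elif/fi block as `_firewall_type=${1:-${firewall_type}}`, which keeps the command-line override, falls back to the rc.conf value, and leaves the variable empty when neither is set, exactly as the old code did for a missing argument.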
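An added example, not part of this message and not FreeBSD's own rc.d/ipfw: a POSIX sh sketch of the precedence the second patch is reaching for (explicit argument first, then the rc.conf `firewall_type`, else empty), with a constructed stand-in for /etc/rc.firewall so the hand-off of the first argument can be checked. The names `resolve_firewall_type`, `ipfw_start_example` and `make_stub_firewall_script` are assumed here.

```shell
#!/bin/sh
# Added example: mirrors the argument-then-rc.conf fallback the corrected
# hunk intends, then hands the result to the firewall script as $1, which
# is how /etc/rc.d/ipfw invokes it: /bin/sh "${firewall_script}" "${_firewall_type}".

resolve_firewall_type() {
    # POSIX ${1:-word}: use $1 when it is set and non-empty, otherwise the
    # value of firewall_type as loaded from rc.conf (or nothing at all).
    printf '%s' "${1:-${firewall_type}}"
}

# Constructed stand-in for /etc/rc.firewall: it only records which type it
# was invoked with. The real script takes its type from $1 when one is
# passed, as the reply above says; this stub just echoes that argument.
make_stub_firewall_script() {
    _stub=$(mktemp) || return 1
    cat > "$_stub" <<'EOF'
#!/bin/sh
printf 'firewall_type=%s\n' "${1}"
EOF
    printf '%s' "$_stub"
}

# One stub for the whole run; cleaned up on exit.
firewall_script=$(make_stub_firewall_script)
trap 'rm -f "$firewall_script"' EXIT

# Mirror of ipfw_start() after the fix: resolve the type, then run the
# script with it, as the rc.d script does.
ipfw_start_example() {
    _firewall_type=$(resolve_firewall_type "$1")
    [ -r "${firewall_script}" ] || return 1
    /bin/sh "${firewall_script}" "${_firewall_type}"
}

# Demonstration with a constructed rc.conf value of firewall_type="open".
firewall_type=open
ipfw_start_example          # -> firewall_type=open   (rc.conf value used)
ipfw_start_example client   # -> firewall_type=client (argument overrides)
```

Run it as `sh example.sh`; the second call corresponds to `/etc/rc.d/ipfw start client`, the first to the normal boot-time start where only rc.conf supplies the type.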