Date: Wed, 11 Aug 2010 10:11:42 +0100
From: Alan Hicks <alan@p-o.co.uk>
To: Eugene Grosbein <eugen@eg.sd.rdtc.ru>
Cc: freebsd-stable@freebsd.org
Subject: Re: NAT issue in 8.1
Message-ID: <4C62694E.60804@p-o.co.uk>
In-Reply-To: <20100810175931.GB63364@rdtc.ru>
References: <4C61712E.7030704@p-o.co.uk> <20100810175931.GB63364@rdtc.ru>
Thanks, works perfectly now,

Alan

On 08/10/10 18:59, Eugene Grosbein wrote:
> On Tue, Aug 10, 2010 at 04:33:02PM +0100, Alan Hicks wrote:
>
>> Having upgraded to Release-8.1, there appears to be an issue with
>> network address translation where a newly booted machine fails to set up
>> nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'
>
> That's because your kernel (GENERIC?) does not have ipdivert support enabled.
> That's not fatal, see later.
>
>>
>> Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)
>>
>> rc.conf
>> ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
>> ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
>> defaultrouter="192.168.0.1"
>> firewall_enable="YES"
>> firewall_type="open"
>> firewall_logging="yes"
>> natd_enable="YES"
>> natd_interface="em0"
>>
>> Boot excerpt from console, typed as it does not make it to
>> /var/log/messages so apologies for any typos
>>
>> add net default: gateway 192.168.0.1
>> Additional routing options: IP gateway=YES
>> Starting devd.
>> ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
>> forwarding disabled, default to deny, logging disabled
>> load_dn_sched dn_sched FIFO loaded
>> load_dn_sched dn_sched QFQ loaded
>> load_dn_sched dn_sched RR loaded
>> load_dn_sched dn_sched WF2Q+ loaded
>> load_dn_sched dn_sched PRIO loaded
>> flushed all rules.
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 deny ip from any to ::1
>> 00500 deny ip from ::1 to any
>> 00600 allow ipv6-icmp from :: to ff02::/16
>> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
>> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
>> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
>> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>> ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> At this point, there is still no ipdivert support loaded.
>
>> 65000 allow ip from any to any
>> Firewall rules loaded.
>> Firewall logging enabled.
>> Starting natd.
>
> At this point, kernel module ipdivert.ko is loaded.
>
>> Loading /lib/libalias_cuseeme.so
>> Loading /lib/libalias_ftp.so
>> Loading /lib/libalias_irc.so
>> Loading /lib/libalias_nbt.so
>> Loading /lib/libalias_pptp.so
>> Loading /lib/libalias_skinny.so
>> Loading /lib/libalias_smedia.so
>> Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes
>>
>> Although all appears to be ok, machines on the xl0 192.168.202.0/24
>> subnet can't see the internet. Running /etc/rc.firewall manually fixes
>> the issue.
>
> ipdivert.ko is loaded, hence re-loading firewall rules helps.
>
>>
>> The machine was upgraded from 8.0 using unmodified cvs sources using
>> buildkernel, buildworld, installworld, installkernel mergemaster.
>>
>> Any help appreciated.
>
> Just load ipdivert.ko earlier by means of loader.conf:
>
> echo 'ipdivert_load="YES"' >> /boot/loader.conf
>
> Alternatively, rebuild kernel with options IPFIREWALL and IPDIVERT
>
> Eugene Grosbein
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
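The ordering problem Eugene describes (rc.firewall installs the divert rule before natd has loaded ipdivert.ko, so IP_FW_ADD fails with EINVAL) can be caught before a reboot by checking rc.conf against loader.conf. This is an added example, not code from the thread; it assumes the key="value" line format of rc.conf(5)/loader.conf(5) shown above, and the sample files it writes to a temporary directory are constructed, not taken from the poster's box.

```sh
#!/bin/sh
# Added example, not from the thread: preflight check for the natd/ipdivert
# ordering problem. Assumes the key="value" line format of rc.conf(5) and
# loader.conf(5); the sample files below are constructed.

# rcvar FILE VAR: print the (unquoted) value of the last VAR= line in FILE.
rcvar() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_yes VALUE: rc.conf treats YES/yes/Yes as true.
is_yes() {
    case "$1" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}

# diagnose RC_CONF LOADER_CONF: "ok: ..." when natd is off or ipdivert.ko is
# preloaded by the loader; otherwise "fix: ..." with Eugene's suggested change.
diagnose() {
    if ! is_yes "$(rcvar "$1" natd_enable)"; then
        echo "ok: natd_enable is not YES, no divert rule needed"
    elif is_yes "$(rcvar "$2" ipdivert_load)"; then
        echo "ok: ipdivert.ko is loaded before rc.firewall runs"
    else
        echo "fix: natd_enable=YES but ipdivert_load unset; add ipdivert_load=\"YES\" to $2"
    fi
}

# is_divert_failure LINE: match the boot-log error quoted in the thread.
is_divert_failure() {
    case "$1" in
        *"getsockopt(IP_FW_ADD): Invalid argument"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files mirroring the thread's configuration.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
RC="$TMPD/rc.conf"
LOADER_BEFORE="$TMPD/loader.conf.before"
LOADER_AFTER="$TMPD/loader.conf.after"
printf '%s\n' 'firewall_enable="YES"' 'firewall_type="open"' \
    'natd_enable="YES"' 'natd_interface="em0"' > "$RC"
: > "$LOADER_BEFORE"                                    # GENERIC kernel, nothing preloaded
printf '%s\n' 'ipdivert_load="YES"' > "$LOADER_AFTER"   # after applying the fix

diagnose "$RC" "$LOADER_BEFORE"
diagnose "$RC" "$LOADER_AFTER"
```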