From owner-freebsd-stable@FreeBSD.ORG Wed Aug 11 09:30:51 2010
Message-ID: <4C62694E.60804@p-o.co.uk>
Date: Wed, 11 Aug 2010 10:11:42 +0100
From: Alan Hicks
To: Eugene Grosbein
Cc: freebsd-stable@freebsd.org
Subject: Re: NAT issue in 8.1
References: <4C61712E.7030704@p-o.co.uk> <20100810175931.GB63364@rdtc.ru>
In-Reply-To: <20100810175931.GB63364@rdtc.ru>

Thanks, works perfectly now,
Alan

On 08/10/10 18:59, Eugene Grosbein wrote:
> On Tue, Aug 10, 2010 at 04:33:02PM +0100, Alan Hicks wrote:
>
>> Having upgraded to Release-8.1, there appears to be an issue with
>> network address translation where a newly booted machine fails to set up
>> nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'
>
> That's because your kernel (GENERIC?) does not have ipdivert support enabled.
> That's not fatal, see later.
>
>> Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)
>>
>> rc.conf
>> ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
>> ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
>> defaultrouter="192.168.0.1"
>> firewall_enable="YES"
>> firewall_type="open"
>> firewall_logging="yes"
>> natd_enable="YES"
>> natd_interface="em0"
>>
>> Boot excerpt from console, typed as it does not make it to
>> /var/log/messages so apologies for any typos
>>
>> add net default: gateway 192.168.0.1
>> Additional routing options: IP gateway=YES
>> Starting devd.
>> ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based
>> forwarding disabled, default to deny, logging disabled
>> load_dn_sched dn_sched FIFO loaded
>> load_dn_sched dn_sched QFQ loaded
>> load_dn_sched dn_sched RR loaded
>> load_dn_sched dn_sched WF2Q+ loaded
>> load_dn_sched dn_sched PRIO loaded
>> flushed all rules.
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 deny ip from any to ::1
>> 00500 deny ip from ::1 to any
>> 00600 allow ipv6-icmp from :: to ff02::/16
>> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
>> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
>> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
>> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>> ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> At this point, there is still no ipdivert support loaded.
>
>> 65000 allow ip from any to any
>> Firewall rules loaded.
>> Firewall logging enabled.
>> Starting natd.
>
> At this point, kernel module ipdivert.ko is loaded.
>
>> Loading /lib/libalias_cuseeme.so
>> Loading /lib/libalias_ftp.so
>> Loading /lib/libalias_irc.so
>> Loading /lib/libalias_nbt.so
>> Loading /lib/libalias_pptp.so
>> Loading /lib/libalias_skinny.so
>> Loading /lib/libalias_smedia.so
>> Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes
>>
>> Although all appears to be ok, machines on the xl0 192.168.202.0/24
>> subnet can't see the internet. Running /etc/rc.firewall manually fixes
>> the issue.
>
> ipdivert.ko is loaded, hence re-loading firewall rules helps.
>
>> The machine was upgraded from 8.0 using unmodified cvs sources using
>> buildkernel, buildworld, installworld, installkernel mergemaster.
>>
>> Any help appreciated.
>
> Just load ipdivert.ko earlier by means of loader.conf:
>
> echo 'ipdivert_load="YES"' >> /boot/loader.conf
>
> Alternatively, rebuild kernel with options IPFIREWALL and IPDIVERT
>
> Eugene Grosbein
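The fix Eugene gives above is a one-line append to /boot/loader.conf. As an added example that is not part of this thread, the sh script below applies that setting idempotently (a bare `echo >>` run twice leaves a duplicate line behind) and then checks whether the ipdivert module is actually present in the running kernel, which is the condition the divert rule in /etc/rc.firewall depends on. The function names are my own; `kldstat -q -m` is the FreeBSD module query and is only meaningful on a FreeBSD host.

```shell
#!/bin/sh
# Added example, not the original poster's code. Names below are mine.
# Ensures ipdivert_load="YES" is set once in a loader.conf and reports
# whether the ipdivert kernel module is loaded right now.

# ensure_loader_setting FILE NAME VALUE
# Appends NAME="VALUE" to FILE only when no active (uncommented) NAME=
# line exists, so repeated runs never duplicate the entry.
ensure_loader_setting() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${name}=" "$file"; then
        return 0    # already configured; keep the operator's existing value
    fi
    printf '%s="%s"\n' "$name" "$value" >> "$file"
}

# loader_setting_count FILE NAME
# Prints how many active NAME= lines FILE contains (expected: exactly 1).
loader_setting_count() {
    grep -Ec "^[[:space:]]*$2=" "$1" || true
}

# ipdivert_loaded
# Exit 0 if the ipdivert module is in the running kernel, 1 if it is not,
# 2 if kldstat is unavailable (i.e. this is not a FreeBSD host).
ipdivert_loaded() {
    command -v kldstat >/dev/null 2>&1 || return 2
    kldstat -q -m ipdivert
}

# Usage on the affected box (as root):
#   ensure_loader_setting /boot/loader.conf ipdivert_load YES
#   ipdivert_loaded || echo "ipdivert not loaded yet: reboot, or kldload ipdivert and rerun /etc/rc.firewall"
```

After the loader.conf entry is in place, a reboot loads ipdivert.ko before /etc/rc.firewall runs, so the divert rule installs on the first pass and the manual re-run of the firewall script is no longer needed.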