Date: Wed, 4 May 2011 16:46:22 +1000 (EST)
From: Ian Smith
To: KIRIYAMA Kazuhiko
Cc: freebsd-stable@freebsd.org
Subject: Re: /etc/rc.d/ipfw can't deal with firewall_type?
Message-ID: <20110504160556.Q85801@sola.nimnet.asn.au>
In-Reply-To: <201105040140.p441eClM054591@pis.elm.toba-cmt.ac.jp>
References: <201105031543.p43Fh92T041708@pis.elm.toba-cmt.ac.jp> <20110504030404.O85801@sola.nimnet.asn.au> <201105040140.p441eClM054591@pis.elm.toba-cmt.ac.jp>
List-Id: Production branch of FreeBSD source code

On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > At Wed, 4 May 2011 03:47:02 +1000 (EST),
 > Ian Smith wrote:
 > >
 > > On Wed, 4 May 2011, KIRIYAMA Kazuhiko wrote:
 > > > Hi all,
 > > > Recently I upgraded to 8.2-STABLE and reconfigured natd + jailed box, but
 > > > all packets could not over nat box. I've researched and found
 > > > /etc/rc.firewall does not receive argument of firewall_type. So ipfw does
 > > > not divert and natd could not be performed. The reason is /etc/rc.d/ipfw
 > > > incorrect. I think a patch below should be applied to /etc/rc.d/ipfw. Is
 > > > there any problem to do this?
 > >
 > > Yes. Assuming using the default firewall_script="/etc/rc.firewall",
 > > then as it says early in /etc/rc.firewall, you just needed to:
 > >
 > > # Define the firewall type in /etc/rc.conf. Valid values are:
 > > [..]

It's just occurred to me that - assuming you are NOT trying to start ipfw
or natd inside a jail, which won't work - you may well be running into
another problem related to some PRs/patches hrs@ (cc'd) is reviewing re
startup order and loading of modules for ipfw and natd.

You mentioned running an 'OPEN' firewall which (like any other type) will
fail to load divert rule/s unless ipdivert.ko is already loaded or built
into kernel.

This can be solved meanwhile by either

a) adding to /boot/loader.conf: ipdivert_load="YES"

or b) by applying the following patch to /etc/rc.d/ipfw (on 7.x or 8.x)

cheers, Ian

--- rc.d_ipfw.1.24	Sat Jan  8 18:13:46 2011
+++ ipfw	Sat Jan  8 21:00:18 2011
@@ -27,9 +27,9 @@
 	fi
 	if checkyesno firewall_nat_enable; then
-		if ! checkyesno natd_enable; then
-			required_modules="$required_modules ipfw_nat"
-		fi
+		required_modules="$required_modules ipfw_nat"
+	elif checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
 	fi
 }
@@ -105,6 +105,7 @@
 }
 
 load_rc_config $name
-firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+checkyesno natd_enable && ! checkyesno firewall_nat_enable && \
+	firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
 run_rc_command $*
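Review bot: the new if/elif in the first hunk gives firewall_nat_enable silent precedence over natd_enable, so a host with both set gets ipfw_nat into required_modules and never reaches the ipdivert branch, while natd (if started some other way) fails later with no hint from rc. Before the patch that combination loaded neither module, so this is an improvement, but the precedence rule is invisible to the reader; an explicit warning in that path, or a comment above the block stating that firewall_nat_enable wins when both are set, would make the intended behaviour checkable.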
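Review bot: the top-level `checkyesno natd_enable && ! checkyesno firewall_nat_enable && \` line in the second hunk encodes the same precedence rule a second time as an exit-status chain, which is easy to misread and easy to let drift from the prestart logic; writing it as `if checkyesno natd_enable && ! checkyesno firewall_nat_enable; then firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"; fi` keeps the two hunks visibly in step. The placement after load_rc_config is correct and must stay so, since checkyesno can only see natd_enable and firewall_nat_enable once rc.conf has been loaded.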
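The dependency Ian describes (natd needs divert rules, and divert rules only load when ipdivert is built in or loaded) is easy to check before a reboot. The script below is an added example, not Ian's patch nor FreeBSD's rc code: a POSIX sh pre-flight check that takes the two rc.conf values and a module listing as text, so it can be exercised off-box. The function name, the verdict codes and the sample module listings are this example's own; on a real host the listing would come from `kldstat -v`.

```shell
#!/bin/sh
# Added example: pre-flight check for the natd / ipdivert dependency
# discussed in the mail.  Nothing here is FreeBSD's own rc code.
#
# ipfw_divert_precheck NATD_ENABLE FIREWALL_NAT_ENABLE "MODULE_LISTING"
# Returns 0 when divert rules will load or are not needed,
#         1 when natd is enabled but ipdivert is absent (the failure mode
#           described in the mail),
#         2 when both NAT methods are enabled at once (ambiguous config).
ipfw_divert_precheck() {
    natd=$1; fwnat=$2; modules=$3
    # Normalise the rc.conf booleans the way checkyesno would.
    case "$natd" in [Yy][Ee][Ss]) natd=yes ;; *) natd=no ;; esac
    case "$fwnat" in [Yy][Ee][Ss]) fwnat=yes ;; *) fwnat=no ;; esac

    if [ "$natd" = yes ] && [ "$fwnat" = yes ]; then
        echo "both natd_enable and firewall_nat_enable are set; choose one"
        return 2
    fi
    if [ "$natd" != yes ]; then
        echo "natd disabled; no divert rules needed"
        return 0
    fi
    # A built-in or loaded ipdivert shows up by name in the listing,
    # either as ipdivert.ko or as a module contained in the kernel.
    if printf '%s\n' "$modules" | grep -q 'ipdivert'; then
        echo "natd enabled and ipdivert present; divert rules will load"
        return 0
    fi
    echo "natd enabled but ipdivert missing: add ipdivert_load=\"YES\" to /boot/loader.conf"
    return 1
}

# Constructed, abbreviated kldstat-style listings (not from a real host).
SAMPLE_MODS_OK='Id Refs Address            Size     Name
 1   10 0xffffffff80100000 d20f28   kernel
 2    1 0xffffffff81022000 2a8      ipdivert.ko
 3    1 0xffffffff81023000 1f0      ipfw.ko'
SAMPLE_MODS_MISSING='Id Refs Address            Size     Name
 1    8 0xffffffff80100000 d20f28   kernel
 2    1 0xffffffff81023000 1f0      ipfw.ko'

# Usage: sh precheck.sh demo   (runs the three cases against the samples)
if [ "${1:-}" = demo ]; then
    ipfw_divert_precheck YES NO  "$SAMPLE_MODS_OK"
    ipfw_divert_precheck YES NO  "$SAMPLE_MODS_MISSING"
    ipfw_divert_precheck YES YES "$SAMPLE_MODS_OK"
fi
```

The check deliberately treats "both enabled" as its own verdict rather than picking a winner, since the mail's patch resolves that case one way (firewall_nat_enable wins) and an operator reviewing rc.conf is better served by being told the configuration is ambiguous.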