Date:      Sat, 27 Oct 2012 21:30:01 GMT
From:      Chris Rees <utisoft@gmail.com>
To:        freebsd-rc@FreeBSD.org
Subject:   Re: conf/167566
Message-ID:  <201210272130.q9RLU1C8085928@freefall.freebsd.org>

The following reply was made to PR conf/167566; it has been noted by GNATS.

From: Chris Rees <utisoft@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: conf/167566
Date: Sat, 27 Oct 2012 22:29:03 +0100

 >  Which module do you refer to in "...the module is loaded, ...",
 >  ipfw_nat.ko or ipdivert.ko?
 >
 >  In my understanding the problem occurs only when ipfw attempts to
 >  load firewall rules including a "divert" directive and ipdivert.ko is
 >  not loaded at that time.  natd(8) also requires ipdivert.ko, but
 >  rc.d/natd already has required_modules="ipdivert".
 >  firewall_nat_enable is a knob for in-kernel NAT (this requires
 >  ipfw_nat.ko), so a more orthogonal way would be like the following
 >  patch:
 >
 >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
 >
 >  It is still unclear to me what is harmful with "checkyesno
 >  natd_enable" here.  Can you elaborate on it a little more?
 
 Check rcorder:
 
 [crees@pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
 /etc/rc.d/ipfw
 /etc/rc.d/natd
 
 That means that natd doesn't run until after ipfw.  This means that on
 boot, when ipfw runs, neither ipfw_nat nor ipdivert is installed,
 *regardless of the state of natd_enable*.
 
 Therefore, checkyesno natd_enable does not guarantee that either
 ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.
 
 Chris
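
The ordering argument in the message above, as an added example that is not part of the original e-mail or of FreeBSD's rc scripts: it decides from rcorder output and a ruleset whether rc.d/ipfw has to load ipdivert itself. The function names and the sample ruleset are hypothetical and constructed; the rcorder lines are the two quoted in the message.

```shell
#!/bin/sh
# Added example; models the decision only, it never calls kldload or ipfw.

# Constructed inputs: rcorder output as quoted in the message, plus a
# made-up ruleset containing one divert rule.
ORDER='/etc/rc.d/ipfw
/etc/rc.d/natd'
RULES='# constructed sample ruleset
add 50 divert natd ip4 from any to any via em0
add 100 allow ip from any to any'

# position_of SCRIPT: 1-based line number of SCRIPT in the rcorder
# listing read from stdin; prints nothing if SCRIPT is absent.
position_of() {
    awk -v s="$1" '$0 == s { print NR; exit }'
}

# runs_before ORDER A B: succeeds only if A starts before B.
runs_before() {
    a=$(printf '%s\n' "$1" | position_of "$2")
    b=$(printf '%s\n' "$1" | position_of "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# rules_use_divert RULES: succeeds if a rule (comments stripped)
# contains a divert action.
rules_use_divert() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '(^|[[:space:]])divert[[:space:]]'
}

# ipfw_must_load_ipdivert ORDER RULES: prints "yes" when the ruleset
# needs ipdivert and rc.d/natd (the script carrying
# required_modules="ipdivert") does not run before rc.d/ipfw.
ipfw_must_load_ipdivert() {
    if rules_use_divert "$2" &&
       ! runs_before "$1" /etc/rc.d/natd /etc/rc.d/ipfw; then
        echo yes
    else
        echo no
    fi
}

echo "rc.d/ipfw must load ipdivert: $(ipfw_must_load_ipdivert "$ORDER" "$RULES")"
```

The answer does not depend on natd_enable at all, only on the ordering and on what the ruleset contains.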


