From: Hiroki Sato <hrs@FreeBSD.org>
To: utisoft@gmail.com, bug-followup@FreeBSD.org
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 06:47:01 +0900 (JST)
Message-Id: <20121028.064701.1576140355872879819.hrs@allbsd.org>
In-Reply-To: <201210272130.q9RLU1C8085928@freefall.freebsd.org>
List-Id: "Discussion related to /etc/rc.d design and implementation."

Chris Rees wrote in <201210272130.q9RLU1C8085928@freefall.freebsd.org>:

ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees
ut> To: bug-followup@freebsd.org
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 22:29:03 +0100
ut>
ut> > Which module do you refer to in "...the module is loaded, ...",
ut> > ipfw_nat.ko or ipdivert.ko?
ut> >
ut> > In my understanding the problem occurs only when ipfw attempts to
ut> > load firewall rules including a "divert" directive and ipdivert.ko is
ut> > not loaded at that time. natd(8) also requires ipdivert.ko, but
ut> > rc.d/natd already has required_modules="ipdivert".
ut> > firewall_nat_enable is a knob for in-kernel NAT (this requires
ut> > ipfw_nat.ko), so a more orthogonal way would be like the following
ut> > patch:
ut> >
ut> > http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
ut> >
ut> > It is still unclear to me what is harmful with "checkyesno
ut> > natd_enable" here. Can you elaborate on it a little more?
ut>
ut> Check rcorder:
ut>
ut> [crees@pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
ut> /etc/rc.d/ipfw
ut> /etc/rc.d/natd
ut>
ut> That means that natd doesn't run until after ipfw. This means that on
ut> boot, when ipfw runs, neither ipfw_nat nor ipdivert is installed,
ut> *regardless of the state of natd_enable*.

The rc.d/ipfw script has $required_modules, and the modules listed there
are installed before ipfw(8) runs. It has nothing to do with rc.d/natd
and its order, even if it uses "checkyesno natd_enable". Why do you
think these modules are not loaded when rc.d/ipfw runs?

ut> Therefore, checkyesno natd_enable does not guarantee that either
ut> ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.

-- Hiroki
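The point under discussion is that the module list rc.d/ipfw needs is decided inside rc.d/ipfw itself (from its own knobs and its own rules file), not by rc.d/natd or the order rcorder puts the two scripts in. The following is an added illustration, not the FreeBSD rc.d/ipfw script and not the patch linked above: it derives a required_modules-style list from a firewall_nat_enable value and a constructed rules file, then reports which of those modules are absent from a constructed list standing in for kldstat(8) output. The function names ipfw_required_modules and missing_modules, the sample rules and the "loaded" list are all assumptions made for the example; the yes/no matching is a simplified stand-in for checkyesno.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.d scripts.
# Shows how an rc.d script can compute the kernel modules it must have
# loaded before it runs, independently of any other script's ordering.

# Constructed sample rules file standing in for /etc/ipfw.rules.
RULES_FILE="${TMPDIR:-/tmp}/ipfw.rules.example.$$"
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
# constructed example rules (not a real ruleset)
add 00100 allow ip from any to any via lo0
add 00200 divert natd ip from any to any via em0
add 65000 allow ip from any to any
EOF

# ipfw_required_modules <firewall_nat_enable> <rules file>
# Prints a space-separated module list: ipfw always, ipfw_nat when
# in-kernel NAT is enabled, ipdivert when any rule uses the divert action.
# (Hypothetical helper; simplified yes/no test instead of checkyesno.)
ipfw_required_modules() {
    _nat_enable=$1
    _rules=$2
    _mods="ipfw"
    case "$_nat_enable" in
    [Yy][Ee][Ss]) _mods="$_mods ipfw_nat" ;;
    esac
    # Drop comments, then look for "divert" as a whole word.
    if sed 's/#.*//' "$_rules" | grep -Eq '(^|[[:space:]])divert([[:space:]]|$)'; then
        _mods="$_mods ipdivert"
    fi
    printf '%s\n' "$_mods"
}

# missing_modules <required list> <loaded list>
# Prints the required modules absent from the loaded list; empty output
# means the rules can be loaded without hitting a missing-module error.
missing_modules() {
    _missing=""
    for _m in $1; do
        _found=no
        for _l in $2; do
            if [ "$_m" = "$_l" ]; then
                _found=yes
            fi
        done
        if [ "$_found" = no ]; then
            _missing="$_missing $_m"
        fi
    done
    printf '%s\n' "${_missing# }"
}

# Usage: what rc.d/ipfw would know at its own start time. The answer does
# not involve natd_enable at all, only this script's knobs and rules.
required=$(ipfw_required_modules NO "$RULES_FILE")
loaded="ipfw ipfw_nat"   # constructed stand-in for kldstat(8) output
echo "required: $required"
echo "missing:  $(missing_modules "$required" "$loaded")"
```

Run with any POSIX sh; with the constructed rules above and firewall_nat_enable=NO, the required list is "ipfw ipdivert" and the missing list is "ipdivert", which is exactly the case where loading a ruleset containing a divert rule fails. Listing that module in the script's own required_modules is what makes the check independent of rc.d/natd.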