From owner-freebsd-rc@FreeBSD.ORG  Sat Oct 27 21:48:43 2012
Return-Path: <owner-freebsd-rc@FreeBSD.ORG>
Delivered-To: freebsd-rc@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 163A661C;
 Sat, 27 Oct 2012 21:48:43 +0000 (UTC) (envelope-from hrs@FreeBSD.org)
Received: from mail.allbsd.org (gatekeeper.allbsd.org
 [IPv6:2001:2f0:104:e001::32])
 by mx1.freebsd.org (Postfix) with ESMTP id 1A55A8FC12;
 Sat, 27 Oct 2012 21:48:41 +0000 (UTC)
Received: from alph.allbsd.org (p1137-ipbf1505funabasi.chiba.ocn.ne.jp
 [118.7.212.137]) (authenticated bits=128)
 by mail.allbsd.org (8.14.5/8.14.5) with ESMTP id q9RLmQ61009212
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Sun, 28 Oct 2012 06:48:36 +0900 (JST) (envelope-from hrs@FreeBSD.org)
Received: from localhost (localhost [127.0.0.1]) (authenticated bits=0)
 by alph.allbsd.org (8.14.5/8.14.5) with ESMTP id q9RLmOO9054102;
 Sun, 28 Oct 2012 06:48:25 +0900 (JST) (envelope-from hrs@FreeBSD.org)
Date: Sun, 28 Oct 2012 06:47:01 +0900 (JST)
Message-Id: <20121028.064701.1576140355872879819.hrs@allbsd.org>
To: utisoft@gmail.com, bug-followup@FreeBSD.org
Subject: Re: conf/167566
From: Hiroki Sato <hrs@FreeBSD.org>
In-Reply-To: <201210272130.q9RLU1C8085928@freefall.freebsd.org>
References: <201210272130.q9RLU1C8085928@freefall.freebsd.org>
X-PGPkey-fingerprint: BDB3 443F A5DD B3D0 A530  FFD7 4F2C D3D8 2793 CF2D
X-Mailer: Mew version 6.5 on Emacs 23.4 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Multipart/Signed; protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary="--Security_Multipart(Sun_Oct_28_06_47_01_2012_365)--"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.97.4 at gatekeeper.allbsd.org
X-Virus-Status: Clean
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7
 (mail.allbsd.org [133.31.130.32]); Sun, 28 Oct 2012 06:48:36 +0900 (JST)
X-Spam-Status: No, score=-98.1 required=13.0 tests=CONTENT_TYPE_PRESENT,
 ONLY1HOPDIRECT,SAMEHELOBY2HOP,USER_IN_WHITELIST autolearn=no version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
 gatekeeper.allbsd.org
Cc: freebsd-rc@FreeBSD.org
X-BeenThere: freebsd-rc@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion related to /etc/rc.d design and implementation."
 <freebsd-rc.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-rc>,
 <mailto:freebsd-rc-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-rc>
List-Post: <mailto:freebsd-rc@freebsd.org>
List-Help: <mailto:freebsd-rc-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-rc>,
 <mailto:freebsd-rc-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Oct 2012 21:48:43 -0000

----Security_Multipart(Sun_Oct_28_06_47_01_2012_365)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Chris Rees <utisoft@gmail.com> wrote
  in <201210272130.q9RLU1C8085928@freefall.freebsd.org>:

ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft@gmail.com>
ut> To: bug-followup@freebsd.org
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 22:29:03 +0100
ut>
ut>  >  Which module do you refer in "...the module is loaded, ...",
ut>  >  ipfw_nat.ko or ipdivert.ko?
ut>  >
ut>  >  In my understanding the problem occurs only when ipfw attempts to
ut>  >  load firewall rules including a "divert" directive and ipdivert.ko is
ut>  >  not loaded at that time.  natd(8) also requires ipdivert.ko, but
ut>  >  rc.d/natd already has required_modules="ipdivert".
ut>  >  firewall_nat_enable is a knob for in-kernel NAT (this requires
ut>  >  ipfw_nat.ko), so more orthogonal way would be like the following
ut>  >  patch:
ut>  >
ut>  >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
ut>  >
ut>  >  It is still unclear to me what is harmful with "checkyesno
ut>  >  natd_enable" here.  Can you elaborate it a little more?
ut>
ut>  Check rcorder:
ut>
ut>  [crees@pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
ut>  /etc/rc.d/ipfw
ut>  /etc/rc.d/natd
ut>
ut>  That means that natd doesn't run until after ipfw.  This means that on
ut>  boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
ut>  *regardless of the state of natd_enable*.

 The rc.d/ipfw script has $required_modules and the modules listed
 there are installed before ipfw(8) runs.  It has nothing to do with
 rc.d/natd and its order even if it uses "checkyesno natd_enable".
 Why do you think these modules are not loaded when rc.d/ipfw runs?

ut>  Therefore, checkyesno natd_enable does not guarantee that either
ut>  ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.

-- Hiroki

----Security_Multipart(Sun_Oct_28_06_47_01_2012_365)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)

iEYEABECAAYFAlCMVlUACgkQTyzT2CeTzy3IVACeN4UjO9Ad6fa3CNDSTuPqdkmc
U2YAnjymgAqHiHxR5M8/a0V8eSyRtsDM
=Sh/O
-----END PGP SIGNATURE-----

----Security_Multipart(Sun_Oct_28_06_47_01_2012_365)----