Date:      Sat, 27 Oct 2012 21:50:01 GMT
From:      Hiroki Sato <hrs@FreeBSD.org>
To:        freebsd-rc@FreeBSD.org
Subject:   Re: conf/167566
Message-ID:  <201210272150.q9RLo1xr087956@freefall.freebsd.org>

The following reply was made to PR conf/167566; it has been noted by GNATS.

From: Hiroki Sato <hrs@FreeBSD.org>
To: utisoft@gmail.com, bug-followup@FreeBSD.org
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 06:47:01 +0900 (JST)

 
 Chris Rees <utisoft@gmail.com> wrote
   in <201210272130.q9RLU1C8085928@freefall.freebsd.org>:
 
 ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
 ut>
 ut> From: Chris Rees <utisoft@gmail.com>
 ut> To: bug-followup@freebsd.org
 ut> Cc:
 ut> Subject: Re: conf/167566
 ut> Date: Sat, 27 Oct 2012 22:29:03 +0100
 ut>
 ut>  >  Which module do you refer in "...the module is loaded, ...",
 ut>  >  ipfw_nat.ko or ipdivert.ko?
 ut>  >
 ut>  >  In my understanding the problem occurs only when ipfw attempts to
 ut>  >  load firewall rules including a "divert" directive and ipdivert.ko is
 ut>  >  not loaded at that time.  natd(8) also requires ipdivert.ko, but
 ut>  >  rc.d/natd already has required_modules="ipdivert".
 ut>  >  firewall_nat_enable is a knob for in-kernel NAT (this requires
 ut>  >  ipfw_nat.ko), so more orthogonal way would be like the following
 ut>  >  patch:
 ut>  >
 ut>  >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
 ut>  >
 ut>  >  It is still unclear to me what is harmful with "checkyesno
 ut>  >  natd_enable" here.  Can you elaborate it a little more?
 ut>
 ut>  Check rcorder:
 ut>
 ut>  [crees@pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
 ut>  /etc/rc.d/ipfw
 ut>  /etc/rc.d/natd
 ut>
 ut>  That means that natd doesn't run until after ipfw.  This means that on
 ut>  boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
 ut>  *regardless of the state of natd_enable*.
 
  The rc.d/ipfw script has $required_modules and the modules listed
  there are installed before ipfw(8) runs.  It has nothing to do with
  rc.d/natd and its order even if it uses "checkyesno natd_enable".
  Why do you think these modules are not loaded when rc.d/ipfw runs?
 
 ut>  Therefore, checkyesno natd_enable does not guarantee that either
 ut>  ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.
 
 -- Hiroki
 
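The disagreement above is whether the kernel modules an ipfw rule set depends on (ipdivert for "divert", ipfw_nat for in-kernel "nat") are guaranteed to be present when rc.d/ipfw installs the rules. As an added example, not part of this PR or of FreeBSD's rc.d scripts, the sh functions below derive the required modules from the rule set itself rather than from natd_enable, so the check does not depend on where rcorder places rc.d/natd; the function names and the sample rule set are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the kernel modules an ipfw rule set needs by scanning
# the rules, instead of inferring them from natd_enable or firewall_nat_enable.
# Function names and sample data are hypothetical, not FreeBSD rc.subr code.

# Constructed sample rule set, in the format accepted by "ipfw -q /path/to/rules".
SAMPLE_RULES='
# comments and blank lines are ignored
add 00100 allow ip from any to any via lo0
add 00200 divert natd ip from any to any via em0
add 00300 nat 1 ip from any to any via em1
add 65000 deny ip from any to any
'

# Print, space-separated and deduplicated, the modules the rule set requires:
# a "divert" action needs ipdivert, an in-kernel "nat" action needs ipfw_nat.
# Whole-word matching keeps "natd" (the userland daemon) from matching "nat".
ipfw_rules_required_modules() {
	printf '%s\n' "$1" |
	sed -e 's/#.*//' |                       # strip comments
	awk '
		/(^|[ \t])divert[ \t]/ { print "ipdivert" }
		/(^|[ \t])nat[ \t]/    { print "ipfw_nat" }
	' | sort -u | tr '\n' ' ' | sed -e 's/ $//'
}

# Given the required modules ($1) and the currently loaded ones ($2, named as
# kldstat(8) lists them without the .ko suffix), print the modules still missing.
# If this prints anything, loading the rules would fail on the affected lines,
# which is exactly the boot-time condition the PR describes.
ipfw_missing_modules() {
	missing=""
	for m in $1; do
		case " $2 " in
			*" $m "*) ;;
			*) missing="${missing:+$missing }$m" ;;
		esac
	done
	printf '%s' "$missing"
}
```

On a FreeBSD host the second argument would come from `kldstat -v` (or `kldstat -q -m <module>` per module); here it is passed in so the example runs anywhere.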