Date: Fri, 13 Apr 2007 08:57:15 -0500
From: Terry Todd <tlt@badger.tltodd.com>
To: Jonathan McKeown <jonathan@hst.org.za>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw fwd not working in 6.2-release
Message-ID: <20070413085715.B15209@badger.tltodd.com>
In-Reply-To: <200704130928.05581.jonathan@hst.org.za>; from jonathan@hst.org.za on Fri, Apr 13, 2007 at 09:28:05AM +0200
References: <20070403105841.A98763@badger.tltodd.com> <200704051620.22407.jonathan@hst.org.za> <20070412135824.A82713@badger.tltodd.com> <200704130928.05581.jonathan@hst.org.za>
On Fri, Apr 13, 2007 at 09:28:05AM +0200, Jonathan McKeown wrote:
> [Reordered, freebsd-questions re-added]
> On Thursday 12 April 2007 20:58, Terry Todd wrote:
> > On Thu, Apr 05, 2007 at 04:20:22PM +0200, Jonathan McKeown wrote:
> > > On Thursday 05 April 2007 16:01, Jonathan McKeown wrote:
> > > > On Thursday 05 April 2007 15:42, Terry Todd wrote:
> > >
> > > [ipfw not accepting fwd rules when kernel built with
> > > options IPFIREWALL_FORWARD
> > > and I agreed, saying]
> > >
> > > > Has the way ipfw.ko is built changed? Do we need to compile ipfw into
> > > > the kernel to use ipfw fwd rules now? Or can I force ipfw.ko to be
> > > > rebuilt with forwarding included?
> > >
> > > I'm on my way home now, but a quick look at the source suggests that
> > > unless ipfw.ko is built with this option set, rule-based forwarding is
> > > disabled - and indeed this message appears in my boot messages.
> > >
> > > Presumably the option is not fed to the module during a buildkernel.
> > >
> > > I'm going to try building just that module with the option set.
> >
> > Have you made any progress on this?
> >
> > Thanks,
>
> I must admit I gave up on rebuilding the module. My rationale for using
> ipfw.ko rather than options IPFIREWALL was to reduce the number of custom
> kernels I run (I have several servers throughout South Africa and in London,
> with a central build system). It dawned on me that if I'm using options
> IPFIREWALL_FORWARD I'm already building a custom kernel anyway, so I might as
> well add options IPFIREWALL as well.
>
> That worked.
>
> The alternative seems to be to edit the Makefile for ipfw - which I didn't
> want to do as I'm building multiple kernels for multiple machines on my build
> box.
>
> If you're building one kernel on the box it's going to be installed on,
> it looks to me as though the place to start is /sys/modules/ipfw/Makefile,
> which I'm quoting in its entirety as it's a short file:
>
> ========
> # $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.21.2.2 2006/09/19 15:45:21 csjp Exp $
>
> .PATH: ${.CURDIR}/../../netinet
>
> KMOD= ipfw
> SRCS= ip_fw2.c ip_fw_pfil.c
> SRCS+= opt_inet6.h opt_ipsec.h opt_mac.h
>
> CFLAGS+= -DIPFIREWALL
> #
> #If you want it verbose
> #CFLAGS+= -DIPFIREWALL_VERBOSE
> #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
> #
> #If you want it to pass all packets by default
> #CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
> #
>
> .if !defined(KERNBUILDDIR)
> .if !defined(NO_INET6)
> opt_inet6.h:
> 	echo "#define INET6 1" > ${.TARGET}
> .endif
> .endif
>
> .include <bsd.kmod.mk>
> ========
>
> It looks as though you would need to add
> CFLAGS += -DIPFIREWALL_FORWARD
>
> to build an ipfw.ko which supports forward rules. You can see quickly whether
> you have succeeded, as ipfw (built-in or loaded as module) puts a line into
> your boot messages which tells you whether ``rule-based forwarding'' is
> enabled or disabled.
>
> This may be more of a question for -hackers than -questions, but I'd be
> interested to know why modules ignore kernel options and whether there's any
> way to change or override that.
>
> Jonathan

To summarize, adding both lines:

options IPFIREWALL
options IPFIREWALL_FORWARD

works.

Adding just the one line:

options IPFIREWALL_FORWARD

does not work.

Thanks very much.

Terry Todd
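An added check, not part of the thread: a small sh script that tells a kernel config carrying only IPFIREWALL_FORWARD (the combination that does not work) from one carrying both options, and reads the ipfw boot banner for the forwarding state. It assumes the banner contains the phrase "rule-based forwarding enabled" or "rule-based forwarding disabled" as quoted above; the config and dmesg samples at the bottom are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Both checks read stdin, so they can be pointed at a real file or at dmesg:
#   kernconf_check < /sys/i386/conf/MYKERNEL     dmesg | ipfw_fwd_status

# Prints: both (IPFIREWALL and IPFIREWALL_FORWARD present), forward-only
# (only IPFIREWALL_FORWARD present), or none.
kernconf_check() {
    # strip comments, then match each option as a whole word so that
    # "IPFIREWALL" does not also count "IPFIREWALL_FORWARD" or "_VERBOSE"
    conf=$(sed -e 's/#.*//')
    fw=$(printf '%s\n' "$conf" \
        | grep -Ec '^[[:space:]]*options[[:space:]]+IPFIREWALL([[:space:]]|$)' || true)
    fwd=$(printf '%s\n' "$conf" \
        | grep -Ec '^[[:space:]]*options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)' || true)
    if [ "$fw" -gt 0 ] && [ "$fwd" -gt 0 ]; then
        echo both
    elif [ "$fwd" -gt 0 ]; then
        echo forward-only
    else
        echo none
    fi
}

# Prints: enabled, disabled, or no-banner when no ipfw line mentions
# rule-based forwarding (assumed banner wording, see lead-in).
ipfw_fwd_status() {
    banner=$(grep -E '^ipfw.*rule-based forwarding' | tail -n 1 || true)
    case "$banner" in
        *'rule-based forwarding enabled'*)  echo enabled ;;
        *'rule-based forwarding disabled'*) echo disabled ;;
        *)                                  echo no-banner ;;
    esac
}

# Constructed sample inputs.
SAMPLE_CONF_FORWARD_ONLY='options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE'
SAMPLE_CONF_BOTH='options IPFIREWALL
options IPFIREWALL_FORWARD'
SAMPLE_DMESG='ipfw2 (+ipv6) initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled'

# Run directly: apply the checks to the samples.
printf '%s\n' "$SAMPLE_CONF_FORWARD_ONLY" | kernconf_check
printf '%s\n' "$SAMPLE_CONF_BOTH" | kernconf_check
printf '%s\n' "$SAMPLE_DMESG" | ipfw_fwd_status
```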