Date: Sun, 28 Oct 2012 06:10:13 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: utisoft@gmail.com, bug-followup@FreeBSD.org
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/167566
Message-ID: <20121028.061013.266535692469283796.hrs@allbsd.org>
In-Reply-To: <201210271810.q9RIA1QZ069213@freefall.freebsd.org>
References: <201210271810.q9RIA1QZ069213@freefall.freebsd.org>
Chris Rees <utisoft@gmail.com> wrote
  in <201210271810.q9RIA1QZ069213@freefall.freebsd.org>:

ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft@gmail.com>
ut> To: bug-followup@freebsd.org
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 19:05:23 +0100
ut>
ut> On 27 October 2012 18:36, Hiroki Sato <hrs@freebsd.org> wrote:
ut> > Chris Rees <utisoft@gmail.com> wrote
ut> > in <201210252030.q9PKU1sK001139@freefall.freebsd.org>:
ut> >
ut> > ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut> > ut>
ut> > ut> From: Chris Rees <utisoft@gmail.com>
ut> > ut> To: bug-followup@freebsd.org
ut> > ut> Cc:
ut> > ut> Subject: Re: conf/167566
ut> > ut> Date: Thu, 25 Oct 2012 21:24:51 +0100
ut> > ut>
ut> > ut> The correct fix would be to add REQUIRE: natd to ipfw.
ut> > ut>
ut> > ut> http://www.bayofrum.net/~crees/patches/167566.diff
ut> > ut>
ut> > ut> Please would someone take a look?
ut> >
ut> > I think the ipdivert module should be loaded in the ipfw script when
ut> > natd_enable=YES because ipfw_nat is loaded in that way. Can you (or
ut> > anyone) test the patch at
ut> > http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121027-1.diff ?
ut>
ut> Looking at the situation more closely with your hint, how about making
ut> the required_modules only conditional on firewall_nat_enable? If ipfw
ut> continues to run before nat then the checkyesno natd_enable is
ut> actually harmful because it makes us assume that the module is loaded,
ut> when it actually isn't yet.

Which module do you refer to in "...the module is loaded, ...", ipfw_nat.ko
or ipdivert.ko? In my understanding the problem occurs only when ipfw
attempts to load firewall rules including a "divert" directive and
ipdivert.ko is not loaded at that time.

natd(8) also requires ipdivert.ko, but rc.d/natd already has
required_modules="ipdivert". firewall_nat_enable is a knob for
in-kernel NAT (this requires ipfw_nat.ko), so a more orthogonal way would
be like the following patch:

http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff

It is still unclear to me what is harmful with "checkyesno natd_enable"
here. Can you elaborate on it a little more?

-- Hiroki
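The knob-to-module mapping discussed in this thread, as an added illustration that is not the patch linked above nor FreeBSD's own rc.d/ipfw: ipdivert.ko is tied to natd_enable (rules may contain "divert") and ipfw_nat.ko to firewall_nat_enable (in-kernel NAT). The checkyesno here is a hypothetical stand-in for the rc.subr(8) function of the same name, reimplemented so the snippet runs outside /etc/rc.subr.

```shell
#!/bin/sh
# Added example (not the patch from the thread): compute required_modules
# for an rc.d(8)-style ipfw script from the two knobs discussed above.

# Stand-in for rc.subr(8) checkyesno: takes a variable *name*, returns 0
# when its value is a "yes" form, 1 otherwise (no warning for bad values).
checkyesno() {
    eval "_v=\$$1"
    case "$_v" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Orthogonal selection: each module is pulled in only by the knob whose
# feature actually needs it, so neither assumption leaks into the other.
ipfw_required_modules() {
    _mods=""
    # natd(8) rules use "divert", which needs ipdivert.ko present before
    # the ruleset is loaded.
    if checkyesno natd_enable; then
        _mods="${_mods}${_mods:+ }ipdivert"
    fi
    # In-kernel NAT ("nat" rules) needs ipfw_nat.ko.
    if checkyesno firewall_nat_enable; then
        _mods="${_mods}${_mods:+ }ipfw_nat"
    fi
    echo "$_mods"
}

# Stand-alone demo with constructed rc.conf(5) values.
natd_enable="YES"
firewall_nat_enable="NO"
echo "required_modules=\"$(ipfw_required_modules)\""
```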