Date:      Sun, 9 Jan 2011 01:30:54 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        freebsd-ipfw@freebsd.org
Cc:        Brandon Gooch <jamesbrandongooch@gmail.com>, Thomas Sandford <freebsduser@paradisegreen.co.uk>, hrs@freebsd.org, David Naylor <naylor.b.david@gmail.com>
Subject:   Re: Request for policy decision: kernel nat vs/and/or natd
Message-ID:  <20110108220300.Q15397@sola.nimnet.asn.au>
In-Reply-To: <20110108141111.A15397@sola.nimnet.asn.au>
References:  <20101223233437.Q27345@sola.nimnet.asn.au> <AANLkTinXREwAvvSQDtA65je2OdWcDQ9qR8rCh3my_26A@mail.gmail.com> <20110108141111.A15397@sola.nimnet.asn.au>


On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
 > On Fri, 7 Jan 2011, Brandon Gooch wrote:
 >  > On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith <smithi@nimnet.asn.au> wrote:
[..]
 >  > > We could:
 >  > >
 >  > > 1) Preference kernel nat over natd when both are enabled.
 >  > 
 >  > I vote for #1.
 > 
 > Thanks.  So far, that makes an overwhelming majority of 2 / NIL :)
 > 
 > I see that hrs@freebsd.org has just grabbed two related PRs:
 > 
 > kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
 > conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
 > 
 > so this seems a good time to work up patches to that effect for review 
 > (/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.

Ok, the attached patches are against HEAD, which is currently identical 
to 8-STABLE for these files.  rc.d_ipfw.patch also applies to 7-STABLE 
with an offset but rc.firewall.patch needs more work for 7.  I've no box 
on which to actually run-test tonight, and will be away for a few days.

/etc/rc.d/ipfw:
 . prefer kernel nat (loading ipfw_nat) to natd when both are enabled
 . add ipdivert to required_modules - when only natd is enabled - as
   proposed by Thomas Sandford in conf/153155 and also re kern/148928
   also fixing the related issue in conf/148137 (and possibly others)
 . prefix /etc/rc.d/natd to firewall_coscripts when only natd is enabled

/etc/rc.d/natd:
 . seems nothing is needed; has KEYWORD nostart and so should only be 
   started now by ipfw when natd - but not firewall_nat - is enabled

/etc/rc.firewall:
 . move firewall_nat and natd code into a function, setup_nat() 
   preferring kernel firewall_nat to natd if both are enabled
 . couldn't resist tidying up that code to within 80 columns
 . call setup_nat also in 'simple' ruleset, with same intent as
   proposed in conf/148144 by David Naylor
 . couldn't resist fixing unnecessarily long line in 'workstation'

I've resisted other patches (enabling icmp) that I added to conf/148144 
for which I apologise to David; one thing at a time ..

If folks prefer that this be submitted as yet another PR, please say.

cheers, Ian
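The policy the message describes (kernel NAT wins when both `firewall_nat_enable` and `natd_enable` are set, `ipdivert` is only needed when natd alone is the backend, and `/etc/rc.d/natd` is only scheduled as a co-script in that case) is small enough to show as plain sh. The block below is an added illustration written for this page; it is not the rc.d_ipfw.patch or rc.firewall.patch attached to the message, and the function names, the stand-in `checkyesno`, and the rule numbers are this example's own assumptions. The rc.conf variable names follow rc.conf(5).

```sh
#!/bin/sh
# Added example: the "prefer kernel nat over natd" decision as stand-alone sh.
# Not the patch from the message; function names and rule numbers are assumed.

# Minimal stand-in for rc.subr's checkyesno: true for yes/true/on/1.
checkyesno() {
    eval _v=\"\${$1}\"
    case "$_v" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Pick the NAT backend from the rc.conf knobs. Kernel NAT takes precedence
# when both are enabled, so natd is never started alongside it.
# Prints one of: kernel, natd, none.
select_nat_backend() {
    if checkyesno firewall_nat_enable; then
        echo kernel
    elif checkyesno natd_enable; then
        echo natd
    else
        echo none
    fi
}

# Kernel modules the chosen backend needs: ipfw_nat for in-kernel NAT,
# ipdivert (the divert(4) socket natd listens on) for natd, else nothing.
nat_required_modules() {
    case "$(select_nat_backend)" in
    kernel) echo ipfw_nat ;;
    natd)   echo ipdivert ;;
    *)      echo "" ;;
    esac
}

# Co-script to run after the ruleset is loaded: natd only when it is
# actually the backend, otherwise an empty list.
nat_coscripts() {
    case "$(select_nat_backend)" in
    natd) echo /etc/rc.d/natd ;;
    *)    echo "" ;;
    esac
}

# Rule text a setup_nat()-style function would hand to ipfw for the chosen
# backend. Printed rather than executed so it can be inspected offline;
# the rule numbers (50, 123) are illustrative, not taken from the message.
nat_rules() {
    case "$(select_nat_backend)" in
    kernel)
        echo "nat 123 config if ${firewall_nat_interface} ${firewall_nat_flags}"
        echo "add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}"
        ;;
    natd)
        echo "add 50 divert natd ip4 from any to any via ${natd_interface}"
        ;;
    esac
}

# Demonstration in a subshell so the settings do not leak to the caller.
(
    firewall_nat_enable=YES natd_enable=YES firewall_nat_interface=em0
    echo "both enabled  -> backend=$(select_nat_backend) modules=$(nat_required_modules)"
    firewall_nat_enable=NO natd_enable=YES natd_interface=em0
    echo "natd only     -> backend=$(select_nat_backend) modules=$(nat_required_modules) coscripts=$(nat_coscripts)"
    firewall_nat_enable=NO natd_enable=NO
    echo "neither       -> backend=$(select_nat_backend)"
)
```

The point of the ordering in `select_nat_backend` is that a host which has both knobs set (for example after migrating from natd to kernel NAT without cleaning up rc.conf) gets exactly one NAT path in its ruleset, rather than a divert rule and a nat rule competing for the same traffic.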