conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled

Tue Dec 14 19:50:09 UTC 2010

>Number:         153155
>Category:       conf
>Synopsis:       [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 14 19:50:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Sandford
>Release:        FreeBSD 8.2-BETA1 i386
>Organization:
>Environment:
FreeBSD fbsd-8.2 8.2-BETA1 FreeBSD 8.2-BETA1 #0: Sun Dec 5 02:13:37 UTC 2010 root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
/etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.

This causes the divert rules that /etc/rc.firewall adds in this case to fail on system boot, with the following error message displayed during ipfw rule load:
ipfw: getsockopt(IP_FW_ADD): Invalid argument

Restarting ipfw works around the problem as /etc/rc.d/natd (which is run _after_ ipfw is intialised) DOES load ipdivert.
>How-To-Repeat:
In /etc/rc.conf

===
..
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_type="Client"
..
===
>Fix:
Apply the attached patch.

This is verified to fix the problem in 8.2-BETA1, also 8.1-RELEASE. The patched file is identical in HEAD (against which the patch has been created) and 8.2-BETA1.

Patch attached with submission follows:

Index: rc.d/ipfw
===================================================================

--- rc.d/ipfw	(revision 216439)
+++ rc.d/ipfw	(working copy)
@@ -31,6 +31,10 @@
 			required_modules="$required_modules ipfw_nat"
 		fi
 	fi
+
+	if checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
+	fi
 }
 
 ipfw_start()


>Release-Note:
>Audit-Trail:
>Unformatted:
