conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on
start if nat enabled
Thomas Sandford
freebsduser at paradisegreen.co.uk
Tue Dec 14 19:50:09 UTC 2010
>Number: 153155
>Category: conf
>Synopsis: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Dec 14 19:50:08 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Thomas Sandford
>Release: FreeBSD 8.2-BETA1 i386
>Organization:
>Environment:
FreeBSD fbsd-8.2 8.2-BETA1 FreeBSD 8.2-BETA1 #0: Sun Dec 5 02:13:37 UTC 2010 root at almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
/etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.
This causes the divert rules that /etc/rc.firewall adds in this case to fail on system boot, with the following error message displayed during ipfw rule load:
ipfw: getsockopt(IP_FW_ADD): Invalid argument
Restarting ipfw works around the problem as /etc/rc.d/natd (which is run _after_ ipfw is initialised) DOES load ipdivert.
>How-To-Repeat:
In /etc/rc.conf
===
..
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_type="Client"
..
===
>Fix:
Apply the attached patch.
This is verified to fix the problem in 8.2-BETA1, also 8.1-RELEASE. The patched file is identical in HEAD (against which the patch has been created) and 8.2-BETA1.
Patch attached with submission follows:
Index: rc.d/ipfw
===================================================================
--- rc.d/ipfw (revision 216439)
+++ rc.d/ipfw (working copy)
@@ -31,6 +31,10 @@
required_modules="$required_modules ipfw_nat"
fi
fi
+
+ if checkyesno natd_enable; then
+ required_modules="$required_modules ipdivert"
+ fi
}
ipfw_start()
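Review bot: the added `if checkyesno natd_enable; then` block carries no comment saying why the ipfw script needs ipdivert, and the reason is not obvious from the code, since /etc/rc.d/natd also loads that module. A one-line comment above the check would help, stating that /etc/rc.firewall adds divert rules when natd is enabled and that those rules are loaded before /etc/rc.d/natd runs. The new block also sits outside the preceding conditional that appends ipfw_nat, so ipdivert is requested whenever natd_enable is set, regardless of that branch. If that is intended, the comment should say so.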
>Release-Note:
>Audit-Trail:
>Unformatted: