Kernel Update / IPFW not working

Ian Smith smithi at nimnet.asn.au
Mon Mar 7 14:30:28 UTC 2011


On Mon, 7 Mar 2011, Thomas Sandford wrote:
 > On 06/03/2011 14:23, Dave Johnson wrote:
 > > An IPFW problem when going from release to stable on 8.2
 > > 
 > > Any help gladly accepted
 > > 
 > > LOG ON
 > > 
 > > Flushed all rules.
 > > 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
 > > 00030 divert 8668 ip from any to any via bge0
 > > ipfw: getsockopt(IP_FW_ADD): Invalid argument
 > > 50000 allow ip from any to any
 > > Firewall rules loaded.
 > > Starting natd.
 > > 
 > > rc.conf
 > > defaultrouter="192.168.0.1"
 > > gateway_enable="YES"
 > > hostname="xxx.xxx.xxx"
 > > ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
 > > ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
 > > keymap="us.iso"
 > > moused_enable="YES"
 > > sshd_enable="YES"
 > > firewall_enable="YES"
 > > firewall_script="/etc/rc.firewall"
 > > natd_program="/sbin/natd"
 > > natd_enable="YES"
 > > natd_interface="bge0"
 > > natd_flags="-f /etc/natd.conf"
 > > dhcpd_enable="NO"
 > > dhcpd_flags="-q"
 > > dhcpd_conf="/usr/local/etc/dhcpd.conf"
 > > dhcpd_ifaces="em0"
 > > dhcpd_withumask="022"
 > > 
 > > ... [additional config which doesn't further isolate the problem snipped]
 > > ...

Beg to differ.  'ipfw fwd' still requires building a custom kernel with 
options IPFIREWALL_FORWARD last I heard.  Julian's explained a few times 
that it's not compiled in by default for performance reasons, and can't 
be isolated to modules as it adds code in multiple parts of the stack.

 > It's a bug with the ipfw / natd startup scripts.
 > 
 > See:
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/153155
 > 
 > The latter has a patch to fix the problem.

It's a similar but not quite the same issue, albeit the same message.
Quoting your conf/153155:

: /etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.
:
: This causes the divert rules that /etc/rc.firewall adds in this case to 
: fail on system boot, with the following error message displayed during 
: ipfw rule load:
: ipfw: getsockopt(IP_FW_ADD): Invalid argument
: 
: Restarting ipfw works around the problem as /etc/rc.d/natd (which is run 
: _after_ ipfw is initialised) DOES load ipdivert.

And requoting Dave's:

: > KERNEL
: >
: > options IPFIREWALL
: > options IPFIREWALL_VERBOSE
: > options IPFIREWALL_VERBOSE_LIMIT=5
: > options IPFIREWALL_DEFAULT_TO_ACCEPT
: > options IPDIVERT
: > options DUMMYNET

In this case ipfw was built into kernel, including IPDIVERT, so it's not 
a failure to load that module but lack of IPFIREWALL_FORWARD, I believe.

Hopefully hrs@ is still looking into patches including yours and mine re 
/etc/rc.d script module loading order and natd vs kernel nat issues ..

cheers, Ian
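Added example, not part of the thread or of FreeBSD's rc scripts: a POSIX sh pre-flight check that compares the ipfw actions used in a rule script against the options in a static kernel config, so the "getsockopt(IP_FW_ADD): Invalid argument" failure from a missing IPDIVERT or IPFIREWALL_FORWARD is caught before boot rather than at rule load. The file names, the rc.firewall.local rule script and its fwd rule are constructed for the demo; only the kernel options are Dave's.

```shell
# Pre-flight check: does this rule script need ipfw features the kernel config
# lacks?  A static kernel without IPDIVERT or IPFIREWALL_FORWARD rejects
# 'divert' / 'fwd' rules with: ipfw: getsockopt(IP_FW_ADD): Invalid argument
# has_option CONFIG NAME: true if CONFIG has "options NAME" (comments ignored)
has_option() {
    sed 's/#.*//' "$1" | grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]|=|\$)"
}

# rules_use RULES ACTION: true if the ipfw action appears as a whole word
rules_use() {
    sed 's/#.*//' "$1" | grep -Eqw "$2"
}

# check_ipfw_kernel CONFIG RULES: print each kernel option the rules need but
# the config lacks; return 1 if anything is missing.  (With a modular kernel
# the equivalent check is kldstat -q -m ipfw / ipdivert; fwd has no module.)
check_ipfw_kernel() {
    _missing=0
    has_option "$1" IPFIREWALL || { echo "missing: options IPFIREWALL"; _missing=1; }
    if rules_use "$2" divert && ! has_option "$1" IPDIVERT; then
        echo "missing: options IPDIVERT (divert rules)"; _missing=1
    fi
    if rules_use "$2" fwd && ! has_option "$1" IPFIREWALL_FORWARD; then
        echo "missing: options IPFIREWALL_FORWARD (fwd rules)"; _missing=1
    fi
    return $_missing
}

# write_samples DIR: constructed inputs, Dave's kernel options from the thread
# plus a rule script with a divert rule and an (assumed) fwd rule.
write_samples() {
    cat > "$1/KERNEL" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
EOF
    cat > "$1/rc.firewall.local" <<'EOF'
ipfw add 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 00030 divert 8668 ip from any to any via bge0
ipfw add 00040 fwd 192.168.0.1 ip from 192.168.1.0/24 to any out via bge0
ipfw add 50000 allow ip from any to any
EOF
}

_d=$(mktemp -d); write_samples "$_d"
check_ipfw_kernel "$_d/KERNEL" "$_d/rc.firewall.local" || echo "fix kernel config or load modules first"; rm -r "$_d"
```

With Dave's options the check reports only IPFIREWALL_FORWARD as missing, which is the gap Ian points at for 'ipfw fwd'; the divert rule passes because IPDIVERT is compiled in.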


More information about the freebsd-ipfw mailing list