Kernel Update / IPFW not working
Ian Smith
smithi at nimnet.asn.au
Mon Mar 7 14:30:28 UTC 2011
On Mon, 7 Mar 2011, Thomas Sandford wrote:
> On 06/03/2011 14:23, Dave Johnson wrote:
> > An IPFW problem when going from release to stable on 8.2
> >
> > An help gladly accepted
> >
> > LOG ON
> >
> > Flushed all rules.
> > 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> > 00030 divert 8668 ip from any to any via bge0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > 50000 allow ip from any to any
> > Firewall rules loaded.
> > Starting natd.
> >
> > rc.conf
> > defaultrouter="192.168.0.1"
> > gateway_enable="YES"
> > hostname="xxx.xxx.xxx"
> > ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> > keymap="us.iso"
> > moused_enable="YES"
> > sshd_enable="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/rc.firewall"
> > natd_program="/sbin/natd"
> > natd_enable="YES"
> > natd_interface="bge0"
> > natd_flags="-f /etc/natd.conf"
> > dhcpd_enable="NO"
> > dhcpd_flags="-q"
> > dhcpd_conf="/usr/local/etc/dhcpd.conf"
> > dhcpd_ifaces="em0"
> > dhcpd_withumask="022"
> >
> > ... [additional config which doesn't further isolate the problem snipped]
> > ...
Beg to differ. 'ipfw fwd' still requires building a custom kernel with
options IPFIREWALL_FORWARD last I heard. Julian's explained a few times
that it's not compiled in by default for performance reasons, and can't
be isolated to modules as it adds code in multiple parts of the stack.
> It's a bug with the ipfw / natd startup scripts.
>
> See:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/153155
>
> The latter has a patch to fix the problem.
It's a similar but not quite the same issue, albeit the same message.
Quoting your conf/153155:
: /etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.
:
: This causes the divert rules that /etc/rc.firewall adds in this case to
: fail on system boot, with the following error message displayed during
: ipfw rule load:
: ipfw: getsockopt(IP_FW_ADD): Invalid argument
:
: Restarting ipfw works around the problem as /etc/rc.d/natd (which is run
: _after_ ipfw is intialised) DOES load ipdivert.
And requoting Dave's:
: > KERNEL
: >
: > options IPFIREWALL
: > options IPFIREWALL_VERBOSE
: > options IPFIREWALL_VERBOSE_LIMIT=5
: > options IPFIREWALL_DEFAULT_TO_ACCEPT
: > options IPDIVERT
: > options DUMMYNET
In this case ipfw was built into kernel, including IPDIVERT, so it's not
a failure to load that module but lack of IPFIREWALL_FORWARD, I believe.
Hopefully hrs@ is still looking into patches including yours and mine re
/etc/rc.d script module loading order and natd vs kernel nat issues ..
cheers, Ian
More information about the freebsd-ipfw
mailing list