ipfw fwd not working in 6.2-release

Terry Todd tlt at badger.tltodd.com
Fri Apr 13 14:01:06 UTC 2007


On Fri, Apr 13, 2007 at 09:28:05AM +0200, Jonathan McKeown wrote:
> [Reordered, freebsd-questions re-added]
> On Thursday 12 April 2007 20:58, Terry Todd wrote:
> > On Thu, Apr 05, 2007 at 04:20:22PM +0200, Jonathan McKeown wrote:
> > > On Thursday 05 April 2007 16:01, Jonathan McKeown wrote:
> > > > > On Thursday 05 April 2007 15:42, Terry Todd wrote:
> > >
> > > [ipfw not accepting fwd rules when kernel built with
> > > options IPFIREWALL_FORWARD
> > > and I agreed, saying]
> > >
> > > > Has the way ipfw.ko is built changed? Do we need to compile ipfw into
> > > > the kernel to use ipfw fwd rules now? Or can I force ipfw.ko to be
> > > > rebuilt with forwarding included?
> > >
> > > I'm on my way home now, but a quick look at the source suggests that
> > > unless ipfw.ko is built with this option set, rule-based forwarding is
> > > disabled - and indeed this message appears in my boot messages.
> > >
> > > Presumably the option is not fed to the module during a buildkernel.
> > >
> > > I'm going to try building just that module with the option set.
> >
> > Have you made any progress on this?
> >
> > Thanks,
> 
> I must admit I gave up on rebuilding the module. My rationale for using 
> ipfw.ko rather than options IPFIREWALL was to reduce the number of custom 
> kernels I run (I have several servers throughout South Africa and in London, 
> with a central build system). It dawned on me that if I'm using options 
> IPFIREWALL_FORWARD I'm already building a custom kernel anyway, so I might as 
> well add options IPFIREWALL as well.
> 
> That worked.
> 
> The alternative seems to be to edit the Makefile for ipfw - which I didn't 
> want to do as I'm building multiple kernels for multiple machines on my build 
> box. If you're building one kernel on the box it's going to be installed on, 
> it looks to me as though the place to start is /sys/modules/ipfw/Makefile, 
> which I'm quoting in its entirety as it's a short file:
> 
> ========
> # $FreeBSD: src/sys/modules/ipfw/Makefile,v 1.21.2.2 2006/09/19 15:45:21 csjp Exp $
> 
> .PATH: ${.CURDIR}/../../netinet
> 
> KMOD=   ipfw
> SRCS=   ip_fw2.c ip_fw_pfil.c
> SRCS+=  opt_inet6.h opt_ipsec.h opt_mac.h
> 
> CFLAGS+= -DIPFIREWALL
> #
> #If you want it verbose
> #CFLAGS+= -DIPFIREWALL_VERBOSE
> #CFLAGS+= -DIPFIREWALL_VERBOSE_LIMIT=100
> #
> #If you want it to pass all packets by default
> #CFLAGS+= -DIPFIREWALL_DEFAULT_TO_ACCEPT
> #
> 
> .if !defined(KERNBUILDDIR)
> .if !defined(NO_INET6)
> opt_inet6.h:
>         echo "#define INET6 1" > ${.TARGET}
> .endif
> .endif
> 
> .include <bsd.kmod.mk>
> ========
> 
> It looks as though you would need to add
> CFLAGS += -DIPFIREWALL_FORWARD
> 
> to build an ipfw.ko which supports forward rules. You can see quickly whether 
> you have succeeded, as ipfw (built-in or loaded as module) puts a line into 
> your boot messages which tells you whether ``rule-based forwarding'' is 
> enabled or disabled.
> 
> This may be more of a question for -hackers than -questions, but I'd be 
> interested to know why modules ignore kernel options and whether there's any 
> way to change or override that.
> 
> Jonathan



To summarize:

adding both lines:
options IPFIREWALL
options IPFIREWALL_FORWARD

works

adding just the one line:
options IPFIREWALL_FORWARD

does not work.

Thanks very much.

Terry Todd
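The two checks the thread relies on (which options a kernel config carries, and what ipfw reports about rule-based forwarding at boot) can be scripted. The script below is an added example, not code from the thread or from FreeBSD; the config snippets and boot-message lines in it are constructed samples, and the function names are my own. It classifies a kernel config as "both options", "IPFIREWALL_FORWARD only" (the combination Terry reports as not working) or "no forwarding requested", and reads boot messages on stdin to report whether ipfw printed "rule-based forwarding enabled" or "disabled".

```shell
#!/bin/sh
# Added example, not from the thread: make the thread's conclusion checkable
# on a build box.
#  1. check_ipfw_options FILE      inspects a kernel config file for the
#                                  IPFIREWALL / IPFIREWALL_FORWARD combination.
#  2. rule_based_forwarding_state  reads boot messages on stdin and reports
#                                  what ipfw printed about rule-based forwarding.

# Return codes: 0 = both options present (the combination that worked),
# 1 = IPFIREWALL_FORWARD without IPFIREWALL (reported as not working),
# 2 = forwarding not requested at all.
check_ipfw_options() {
    cfg=$1
    fw=0
    fwd=0
    while IFS= read -r line; do
        line=${line%%#*}            # drop trailing comments
        set -- $line                # split the line into words on whitespace
        [ "${1:-}" = "options" ] || continue
        case "${2:-}" in
            IPFIREWALL)         fw=1 ;;
            IPFIREWALL_FORWARD) fwd=1 ;;
        esac
    done < "$cfg"
    [ "$fwd" -eq 1 ] || return 2
    [ "$fw" -eq 1 ]  || return 1
    return 0
}

# Prints "enabled", "disabled" or "unknown" depending on the ipfw init line
# found in the boot messages piped to stdin.
rule_based_forwarding_state() {
    state=unknown
    while IFS= read -r line; do
        case "$line" in
            *"rule-based forwarding enabled"*)  state=enabled ;;
            *"rule-based forwarding disabled"*) state=disabled ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed sample kernel configs (not files from the thread).
write_samples() {
    dir=$1
    printf 'options IPFIREWALL\noptions IPFIREWALL_FORWARD\n' > "$dir/both"
    printf 'options\tIPFIREWALL_FORWARD  # hoped the module would pick this up\n' > "$dir/fwd_only"
    printf 'options INET6\n' > "$dir/none"
}

# Constructed boot-message lines in the shape the thread describes
# (assumed wording around the "rule-based forwarding" phrase).
DMESG_ENABLED='ipfw2 initialized, divert loadable, rule-based forwarding enabled, default to deny, logging disabled'
DMESG_DISABLED='ipfw2 initialized, divert loadable, rule-based forwarding disabled, default to deny, logging disabled'

main_demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in both fwd_only none; do
        rc=0
        check_ipfw_options "$tmp/$f" || rc=$?
        echo "$f: rc=$rc"
    done
    printf '%s\n' "$DMESG_ENABLED" | rule_based_forwarding_state
    rm -rf "$tmp"
}
main_demo
```

On a real machine the second check is `dmesg | rule_based_forwarding_state`, run after loading ipfw.ko or booting the new kernel; the first check is worth running against every config on a central build box before a buildkernel, since the thread shows the bad combination compiles cleanly and only reveals itself at rule-load time.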

