conf/167566: [rc.d] ipdivert module loading vs. ipfw rc.d order issue
Dmitry Marakasov
amdmi3 at FreeBSD.org
Thu May 3 19:30:13 UTC 2012
>Number: 167566
>Category: conf
>Synopsis: [rc.d] ipdivert module loading vs. ipfw rc.d order issue
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu May 03 19:30:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Dmitry Marakasov
>Release: FreeBSD 9.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD hades.panopticon 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 10 01:33:18 MSK 2012 root at hades.panopticon:/usr/obj/usr/src/sys/HADES amd64
>Description:
1) if ipfw divert rules are used, the ipdivert module must be loaded before the rules are added, or adding a divert rule with ipfw will fail
2) the ipdivert module is loaded by rc.d/natd
3) there's nothing to make rc.d/natd run before rc.d/ipfw, and in reality the order is incorrect:
% rcorder /etc/rc.d/* | grep -Ee 'ipfw|natd'
/etc/rc.d/ipfw
/etc/rc.d/natd
Thus, someone using natd will run into an incomplete ruleset and will have to add ipdivert_load="YES" to /boot/loader.conf.
The attached patch makes rc.d/natd run before rc.d/ipfw, so the module is automatically loaded in time.
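As an added example (not part of this PR or of FreeBSD's rc.d), the script below builds two constructed rc.d-style headers standing in for rc.d/natd with the proposed `# BEFORE: ipfw` line and for rc.d/ipfw, and checks whether that ordering hint can take effect at boot. The `rc_*` helper names and the temporary directory are assumptions; the headers are constructed stand-ins, not copies of the real scripts.

```shell
#!/bin/sh
# Added example: rc(8) builds its boot list with "rcorder -s nostart", so a
# script carrying "KEYWORD: nostart" is skipped at boot no matter what its
# BEFORE:/REQUIRE: lines say. Running rcorder(8) by hand shows the new
# order, but that is not the list /etc/rc actually executes.

RC_DIR=$(mktemp -d)              # constructed stand-in for /etc/rc.d
trap 'rm -rf "$RC_DIR"' EXIT

cat > "$RC_DIR/natd" <<'EOF'
#!/bin/sh
# PROVIDE: natd
# KEYWORD: nostart nojail
# BEFORE: ipfw
EOF

cat > "$RC_DIR/ipfw" <<'EOF'
#!/bin/sh
# PROVIDE: ipfw
# KEYWORD: nojail
EOF

# Print the value of an rcorder header line ("# NAME: a b c").
rc_header() { # $1=script path, $2=header name
    sed -n "s/^# $2:[[:space:]]*//p" "$1"
}

# Succeed when the script lists $2 among its KEYWORD: values.
rc_has_keyword() { # $1=script path, $2=keyword
    rc_header "$1" KEYWORD | tr ' ' '\n' | grep -qx "$2"
}

# Succeed when $1 declares it must run before the script providing $2.
rc_orders_before() { # $1=script path, $2=provided name
    rc_header "$1" BEFORE | tr ' ' '\n' | grep -qx "$2"
}

# Succeed when the BEFORE: hint in $1 towards $2 is dead at boot: the hint
# is present, but the script is nostart and never enters rc(8)'s boot list.
rc_hint_dead_at_boot() { # $1=script path, $2=provided name
    rc_orders_before "$1" "$2" && rc_has_keyword "$1" nostart
}

if rc_hint_dead_at_boot "$RC_DIR/natd" ipfw; then
    echo "natd: BEFORE: ipfw is set, but KEYWORD: nostart keeps rc(8) from running it at boot"
fi
```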
>How-To-Repeat:
>Fix:
--- rc.d-natd.patch begins here ---
diff --git etc/rc.d/natd etc/rc.d/natd
index 35f17bb..fcc8920 100755
--- etc/rc.d/natd
+++ etc/rc.d/natd
@@ -5,6 +5,7 @@
# PROVIDE: natd
# KEYWORD: nostart nojail
+# BEFORE: ipfw
. /etc/rc.subr
. /etc/network.subr
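Review bot: the new `# BEFORE: ipfw` line cannot fix the boot-time ordering on its own, because the script keeps `# KEYWORD: nostart` two lines above it and /etc/rc builds its start list with `rcorder -s nostart`, which drops this script entirely; running rcorder(8) by hand (as in the Description) will show natd ahead of ipfw, but rc(8) still never runs rc.d/natd directly, so ipdivert is still not loaded before the divert rule is added. Either the nostart keyword has to be dropped (after checking that nothing else, such as rc.d/ipfw, already invokes this script itself, which is what nostart usually signals), or the dependency belongs where the divert rule is actually added, for example by having rc.d/ipfw add ipdivert to its required_modules when natd_enable is set. Whichever is chosen, a comment next to the ordering line explaining why natd must precede ipfw would save the next reader the same investigation.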
--- rc.d-natd.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: