Request for policy decision: kernel nat vs/and/or natd

Hiroki Sato hrs at FreeBSD.org
Sat Jan 15 16:12:53 UTC 2011


Ian Smith <smithi at nimnet.asn.au> wrote
  in <20110108220300.Q15397 at sola.nimnet.asn.au>:

sm> On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
sm>  > On Fri, 7 Jan 2011, Brandon Gooch wrote:
sm>  >  > On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
sm> [..]
sm>  >  > > We could:
sm>  >  > >
sm>  >  > > 1) Preference kernel nat over natd when both are enabled.
sm>  >  >
sm>  >  > I vote for #1.
sm>  >
sm>  > Thanks.  So far, that makes an overwhelming majority of 2 / NIL :)
sm>  >
sm>  > I see that hrs at freebsd.org has just grabbed two related PRs:
sm>  >
sm>  > kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
sm>  > conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
sm>  >
sm>  > so this seems a good time to work up patches to that effect for review
sm>  > (/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.
sm>
sm> Ok, the attached patches are against HEAD, which is currently identical
sm> to 8-STABLE for these files.  rc.d_ipfw.patch also applies to 7-STABLE
sm> with an offset but rc.firewall.patch needs more work for 7.  I've no box
sm> on which to actually run-test tonight, and will be away for a few days.
sm>
sm> /etc/rc.d/ipfw:
sm>  . prefer kernel nat (loading ipfw_nat) to natd when both are enabled
sm>  . add ipdivert to required_modules - when only natd is enabled - as
sm>    proposed by Thomas Sandford in conf/153155 and also re kern/148928,
sm>    also fixing the related issue in conf/148137 (and possibly others)
sm>  . prefix /etc/rc.d/natd to firewall_coscripts when only natd is enabled
sm>
sm> /etc/rc.d/natd:
sm>  . seems nothing is needed; has KEYWORD nostart and so should only be
sm>    started now by ipfw when natd - but not firewall_nat - is enabled
sm>
sm> /etc/rc.firewall:
sm>  . move firewall_nat and natd code into a function, setup_nat()
sm>    preferring kernel firewall_nat to natd if both are enabled
sm>  . couldn't resist tidying up that code to within 80 columns
sm>  . call setup_nat also in 'simple' ruleset, with same intent as
sm>    proposed in conf/148144 by David Naylor
sm>  . couldn't resist fixing unnecessarily long line in 'workstation'

 The patches look good to me, but one thing I am wondering about is
 the rc.d/natd invocation in rc.d/ipfw.  When natd_enable="YES", rc.d/natd
 eventually invokes the daemon after the rc.d/ipfw script even if
 firewall_nat_enable="YES".  What do you think about adding natd to the
 REQUIRE: line of rc.d/ipfw?  Although I did not test it extensively,
 rc.d/natd can safely run before rc.d/ipfw, and from the viewpoint of
 the rc.d framework using REQUIRE is reasonable, rather than using
 $firewall_coscripts.

-- Hiroki
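As an added illustration of the selection policy discussed in this thread (this is not the attached patch and not the code of FreeBSD's rc.d/ipfw), the following POSIX sh snippet computes which NAT backend, kernel modules and co-scripts rc.d/ipfw would pick from the rc.conf knobs firewall_nat_enable and natd_enable when kernel nat is preferred over natd. The function name ipfw_nat_plan is hypothetical, and checkyesno is a simplified stand-in for the helper of the same name in /etc/rc.subr; the other entries of required_modules and firewall_coscripts are omitted.

```shell
#!/bin/sh
# Added example, not the patch from the thread: model of the proposed
# rc.d/ipfw policy "prefer kernel nat (ipfw_nat) to natd when both are
# enabled; load ipdivert and run rc.d/natd only when natd alone is enabled".

# Simplified stand-in for checkyesno from /etc/rc.subr (assumption):
# takes a variable NAME, succeeds when its value is a "yes"-like token.
checkyesno() {
    eval _cy_val=\$$1
    case "$_cy_val" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Hypothetical helper: given the values of firewall_nat_enable and
# natd_enable, print "<backend>|<required_modules>|<firewall_coscripts>".
ipfw_nat_plan() {
    firewall_nat_enable=$1
    natd_enable=$2
    required_modules="ipfw"          # ipfw itself is always required
    firewall_coscripts=""            # other co-scripts omitted here
    if checkyesno firewall_nat_enable; then
        # Kernel nat wins even if natd_enable is also set.
        nat_backend="kernel"
        required_modules="$required_modules ipfw_nat"
    elif checkyesno natd_enable; then
        # natd only: it needs divert sockets and must be started by ipfw,
        # since rc.d/natd carries KEYWORD nostart.
        nat_backend="natd"
        required_modules="$required_modules ipdivert"
        firewall_coscripts="/etc/rc.d/natd${firewall_coscripts:+ $firewall_coscripts}"
    else
        nat_backend="none"
    fi
    printf '%s|%s|%s\n' "$nat_backend" "$required_modules" "$firewall_coscripts"
}

# Usage: show the plan for the three interesting rc.conf combinations.
for combo in "YES YES" "NO YES" "YES NO" "NO NO"; do
    set -- $combo
    echo "firewall_nat_enable=$1 natd_enable=$2 -> $(ipfw_nat_plan "$1" "$2")"
done
```

The "YES YES" case is the one the thread is about: with this ordering ipfw_nat is loaded and /etc/rc.d/natd is never placed in firewall_coscripts, so only one NAT backend ever runs.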