ipfw fwd not working in 6.2-release

Jonathan McKeown jonathan at hst.org.za
Fri Apr 13 07:25:40 UTC 2007

[Reordered, freebsd-questions re-added]
On Thursday 12 April 2007 20:58, Terry Todd wrote:
> On Thu, Apr 05, 2007 at 04:20:22PM +0200, Jonathan McKeown wrote:
> > On Thursday 05 April 2007 16:01, Jonathan McKeown wrote:
> > > > On Thursday 05 April 2007 15:42, Terry Todd wrote:
> >
> > [ipfw not accepting fwd rules when kernel built with
> > and I agreed, saying]
> >
> > > Has the way ipfw.ko is built changed? Do we need to compile ipfw into
> > > the kernel to use ipfw fwd rules now? Or can I force ipfw.ko to be
> > > rebuilt with forwarding included?
> >
> > I'm on my way home now, but a quick look at the source suggests that
> > unless ipfw.ko is built with this option set, rule-based forwarding is
> > disabled - and indeed this message appears in my boot messages.
> >
> > Presumably the option is not fed to the module during a buildkernel.
> >
> > I'm going to try building just that module with the option set.
> Have you made any progress on this?
> Thanks,

I must admit I gave up on rebuilding the module. My rationale for using 
ipfw.ko rather than options IPFIREWALL was to reduce the number of custom 
kernels I run (I have several servers throughout South Africa and in London, 
with a central build system). It dawned on me that if I'm using options 
IPFIREWALL_FORWARD I'm already building a custom kernel anyway, so I might as 
well add options IPFIREWALL as well.

That worked.

The alternative seems to be to edit the Makefile for ipfw - which I didn't 
want to do as I'm building multiple kernels for multiple machines on my build 
box. If you're building one kernel on the box it's going to be installed on, 
it looks to me as though the place to start is /sys/modules/ipfw/Makefile, 
which I'm quoting in its entirety as it's a short file:

# $FreeBSD: src/sys/modules/ipfw/Makefile,v 2006/09/19 15:45:21 csjp 
Exp $

.PATH: ${.CURDIR}/../../netinet

KMOD=   ipfw
SRCS=   ip_fw2.c ip_fw_pfil.c
SRCS+=  opt_inet6.h opt_ipsec.h opt_mac.h

#If you want it verbose
#If you want it to pass all packets by default

.if !defined(KERNBUILDDIR)
.if !defined(NO_INET6)
        echo "#define INET6 1" > ${.TARGET}

.include <bsd.kmod.mk>

It looks as though you would need to add

to build an ipfw.ko which supports forward rules. You can see quickly whether 
you have succeeded, as ipfw (built-in or loaded as module) puts a line into 
your boot messages which tells you whether ``rule-based forwarding'' is 
enabled or disabled.

This may be more of a question for -hackers than -questions, but I'd be 
interested to know why modules ignore kernel options and whether there's any 
way to change or override that.


More information about the freebsd-questions mailing list