conf/167566

Hiroki Sato hrs at FreeBSD.org
Sat Oct 27 21:48:43 UTC 2012


Chris Rees <utisoft at gmail.com> wrote
  in <201210272130.q9RLU1C8085928 at freefall.freebsd.org>:

ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft at gmail.com>
ut> To: bug-followup at freebsd.org
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 22:29:03 +0100
ut>
ut>  >  Which module do you refer to in "...the module is loaded, ...",
ut>  >  ipfw_nat.ko or ipdivert.ko?
ut>  >
ut>  >  In my understanding the problem occurs only when ipfw attempts to
ut>  >  load firewall rules including a "divert" directive and ipdivert.ko is
ut>  >  not loaded at that time.  natd(8) also requires ipdivert.ko, but
ut>  >  rc.d/natd already has required_modules="ipdivert".
ut>  >  firewall_nat_enable is a knob for in-kernel NAT (this requires
ut>  >  ipfw_nat.ko), so a more orthogonal way would be like the following
ut>  >  patch:
ut>  >
ut>  >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
ut>  >
ut>  >  It is still unclear to me what is harmful with "checkyesno
ut>  >  natd_enable" here.  Can you elaborate on it a little more?
ut>
ut>  Check rcorder:
ut>
ut>  [crees at pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
ut>  /etc/rc.d/ipfw
ut>  /etc/rc.d/natd
ut>
ut>  That means that natd doesn't run until after ipfw.  This means that on
ut>  boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
ut>  *regardless of the state of natd_enable*.

 The rc.d/ipfw script has $required_modules and the modules listed
 there are installed before ipfw(8) runs.  It has nothing to do with
 rc.d/natd and its order even if it uses "checkyesno natd_enable".
 Why do you think these modules are not loaded when rc.d/ipfw runs?

ut>  Therefore, checkyesno natd_enable does not guarantee that either
ut>  ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.

-- Hiroki