Date:      Wed, 11 Aug 2010 00:59:31 +0700
From:      Eugene Grosbein <eugen@eg.sd.rdtc.ru>
To:        Alan Hicks <alan@p-o.co.uk>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: NAT issue in 8.1
Message-ID:  <20100810175931.GB63364@rdtc.ru>
In-Reply-To: <4C61712E.7030704@p-o.co.uk>
References:  <4C61712E.7030704@p-o.co.uk>

On Tue, Aug 10, 2010 at 04:33:02PM +0100, Alan Hicks wrote:

> Having upgraded to Release-8.1, there appears to be an issue with 
> network address translation where a newly booted machine fails to setup 
> nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'

That's because your kernel (GENERIC?) does not have ipdivert support enabled.
That's not fatal, see later.

> 
> Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)
> 
> rc.conf
> ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
> ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
> defaultrouter="192.168.0.1"
> firewall_enable="YES"
> firewall_type="open"
> firewall_logging="yes"
> natd_enable="YES"
> natd_interface="em0"
> 
> Boot excerpt from console, typed as it does not make it to 
> /var/log/messages so apologies for any typos
> 
> add net default: gateway 192.168.0.1
> Additional routing options: IP gateway=YES
> Starting devd.
> ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based 
> forwarding disabled, default to deny, logging disabled
> load_dn_sched dn_sched FIFO loaded
> load_dn_sched dn_sched QFQ loaded
> load_dn_sched dn_sched RR loaded
> load_dn_sched dn_sched WF2Q+ loaded
> load_dn_sched dn_sched PRIO loaded
> flushed all rules.
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> ipfw: getsockopt(IP_FW_ADD): Invalid argument

At this point, there is still no ipdivert support loaded.

> 65000 allow ip from any to any
> Firewall rules loaded.
> Firewall logging enabled.
> Starting natd.

At this point, kernel module ipdivert.ko is loaded.

> Loading /lib/libalias_cuseeme.so
> Loading /lib/libalias_ftp.so
> Loading /lib/libalias_irc.so
> Loading /lib/libalias_nbt.so
> Loading /lib/libalias_pptp.so
> Loading /lib/libalias_skinny.so
> Loading /lib/libalias_smedia.so
> Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes
> 
> Although all appears to be ok, machines on the xl0 192.168.202.0/24 
> subnet can't see the internet.  Running /etc/rc.firewall manually fixes 
> the issue.

ipdivert.ko is loaded, hence re-loading firewall rules helps.
 
> 
> The machine was upgraded from 8.0 using unmodified cvs sources using 
> buildkernel, buildworld, installworld, installkernel mergemaster.
> 
> Any help appreciated.

Just load ipdivert.ko earlier by means of loader.conf:

echo 'ipdivert_load="YES"' >> /boot/loader.conf

Alternatively, rebuild the kernel with options IPFIREWALL and IPDIVERT.

Eugene Grosbein
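The `echo >> /boot/loader.conf` one-liner above appends blindly, so a pre-existing `ipdivert_load="NO"` line would still win and a second run would leave duplicates. The following POSIX sh helper is an added example (not from this thread) that sets the variable exactly once; the function names and the use of a temporary file instead of `sed -i` are my own choices, made so it behaves the same under BSD and GNU userland.

```sh
#!/bin/sh
# Added example: set a loader.conf variable idempotently so ipdivert.ko is
# loaded at boot, before /etc/rc.d/ipfw installs the divert rule from
# /etc/rc.firewall. /etc/rc.d/natd only loads the module when natd starts,
# which (as the thread shows) is after the rules have already been tried.
#
# Usage: set_loader_var /boot/loader.conf ipdivert_load YES

set_loader_var() {
    file=$1 name=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    if grep -q "^${name}=" "$file"; then
        # Rewrite the existing assignment in place (e.g. a stale ="NO").
        sed "s|^${name}=.*|${name}=\"${value}\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        # Guard against a file whose last line has no trailing newline.
        if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
            echo >> "$tmp"
        fi
        printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Exit 0 if NAME is set to VALUE in FILE, 1 otherwise.
loader_var_is() {
    grep -q "^$2=\"$3\"\$" "$1"
}

# On a real FreeBSD box, confirm the module is actually resident before
# trusting the rules: kldstat -q -m ipdivert exits 0 only when it is loaded.
ipdivert_loaded() {
    command -v kldstat > /dev/null 2>&1 && kldstat -q -m ipdivert
}
```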



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100810175931.GB63364>