From owner-freebsd-net@FreeBSD.ORG Sun Apr 17 15:55:59 2011
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A3314106566B for ; Sun, 17 Apr 2011 15:55:59 +0000 (UTC) (envelope-from rondzierwa@comcast.net)
Received: from qmta03.westchester.pa.mail.comcast.net (qmta03.westchester.pa.mail.comcast.net [76.96.62.32]) by mx1.freebsd.org (Postfix) with ESMTP id 5E4098FC17 for ; Sun, 17 Apr 2011 15:55:59 +0000 (UTC)
Received: from omta07.westchester.pa.mail.comcast.net ([76.96.62.59]) by qmta03.westchester.pa.mail.comcast.net with comcast id YfoV1g0021GhbT853fvzwy; Sun, 17 Apr 2011 15:55:59 +0000
Received: from sz0128.wc.mail.comcast.net ([76.96.58.192]) by omta07.westchester.pa.mail.comcast.net with comcast id Yfvz1g00348qnZY3TfvzF4; Sun, 17 Apr 2011 15:55:59 +0000
Date: Sun, 17 Apr 2011 15:55:59 +0000 (UTC)
From: rondzierwa@comcast.net
To: "J. Hellenthal"
Message-ID: <104526415.1263850.1303055758946.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>
In-Reply-To: <311011138.1263836.1303055734510.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>
MIME-Version: 1.0
X-Originating-IP: [68.50.136.212]
X-Mailer: Zimbra 6.0.5_GA_2431.RHEL5_64 (ZimbraWebClient - FF3.0 (Win)/6.0.5_GA_2427.RHEL4)
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-net@freebsd.org, hrs@freebsd.org, Ian Smith
Subject: Re: natd starting after firewall rules are loaded
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 17 Apr 2011 15:55:59 -0000

All, thank you for your help. I went back to my old system and found that I did, in fact, build the kernel with several firewall options, including nat and divert.

I added the same flags to my new 8.2 kernel and built it, and, since divert is already there, the firewall rules load the first time through.

One other thing that's missing since 4.9 (and this probably needs to go to some other list) is the kernel LINT file. Unless you already know about these firewall options there is nowhere you can go to find them. The documentation makes some mention of them, but not all of them. I was lucky because I still had my old system lying around that I could look at, but I found these options in the first place because I looked at the LINT file and added any options that I thought were pertinent.

Man, I sound like my dad... back when I was your age, we had a kernel LINT file, you kids these days don't know anything... :-))

Thanks again for your help,
ron.

----- Original Message -----
From: "J. Hellenthal"
To: "Ian Smith"
Cc: rondzierwa@comcast.net, freebsd-net@freebsd.org, hrs@freebsd.org
Sent: Sunday, April 17, 2011 2:01:17 AM
Subject: Re: natd starting after firewall rules are loaded

On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
>On Sat, 16 Apr 2011, rondzierwa@comcast.net wrote:
>
> > After the firewall rules are loaded, the rc script then loads natd.
> > Once the system is up, I can ipfw list and the divert command is,
> > in fact, not there, but by this time natd is running. If I run the rc.firewall
> > script interactively, it completes successfully and the divert rule
> > is in the list, and everyone is happy again.
>
>There are several outstanding PRs about this and related issues; copying
>hrs@ who grabbed these PRs a while ago. The quick fix is to add
>
>ipdivert_load="YES"
>
>to /boot/loader.conf so it's there before ipfw & natd start. You still
>need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
>
> > In 4.9 there used to be a rc.network script that started natd before
> > it loaded the firewall rules. I do not see it in 8.2 anymore; instead
> > it looks like rc simply runs the scripts in rc.d alphabetically, so natd
> > comes after ipfw.
>
>Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
>keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but
>as you've seen, ipfw's attempt to install divert rule(s) fails for want
>of ipdivert.ko - which /etc/rc.d/natd does load, but too late.
>
> > I can't believe I'm the only one using ipfw and natd with 8.2, so it
> > seems to me that I just don't know the secret handshake that will
> > make it work.
>
>In 4.x you had to build ipfw into kernel; lots of changes since :)
>
>cheers, Ian

Add the following to change the order of the scripts in which they run.

/etc/rc.d/natd:
# BEFORE: ipfw

/etc/rc.d/ipfw:
# AFTER: natd

And that will change the order in which the scripts execute. Whether this has any implications on other running daemons you will have to check, but as far as rcorder(8) goes that will put ipfw executing just after natd.

rcorder /etc/rc.d/*
[...]
/etc/rc.d/routed
/etc/rc.d/defaultroute
/etc/rc.d/natd
/etc/rc.d/ipfw
/etc/rc.d/netoptions
/etc/rc.d/NETWORKING
[...]

PS: For those with commit bits...

$ rcorder /etc/rc.d/ipfw
rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
/etc/rc.d/ipfw

Don't know why, because:

$ grep -n ppp /etc/rc.d/* | grep PROVIDE
/etc/rc.d/ppp:6:# PROVIDE: ppp

There are a few other scripts in there that generate other similar errors, but this one seems sketchy to me.

-- 
Regards,
J. Hellenthal
WWJD
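The ordering mechanism discussed in the thread, as an added example that is not part of the thread and not FreeBSD's rcorder: a small POSIX sh/awk re-implementation of the order rcorder(8) derives from the "# PROVIDE:", "# REQUIRE:" and "# BEFORE:" header comments, run over constructed stand-in scripts (the names match rc.d scripts mentioned above, but their dependency lines are invented for the demo, not copied from FreeBSD). Two caveats a practitioner should know: rcorder(8) honours the keywords PROVIDE, REQUIRE, BEFORE and KEYWORD only, so a "# AFTER: natd" line in ipfw is ignored and the "# BEFORE: ipfw" line in natd alone carries the ordering; and rcorder resolves requirements only among the files named on its command line, which is why running it on /etc/rc.d/ipfw by itself reports ppp as having no provider even though /etc/rc.d/ppp provides it. Tie-breaking by command-line order is this example's choice, not necessarily rcorder's.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the dependency ordering rcorder(8)
# derives from rc.d header comments. Not FreeBSD's rcorder and not a script
# from this thread; all scripts below are constructed for the demo.

# mkrc PATH PROVIDE REQUIRE BEFORE: write a constructed stand-in rc.d script
mkrc() {
    {
        echo '#!/bin/sh'
        echo "# PROVIDE: $2"
        if [ -n "$3" ]; then echo "# REQUIRE: $3"; fi
        if [ -n "$4" ]; then echo "# BEFORE: $4"; fi
    } > "$1"
}

# rcorder_lite FILE...: print FILEs in start order; warn on any REQUIRE that
# no file on the command line PROVIDEs (the same situation rcorder(8) warns about).
rcorder_lite() {
    awk '
    function link(a, b) {               # a must start before b; count each edge once
        if (!((a, b) in edge)) { edge[a, b] = 1; indeg[b]++ }
    }
    FNR == 1      { order[++n] = FILENAME }
    /^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[$i] = FILENAME }
    /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[FILENAME, ++nreq[FILENAME]] = $i }
    /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[FILENAME, ++nbef[FILENAME]] = $i }
    END {
        for (k = 1; k <= n; k++) {
            f = order[k]
            for (i = 1; i <= nreq[f]; i++) {
                r = req[f, i]
                if (r in prov) { link(prov[r], f) } else {
                    printf "rcorder_lite: requirement %s in file %s has no providers.\n", r, f > "/dev/stderr"
                }
            }
            for (i = 1; i <= nbef[f]; i++) {
                b = bef[f, i]
                if (b in prov) link(f, prov[b])   # a BEFORE target not on the command line is ignored
            }
        }
        # Kahn topological sort: emit the first file (in input order) with no pending deps
        emitted = 0
        while (emitted < n) {
            progressed = 0
            for (k = 1; k <= n; k++) {
                f = order[k]
                if (seen[f] || indeg[f] > 0) continue
                print f; seen[f] = 1; emitted++; progressed = 1
                for (j = 1; j <= n; j++) if ((f, order[j]) in edge) indeg[order[j]]--
                break
            }
            if (!progressed) { print "rcorder_lite: circular dependency" > "/dev/stderr"; exit 1 }
        }
    }' "$@"
}

# rcorder_demo stock|fixed: constructed scripts fed in alphabetical order (as a
# shell glob would). "fixed" adds "# BEFORE: ipfw" to natd, the change proposed
# in the thread; "stock" leaves natd unrelated to ipfw.
rcorder_demo() {
    demo_dir=$(mktemp -d) || return 1
    mkrc "$demo_dir/netif"        netif        ""     ""
    mkrc "$demo_dir/routed"       routed       netif  ""
    mkrc "$demo_dir/defaultroute" defaultroute routed ""
    mkrc "$demo_dir/ppp"          ppp          netif  ""
    mkrc "$demo_dir/ipfw"         ipfw         ppp    ""
    if [ "$1" = fixed ]; then
        mkrc "$demo_dir/natd" natd routed ipfw
    else
        mkrc "$demo_dir/natd" natd routed ""
    fi
    demo_out=$(cd "$demo_dir" && rcorder_lite defaultroute ipfw natd netif ppp routed | tr '\n' ' ')
    rm -rf "$demo_dir"
    printf '%s\n' "${demo_out% }"
}

# rcorder_missing_demo: only ipfw is on the command line, so its ppp requirement
# cannot be resolved; this mirrors what "rcorder /etc/rc.d/ipfw" alone reports.
rcorder_missing_demo() {
    demo_dir=$(mktemp -d) || return 1
    mkrc "$demo_dir/ipfw" ipfw ppp ""
    demo_warn=$(cd "$demo_dir" && rcorder_lite ipfw 2>&1 >/dev/null)
    rm -rf "$demo_dir"
    printf '%s\n' "$demo_warn"
}

echo "stock: $(rcorder_demo stock)"   # natd lands after ipfw
echo "fixed: $(rcorder_demo fixed)"   # natd now precedes ipfw
rcorder_missing_demo
```

After editing a real rc.d header, run `rcorder /etc/rc.d/*` (the whole directory, as in the reply above) rather than a single file, and confirm the divert module is actually present before ipfw loads its rules with `kldstat | grep ipdivert`; the loader.conf line in Ian's reply is what guarantees that ordering regardless of where natd ends up.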