From: Ian Smith <smithi@nimnet.asn.au>
To: "J. Hellenthal"
Cc: freebsd-net@freebsd.org, hrs@freebsd.org, rondzierwa@comcast.net
Date: Mon, 18 Apr 2011 02:53:43 +1000 (EST)
Subject: Re: natd starting after firewall rules are loaded
Message-ID: <20110418010850.Q35056@sola.nimnet.asn.au>
In-Reply-To: <20110417060117.GA20390@DataIX.net>
References: <349334508.1236453.1302976895873.JavaMail.root@sz0128a.westchester.pa.mail.comcast.net>
 <20110417150456.J35056@sola.nimnet.asn.au>
 <20110417060117.GA20390@DataIX.net>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Sun, 17 Apr 2011, J. Hellenthal wrote:
> On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
> >On Sat, 16 Apr 2011, rondzierwa@comcast.net wrote:
> >
> > > After the firewall rules are loaded, the rc script then loads natd.
> > > Once the system is up, I can ipfw list and the divert command is,
> > > in fact, not there, but by this time natd is running. If I run the
> > > rc.firewall script interactively, it completes successfully and the
> > > divert rule is in the list, and everyone is happy again.
> >
> >There are several outstanding PRs about this and related issues; copying
> >hrs@ who grabbed these PRs a while ago. The quick fix is to add
> >
> >ipdivert_load="YES"
> >
> >to /boot/loader.conf so it's there before ipfw & natd start. You still
> >need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
> >
> > > In 4.9 there used to be a rc.network script that started natd before
> > > it loaded the firewall rules. I do not see it in 8.2 anymore; instead
> > > it looks like rc simply runs the scripts in rc.d alphabetically, so
> > > natd comes after ipfw.
> >
> >Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
> >keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but

Sorry, it has 'KEYWORD: nostart nojail', so /etc/rc.d/natd is not run by
rc on system (or jail) startup, enabled or not.

> >as you've seen, ipfw's attempt to install divert rule(s) fails for want
> >of ipdivert.ko - which /etc/rc.d/natd does load, but too late.

[..]

> Add the following to change the order of the scripts in which they run.
>
> /etc/rc.d/natd:
> # BEFORE: ipfw
>
> /etc/rc.d/ipfw:
> # AFTER: natd
>
> And that will change the order in which the scripts execute. Whether
> this has any implications on other running daemons you will have to
> check, but as far as the rcorder(8) goes that will put ipfw executing
> just after natd.

A solution for many ordering problems, but not this one. It's been an
ongoing tug'o'war for years, but recent consensus starts and stops natd
from /etc/rc.d/ipfw, loading ipfw rules before starting natd and other
'firewall_coscripts', only then enabling the firewall; vice versa on
stopping and so, restarting. For this bug, ipfw just lacks requiring
module ipdivert when natd is enabled (and firewall_nat is not enabled,
but that's another issue :)

> rcorder /etc/rc.d/*
> [...]
> /etc/rc.d/routed
> /etc/rc.d/defaultroute
> /etc/rc.d/natd
> /etc/rc.d/ipfw
> /etc/rc.d/netoptions
> /etc/rc.d/NETWORKING
> [...]

natd won't run on startup; ipfw will still run natd after ipfw rules are
loaded, but still needs ipdivert.ko loaded before loading divert rules :)

> PS: For those with commit bits...
> $ rcorder /etc/rc.d/ipfw
> rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
> /etc/rc.d/ipfw
>
> Don't know why because,
> $ grep -n ppp /etc/rc.d/* | grep PROVIDE
> /etc/rc.d/ppp:6:# PROVIDE: ppp

!rcorder /etc/rc.d/ipfw /etc/rc.d/ppp
rcorder: requirement `netif' in file `/etc/rc.d/ppp' has no providers.
/etc/rc.d/ppp
/etc/rc.d/ipfw

and so on .. rcorder only considers files provided as arguments.

Ron: 4.6 to 8.2 is quite a jump, maybe time to rescan the ol' Handbook?

% find /sys/ -name NOTES
/sys/conf/NOTES
/sys/amd64/conf/NOTES
/sys/i386/conf/NOTES
[..]

cheers, Ian
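Added example, not part of the thread and not FreeBSD's rc code: a small POSIX sh helper that reads the `# PROVIDE:`, `# REQUIRE:` and `# KEYWORD:` headers of a set of rc.d-style scripts and reports two of the things discussed above: requirements that none of the given files provide (the condition rcorder(8) prints as "has no providers", which appears whenever only a subset of /etc/rc.d is passed) and scripts carrying the `nostart` keyword, which rc skips at boot regardless of `*_enable`. The function names (`rc_header`, `missing_providers`, `nostart_scripts`, `make_sample_rcd`) are hypothetical, and the sample scripts it writes to a temporary directory are constructed, simplified stand-ins for /etc/rc.d/ipfw, ppp, netif and natd that only carry the header facts quoted in the thread (ipfw requires ppp, ppp requires netif, natd is `nostart nojail`); they are not copies of the real scripts.

```sh
#!/bin/sh
# Hypothetical rc.d header checker (added example, not FreeBSD's rcorder).
set -eu

# Print the values of one header line ("# PROVIDE: ppp" -> "ppp") from one script.
rc_header() {  # rc_header <file> <HEADER>
    sed -n "s/^#[[:space:]]*$2:[[:space:]]*//p" "$1"
}

# For each REQUIRE token that no file in the argument list PROVIDEs, print
# "<file> <requirement>". Like rcorder(8), only the files given are considered,
# so passing a subset of /etc/rc.d produces "missing" providers that exist elsewhere.
missing_providers() {  # missing_providers <file>...
    provided=""
    for f in "$@"; do
        for p in $(rc_header "$f" PROVIDE); do
            provided="$provided $p"
        done
    done
    for f in "$@"; do
        for req in $(rc_header "$f" REQUIRE); do
            case " $provided " in
                *" $req "*) ;;
                *) printf '%s %s\n' "$f" "$req" ;;
            esac
        done
    done
}

# Print the scripts whose KEYWORD line contains "nostart": rc(8) will not run
# these at boot even if they are enabled in rc.conf; something else must invoke them.
nostart_scripts() {  # nostart_scripts <file>...
    for f in "$@"; do
        case " $(rc_header "$f" KEYWORD) " in
            *" nostart "*) printf '%s\n' "$f" ;;
        esac
    done
}

# Constructed sample scripts (not the real /etc/rc.d files); prints the directory path.
make_sample_rcd() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n# PROVIDE: ipfw\n# REQUIRE: ppp\n# KEYWORD: nojail\n' > "$d/ipfw"
    printf '#!/bin/sh\n# PROVIDE: ppp\n# REQUIRE: netif\n' > "$d/ppp"
    printf '#!/bin/sh\n# PROVIDE: netif\n' > "$d/netif"
    printf '#!/bin/sh\n# PROVIDE: natd\n# KEYWORD: nostart nojail\n' > "$d/natd"
    printf '%s\n' "$d"
}

# Stand-alone demonstration.
d=$(make_sample_rcd)
echo "scripts rc will not start at boot:"
nostart_scripts "$d"/*
echo "unmet requirements when only ipfw is given (cf. rcorder /etc/rc.d/ipfw):"
missing_providers "$d/ipfw"
echo "unmet requirements across the whole set (none expected):"
missing_providers "$d"/*
rm -rf "$d"
```

Run it on a real system with `missing_providers /etc/rc.d/*` to confirm every requirement has a provider in the full set, and `nostart_scripts /etc/rc.d/*` to see which scripts, natd included, depend on another script to start them; neither changes anything on the host.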