From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 7 14:30:28 2011
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9FB71106564A;
	Mon, 7 Mar 2011 14:30:28 +0000 (UTC)
	(envelope-from smithi@nimnet.asn.au)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
	by mx1.freebsd.org (Postfix) with ESMTP id E0D978FC12;
	Mon, 7 Mar 2011 14:30:27 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id p27E06DL071408;
	Tue, 8 Mar 2011 01:00:06 +1100 (EST)
	(envelope-from smithi@nimnet.asn.au)
Date: Tue, 8 Mar 2011 01:00:05 +1100 (EST)
From: Ian Smith
To: Thomas Sandford
In-Reply-To: <4D74C296.70204@paradisegreen.co.uk>
Message-ID: <20110308001102.W68517@sola.nimnet.asn.au>
References: <4D74C296.70204@paradisegreen.co.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-ipfw@freebsd.org, freebsd-stable@freebsd.org, Dave Johnson
Subject: Re: Kernel Update / IPFW not working
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 07 Mar 2011 14:30:28 -0000

On Mon, 7 Mar 2011, Thomas Sandford wrote:

> On 06/03/2011 14:23, Dave Johnson wrote:
> > An IPFW problem when going from release to stable on 8.2
> >
> > Any help gladly accepted
> >
> > LOG ON
> >
> > Flushed all rules.
> > 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> > 00030 divert 8668 ip from any to any via bge0
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > 50000 allow ip from any to any
> > Firewall rules loaded.
> > Starting natd.
> >
> > rc.conf
> > defaultrouter="192.168.0.1"
> > gateway_enable="YES"
> > hostname="xxx.xxx.xxx"
> > ifconfig_bge0="inet 192.168.0.11 netmask 255.255.255.0"
> > ifconfig_em0="inet 192.168.1.2 netmask 255.255.255.0"
> > keymap="us.iso"
> > moused_enable="YES"
> > sshd_enable="YES"
> > firewall_enable="YES"
> > firewall_script="/etc/rc.firewall"
> > natd_program="/sbin/natd"
> > natd_enable="YES"
> > natd_interface="bge0"
> > natd_flags="-f /etc/natd.conf"
> > dhcpd_enable="NO"
> > dhcpd_flags="-q"
> > dhcpd_conf="/usr/local/etc/dhcpd.conf"
> > dhcpd_ifaces="em0"
> > dhcpd_withumask="022"
> >
> > ... [additional config which doesn't further isolate the problem snipped]
> > ...

Beg to differ.  'ipfw fwd' still requires building a custom kernel with
options IPFIREWALL_FORWARD last I heard.  Julian's explained a few times
that it's not compiled in by default for performance reasons, and can't
be isolated to modules as it adds code in multiple parts of the stack.

> It's a bug with the ipfw / natd startup scripts.
>
> See:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/148137
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/148928
> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/153155
>
> The latter has a patch to fix the problem.

It's a similar but not quite the same issue, albeit the same message.
Quoting your conf/153155:

: /etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.
:
: This causes the divert rules that /etc/rc.firewall adds in this case to
: fail on system boot, with the following error message displayed during
: ipfw rule load:
: ipfw: getsockopt(IP_FW_ADD): Invalid argument
:
: Restarting ipfw works around the problem as /etc/rc.d/natd (which is run
: _after_ ipfw is initialised) DOES load ipdivert.
And requoting Dave's:

: > KERNEL
: >
: > options IPFIREWALL
: > options IPFIREWALL_VERBOSE
: > options IPFIREWALL_VERBOSE_LIMIT=5
: > options IPFIREWALL_DEFAULT_TO_ACCEPT
: > options IPDIVERT
: > options DUMMYNET

In this case ipfw was built into kernel, including IPDIVERT, so it's not
a failure to load that module but lack of IPFIREWALL_FORWARD, I believe.

Hopefully hrs@ is still looking into patches including yours and mine re
/etc/rc.d script module loading order and natd vs kernel nat issues ..

cheers, Ian
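Added example, not from Ian's, Thomas's or Dave's mail and not part of any FreeBSD rc script: a small POSIX sh pre-flight check that maps each ipfw rule action to the kernel component it depends on and reports the rules that would fail with "getsockopt(IP_FW_ADD): Invalid argument" before ipfw(8) is asked to add them. The thread's point is that one error message covers two different causes, and the check keeps them apart: a divert rule needs ipdivert (the IPDIVERT option or ipdivert.ko, which /etc/rc.d/natd loads only after /etc/rc.d/ipfw has run), while an fwd rule needs the compiled-in IPFIREWALL_FORWARD option, for which no module exists. The component names ipdivert, dummynet and ipfw_nat are the FreeBSD 8.x module names; "ipfw_forward" is a made-up placeholder for IPFIREWALL_FORWARD; the rule set and the component lists are constructed to mirror the two diagnoses in the thread (Dave's kernel config without IPFIREWALL_FORWARD, and the boot-order case where ipdivert is not loaded yet).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pre-flight check that
# maps ipfw rule actions to the kernel component each one needs.
#
# Assumptions: FreeBSD 8.x component names "ipdivert" (divert/tee),
# "dummynet" (pipe/queue) and "ipfw_nat" (nat); "ipfw_forward" is a
# placeholder invented here for the compiled-in IPFIREWALL_FORWARD option,
# which has no loadable module and so never shows up as one.

# needed_component ACTION -> prints the component the action needs, if any.
needed_component() {
    case "$1" in
        divert|tee)  echo ipdivert ;;
        pipe|queue)  echo dummynet ;;
        nat)         echo ipfw_nat ;;
        fwd|forward) echo ipfw_forward ;;
        *)           ;;
    esac
}

# check_rules "<space-separated available components>" < ruleset
# Reads rc.firewall-style "add [num] action ..." lines on stdin and prints
# one "num action: needs X" line per rule whose component is absent.
check_rules() {
    avail=" $1 "
    while read -r kw num action rest; do
        [ "$kw" = "add" ] || continue
        # "add action ..." without a rule number: shift the fields along.
        case "$num" in
            *[!0-9]*) rest="$action $rest"; action=$num; num="-" ;;
        esac
        need=$(needed_component "$action")
        [ -n "$need" ] || continue
        case "$avail" in
            *" $need "*) ;;
            *) printf '%s %s: needs %s\n' "$num" "$action" "$need" ;;
        esac
    done
}

# Constructed sample: what Dave's kernel config provides (IPFIREWALL,
# IPDIVERT, DUMMYNET; no IPFIREWALL_FORWARD, no ipfw_nat).
DAVE_KERNEL="ipfw ipdivert dummynet"

# Constructed rule set in the style of rc.firewall; the fwd and nat rules
# are added here to exercise the check and were not in Dave's output.
SAMPLE_RULES='add 00010 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add 00030 divert 8668 ip from any to any via bge0
add 00040 fwd 192.168.1.1 tcp from 192.168.1.0/24 to any 80
add 00050 nat 1 ip from any to any via bge0
add 50000 allow ip from any to any'

# Ian's diagnosis: ipdivert is present, so only fwd (and nat) would fail.
run_sample() {
    printf '%s\n' "$SAMPLE_RULES" | check_rules "$DAVE_KERNEL"
}

# Thomas's diagnosis: rc.d/ipfw ran before rc.d/natd loaded ipdivert, so
# the divert rule fails as well.
run_boot_order_sample() {
    printf '%s\n' "$SAMPLE_RULES" | check_rules "ipfw dummynet"
}

run_sample
```

On a live box the availability string can be built from the module names that kldstat -v prints (components compiled into the kernel appear under the kernel's own "Contains modules:" list, loaded .ko files as their own entries). IPFIREWALL_FORWARD is the odd one out: it has to be read from the kernel configuration rather than from the module list, which is why it is represented by a placeholder name here.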