Date:      Thu, 01 Jul 2004 14:08:27 +0200
From:      Ian FREISLICH <if@hetzner.co.za>
To:        freebsd@stateautomation.com
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipdivert rule will not load 
Message-ID:  <E1Bg0Md-0007WQ-00@hetzner.co.za>
In-Reply-To: Message from freebsd@stateautomation.com  <BF7916625596914581732F223B113D33108E84@MELEXC01> 

> 
> > freebsd@stateautomation.com wrote:
> > 
> > > ipfw will not accept a DIVERT rule. e.g. the rule I am trying to add is..
> > 
> > > ipfw add 3000 divert 8668 ip from any to any via sis0 
> > > The response I get is... ipfw: getsockopt(IP_FW_ADD): Invalid argument 
> > > I have built a custom kernel with the following optional lines 
> > > options IPFIREWALL 
> > > options IPFIREWALL_VERBOSE 
> > > options IPFIREWALL_VERBOSE_LIMIT 
> > > options IPDIVERT 
> > > Does anyone know why the system will not accept the divert rule?
> > Thank you.
> > 
> 	J.S.
> 
> > The options seem to be correct, however the error message indicates
> > the lack of 'divert' in the kernel. Are you sure you properly
> > built and *installed* your custom kernel? Check the output of
> > 'dmesg | grep divert', you should see '... divert enabled...',
> > otherwise something went wrong with your kernel build.
> > 
> > Thomas
> > 
> > 
> 	Thomas, you are right - thank you. The output of "dmesg | grep
> 	divert" shows that divert is disabled.
> 	kldstat also shows that the loadable module ipfw.ko is loaded which
> 	suggests that that may be stopping ipfw being loaded in the main
> 	kernel (and therefore divert sockets not being available -
> 	I read this in a post in the archives).

No, that would be the other way around. If the firewall is built
into the kernel, the module won't load.  If you see the module using
kldstat, then you're not running the kernel that you think you are.
Are you *sure* that you correctly built, and *installed* your custom
kernel?  'Install' includes a reboot because that's currently the
only way I know of to load the new kernel.

I'm not sure if you're running FreeBSD-4.x or FreeBSD-5.x.  So,
make sure that /kernel (for FreeBSD-4.x) or /boot/kernel (for
FreeBSD-5.x) has roughly the same modification time as when you
built and installed the kernel.

Ian

--
Ian Freislich
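
The checks discussed in this thread, combined into one script. This is an added example, not part of the original message or of FreeBSD itself. The function name diagnose_divert, its verdict strings and the sample dmesg/kldstat text are constructed for illustration.

```shell
#!/bin/sh
# Added example: diagnose_divert and its verdict strings are hypothetical
# names, not FreeBSD tooling. Arguments: dmesg text, kldstat text.
diagnose_divert() {
    dmesg_text=$1
    kldstat_text=$2
    # ipfw.ko listed by kldstat means ipfw came from the loadable module, so
    # the running kernel was not built with "options IPFIREWALL".
    if printf '%s\n' "$kldstat_text" | grep -q 'ipfw\.ko'; then
        echo "module-loaded: running kernel is not the custom IPFIREWALL build"
        return 1
    fi
    if printf '%s\n' "$dmesg_text" | grep -q 'divert enabled'; then
        echo "ok: ipfw built in, divert enabled"
        return 0
    fi
    if printf '%s\n' "$dmesg_text" | grep -q 'divert disabled'; then
        echo "no-divert: ipfw built in without options IPDIVERT"
        return 2
    fi
    echo "no-ipfw: no ipfw initialisation line in dmesg"
    return 3
}

# Constructed sample: old kernel still running, ipfw loaded as a module.
sample_dmesg_module='IP packet filtering initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled'
sample_kldstat_module='Id Refs Address    Size     Name
 1    2 0xc0100000 2d5f4c   kernel
 2    1 0xc0c1e000 10000    ipfw.ko'
# Constructed sample: custom kernel installed and booted.
sample_dmesg_builtin='IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 100 packets/entry by default'
sample_kldstat_builtin='Id Refs Address    Size     Name
 1    1 0xc0100000 3a1b2c   kernel'

diagnose_divert "$sample_dmesg_module" "$sample_kldstat_module" || true
diagnose_divert "$sample_dmesg_builtin" "$sample_kldstat_builtin" || true

# On a live FreeBSD host, check the real output and list the kernel file's
# modification time (/kernel on 4.x, /boot/kernel on 5.x).
if [ "$(uname -s)" = "FreeBSD" ]; then
    diagnose_divert "$(dmesg)" "$(kldstat)" || true
    ls -ld /kernel /boot/kernel 2>/dev/null || true
fi
```
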
