From owner-freebsd-net Fri Mar 3 06:12:08 2000
Delivered-To: freebsd-net@freebsd.org
Received: from crufty.research.bell-labs.com (crufty.research.bell-labs.com [204.178.16.49]) by hub.freebsd.org (Postfix) with SMTP id D756A37B5B2; Fri, 3 Mar 2000 06:12:03 -0800 (PST) (envelope-from raz@lucent.com)
Received: from chair.dnrc.bell-labs.com ([135.180.161.201]) by crufty; Fri Mar 3 09:11:22 EST 2000
Received: from lucent.com (razpc [135.180.160.74]) by chair.dnrc.bell-labs.com (8.9.3/8.9.3) with ESMTP id JAA06540; Fri, 3 Mar 2000 09:11:20 -0500 (EST)
Message-ID: <38BFC80D.73CFB75B@lucent.com>
Date: Fri, 03 Mar 2000 09:11:25 -0500
From: dan raz
X-Mailer: Mozilla 4.61 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-net@freebsd.org
Cc: freebsd-ipfw@freebsd.org, shavitt@lucent.com
Subject: A problem with verifying ipfw loaded in rc_network
References: <38BFC3FD.3B01BA34@lucent.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We have a booting problem that is coming from the rc.network code. In our boot process, the ipfw is loaded with the appropriate flags (i.e. divert enabled), but then rc.network fails to recognize it and reloads ipfw into the kernel with a no-divert flag. The result is that the divert sockets do not work.

Here are the relevant lines from the /var/log/messages file:

.........
Feb 29 11:06:38 heshvan /kernel: npx0: INT 16 interface
Feb 29 11:06:38 heshvan /kernel: Intel Pentium detected, installing workaround for F00F bug
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, unlimited logging
Feb 29 11:06:38 heshvan /kernel: IP Filter: initialized.  Default = pass all, Logging = disabled
Feb 29 11:06:38 heshvan /kernel: changing root device to wd0s2a
Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, logging disabled
Feb 29 11:06:48 heshvan mrouted[124]: mrouted version 3.9-beta3+IOS12
.................

Note that divert is enabled first, and then, after mounting /, IP packet filtering is reinitialized, but now divert is disabled. It took us a while to track the problem down to rc.network; related questions were posted in freebsd-questions and freebsd-ipfw.

This is the relevant code from rc.network:

> # Initialize IP filtering using ipfw
> echo ""
> /sbin/ipfw -q flush > /dev/null 2>&1
> if [ $? = 0 ] ; then
>         firewall_in_kernel=1
> else
>         firewall_in_kernel=0
> fi
>
> if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then
>         if kldload ipfw; then
>                 firewall_in_kernel=1     # module loaded successfully
>                 echo "Kernel firewall module loaded."
>         else
>                 echo "Warning: firewall kernel module failed to load."
>         fi
> fi
>

It should verify that ipfw is in the kernel, and if not, load it. In our case the test (/sbin/ipfw -q flush > /dev/null 2>&1; if [ $? = 0 ]) does not work. We could not figure out why the simple test does not work, but we deleted these lines from rc.network and all seems to be working fine.

Any ideas or suggestions?

Danny

--
Danny Raz                               Tel: 732-949-6712
Room 4G-637                             Fax: 732-949-0399
Bell-Labs                               email: raz@dnrc.bell-labs.com
101 Crawfords Corner Road
Holmdel, NJ 07733 - 3030                WWW: http://www.cs.bell-labs.com/~raz
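The rc.network logic quoted in the mail makes one observation, the exit status of `/sbin/ipfw -q flush`, the sole evidence of whether a firewall is already in the kernel, so a spurious non-zero status reloads the module over a statically compiled firewall and the kernel re-initializes with divert disabled, exactly as the log shows. (As a side note for anyone reusing the pattern: a flush is a mutating operation, so it also wipes any rules that were already installed when it is used as a presence probe.) The script below is an added example, not code from the mail or from FreeBSD's rc.network. It models the quoted decision as shell functions, stubs out the two privileged commands so it runs on any host, and contrasts the original logic with a variant that corroborates a failed probe against a second signal before loading anything. The corroboration check, `kldstat -q -m ipfw`, and the assumption that it reports both loaded and statically compiled-in ipfw are mine, not something the mail states.

```shell
#!/bin/sh
# Added example: models the rc.network decision quoted in the mail with the
# privileged commands replaced by stubs. Not the mail's or FreeBSD's code.

# Stub knobs: the exit status `ipfw -q flush` would have returned, and the
# exit status an assumed `kldstat -q -m ipfw` corroboration check would have
# returned (assumed to succeed for loaded and compiled-in ipfw alike).
IPFW_PROBE_RC=0
KLDSTAT_RC=0

probe_ipfw() {          # stand-in for: /sbin/ipfw -q flush > /dev/null 2>&1
    return "$IPFW_PROBE_RC"
}
ipfw_registered() {     # stand-in for the assumed check: kldstat -q -m ipfw
    return "$KLDSTAT_RC"
}
load_ipfw_module() {    # stand-in for: kldload ipfw (always "succeeds" here)
    return 0
}

# Faithful model of the quoted rc.network logic: the probe's exit status is
# the only evidence, so a false negative loads the module over a statically
# compiled firewall. Prints one of: static | loaded | none.
decide_original() {
    firewall_enable=$1
    if probe_ipfw; then firewall_in_kernel=1; else firewall_in_kernel=0; fi
    if [ "$firewall_in_kernel" = 0 ] && [ "x$firewall_enable" = "xYES" ]; then
        if load_ipfw_module; then
            echo loaded
        else
            echo none
        fi
        return 0
    fi
    if [ "$firewall_in_kernel" = 1 ]; then echo static; else echo none; fi
    return 0
}

# Corroborated variant: a failed probe alone never triggers a load; the
# module is loaded only when the probe fails AND no ipfw module is already
# registered in the kernel. The mail's situation (firewall compiled in,
# probe failing) therefore yields "static" instead of "loaded".
decide_corroborated() {
    firewall_enable=$1
    if probe_ipfw || ipfw_registered; then
        echo static
        return 0
    fi
    if [ "x$firewall_enable" = "xYES" ] && load_ipfw_module; then
        echo loaded
    else
        echo none
    fi
    return 0
}

# Constructed scenario matching the mail: ipfw compiled in (kldstat sees it),
# the flush probe returns non-zero, firewall_enable=YES.
IPFW_PROBE_RC=1; KLDSTAT_RC=0
echo "original:     $(decide_original YES)"       # loaded  (reload clobbers the divert-enabled firewall)
echo "corroborated: $(decide_corroborated YES)"   # static  (no reload)
```

Run with `sh script.sh`; flip `IPFW_PROBE_RC` and `KLDSTAT_RC` to walk through the other combinations. The design point is that a presence test should not rely on a single command whose failure has several causes (binary missing, sysctl mismatch, rule-set state) and whose side effect on success is destructive; requiring two independent signals to disagree before taking the irreversible step keeps a flaky probe from silently changing the kernel's firewall configuration.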