On Sun, 17 Apr 2011, J. Hellenthal wrote:
 > On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
 > >On Sat, 16 Apr 2011, rondzie...@comcast.net wrote:
 > >
 > > > After the firewall rules are loaded, the rc script then loads natd,
 > > > Once the system is up, I can ipfw list and the divert command is,
 > > > in fact, not there, but by this time natd is running. If I run the
 > > > rc.firewall
 > > > script interactively, it completes successfully and the divert rule
 > > > is in the list, and everyone is happy again.
 > >
 > >There are several outstanding PRs about this and related issues; copying
 > >hrs@ who grabbed these PRs a while ago. The quick fix is to add
 > >
 > >ipdivert_load="YES"
 > >
 > >to /boot/loader.conf so it's there before ipfw & natd start. You still
 > >need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
 > >
 > > > In 4.9 there used to be a rc.network script that started natd before
 > > > it loaded the firewall rules. I do not see it in 8.2 anymore, instead
 > > > it looks like rc simply runs the scripts in rc.d alphabetically, so natd
 > > > comes after ipfw.
 > >
 > >Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
 > >keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but

Sorry, it has 'KEYWORD: nostart nojail', so /etc/rc.d/natd is not run by rc
on system (or jail) startup, enabled or not.

 > >as you've seen, ipfw's attempt to install divert rule(s) fails for want
 > >of ipdivert.ko - which /etc/rc.d/natd does load, but too late.

[..]

 > Add the following to change the order of the scripts in which they run.
 >
 > /etc/rc.d/natd:
 > # BEFORE: ipfw
 >
 > /etc/rc.d/ipfw:
 > # AFTER: natd
 >
 > And that will change the order in which the scripts execute. Whether
 > this has any implications on other running daemons you will have to
 > check but as far as the rcorder(8) goes that will put ipfw executing
 > just after natd.

A solution for many ordering problems, but not this one. It's been an
ongoing tug'o'war for years, but recent consensus starts and stops natd
from /etc/rc.d/ipfw, loading ipfw rules before starting natd and other
'firewall_coscripts', only then enabling the firewall; vice versa on
stopping and so, restarting. For this bug, ipfw just lacks requiring
module ipdivert when natd is enabled (and firewall_nat is not enabled,
but that's another issue :)

 > rcorder /etc/rc.d/*
 > [...]
 > /etc/rc.d/routed
 > /etc/rc.d/defaultroute
 > /etc/rc.d/natd
 > /etc/rc.d/ipfw
 > /etc/rc.d/netoptions
 > /etc/rc.d/NETWORKING
 > [...]

natd won't run on startup; ipfw will still run natd after ipfw rules are
loaded but still needs ipdivert.ko loaded before loading divert rules :)

 > PS: For those with commit bits...
 > $ rcorder /etc/rc.d/ipfw
 > rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
 > /etc/rc.d/ipfw
 >
 > Don't know why because,
 > $ grep -n ppp /etc/rc.d/* | grep PROVIDE
 > /etc/rc.d/ppp:6:# PROVIDE: ppp

!rcorder /etc/rc.d/ipfw /etc/rc.d/ppp
rcorder: requirement `netif' in file `/etc/rc.d/ppp' has no providers.
/etc/rc.d/ppp
/etc/rc.d/ipfw

and so on .. rcorder only considers files provided as arguments.

Ron: 4.6 to 8.2 is quite a jump, maybe time to rescan the ol' Handbook?

% find /sys/ -name NOTES
/sys/conf/NOTES
/sys/amd64/conf/NOTES
/sys/i386/conf/NOTES
[..]

cheers, Ian

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
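Since the thread turns on how rcorder(8) resolves PROVIDE/REQUIRE/BEFORE headers, how KEYWORD: nostart keeps natd out of the startup run, and why `rcorder /etc/rc.d/ipfw` on its own complains about ppp, here is a small Python model of that ordering, added as an illustration and not code from the thread or from FreeBSD's rc. It orders only the files it is handed, so a REQUIRE with no provider among them is reported the way rcorder does; the script headers below are constructed samples, and dropping skipped files entirely is a simplification.

```python
import re
from collections import defaultdict

# Constructed rc.d-style headers for the scripts named in the thread (sample data, not the real files).
SCRIPTS = {
    "/etc/rc.d/FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n",
    "/etc/rc.d/netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n# KEYWORD: nojail\n",
    "/etc/rc.d/ppp": "# PROVIDE: ppp\n# REQUIRE: netif\n",
    "/etc/rc.d/natd": "# PROVIDE: natd\n# REQUIRE: netif\n# KEYWORD: nostart nojail\n",
    "/etc/rc.d/ipfw": "# PROVIDE: ipfw\n# REQUIRE: ppp\n# KEYWORD: nojail\n",
}
HEADER = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$", re.M)

def parse_headers(text):
    """Collect the rcorder(8) header words of one script, keyed by header name."""
    meta = defaultdict(list)
    for key, words in HEADER.findall(text):
        meta[key].extend(words.split())
    return meta

def rcorder(files, skip_keywords=()):
    """Mini rcorder over a dict path -> script text. Files carrying a skipped KEYWORD
    are dropped (rc passes -s nostart). Returns (ordered_paths, warnings)."""
    meta = {p: parse_headers(t) for p, t in files.items()}
    active = {p for p, m in meta.items() if not set(skip_keywords) & set(m["KEYWORD"])}
    providers = defaultdict(list)
    for p in active:
        for name in meta[p]["PROVIDE"]:
            providers[name].append(p)
    deps = {p: set() for p in active}          # deps[p]: files that must run before p
    warnings = []
    for p in active:
        for req in meta[p]["REQUIRE"]:
            if req in providers:
                deps[p].update(providers[req])
            else:                              # only the given files count, as in rcorder(8)
                warnings.append(f"requirement `{req}' in file `{p}' has no providers.")
        for name in meta[p]["BEFORE"]:         # "BEFORE: x" means x must run after p
            for q in providers.get(name, []):
                deps[q].add(p)
    ordered = []
    while deps:
        ready = sorted(p for p, d in deps.items() if not d)   # sorted only to break ties
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(deps)))
        ordered += ready
        deps = {p: d - set(ready) for p, d in deps.items() if p not in ready}
    return ordered, warnings
```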