Ian Smith <[email protected]> wrote
  in <[email protected]>:

sm> On Sat, 8 Jan 2011 15:02:29 +1100, Ian Smith wrote:
sm>  > On Fri, 7 Jan 2011, Brandon Gooch wrote:
sm>  >  > On Thu, Dec 23, 2010 at 8:58 AM, Ian Smith <[email protected]> wrote:
sm> [..]
sm>  >  > > We could:
sm>  >  > >
sm>  >  > > 1) Preference kernel nat over natd when both are enabled.
sm>  >  >
sm>  >  > I vote for #1.
sm>  >
sm>  > Thanks.  So far, that makes an overwhelming majority of 2 / NIL :)
sm>  >
sm>  > I see that [email protected] has just grabbed two related PRs:
sm>  >
sm>  > kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup
sm>  > conf/153155: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
sm>  >
sm>  > so this seems a good time to work up patches to that effect for review
sm>  > (/etc/rc.d/ipfw, maybe natd, /etc/rc.firewall) later tonight my time.
sm>
sm> Ok, the attached patches are against HEAD, which is currently identical
sm> to 8-STABLE for these files.  rc.d_ipfw.patch also applies to 7-STABLE
sm> with an offset but rc.firewall.patch needs more work for 7.  I've no box
sm> on which to actually run-test tonight, and will be away for a few days.
sm>
sm> /etc/rc.d/ipfw:
sm>  . prefer kernel nat (loading ipfw_nat) to natd when both are enabled
sm>  . add ipdivert to required_modules - when only natd is enabled - as
sm>    proposed by Thomas Sandford in conf/153155 and also re kern/148928
sm>    also fixing the related issue in conf/148137 (and possibly others)
sm>  . prefix /etc/rc.d/natd to firewall_coscripts when only natd is enabled
sm>
sm> /etc/rc.d/natd:
sm>  . seems nothing is needed; has KEYWORD nostart and so should only be
sm>    started now by ipfw when natd - but not firewall_nat - is enabled
sm>
sm> /etc/rc.firewall:
sm>  . move firewall_nat and natd code into a function, setup_nat()
sm>    preferring kernel firewall_nat to natd if both are enabled
sm>  . couldn't resist tidying up that code to within 80 columns
sm>  . call setup_nat also in 'simple' ruleset, with same intent as
sm>    proposed in conf/148144 by David Naylor
sm>  . couldn't resist fixing unnecessarily long line in 'workstation'

 The patches look good to me, but one thing I am wondering about is
 the rc.d/natd invocation in rc.d/ipfw.  When natd_enable="YES", rc.d/natd
 eventually invokes the daemon after the rc.d/ipfw script, even if
 firewall_nat_enable="YES".  What do you think about adding natd to the
 REQUIRE: line of rc.d/ipfw?  Although I did not test it extensively,
 rc.d/natd can run safely before rc.d/ipfw, and using REQUIRE is
 reasonable instead of using $firewall_coscripts from the viewpoint of
 the rc.d framework.

-- Hiroki
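The selection logic that the quoted summary describes for /etc/rc.d/ipfw (kernel NAT wins when both firewall_nat_enable and natd_enable are set; ipdivert and rc.d/natd are only pulled in when natd alone is enabled) is written out below as an added, stand-alone illustration. It is not Ian Smith's patch and not the FreeBSD rc.d script itself: the function name ipfw_nat_plan, the simplified is_yes stand-in for rc.subr's checkyesno, and the assumption that required_modules starts out as just "ipfw" are all choices made for this example.

```shell
#!/bin/sh
# Added illustration of the NAT selection described in the thread; not the
# actual /etc/rc.d/ipfw code. The helper names and the initial module list
# ("ipfw") are assumptions of this example.

# Simplified stand-in for rc.subr's checkyesno: 0 for YES/TRUE/ON/1, else 1.
is_yes() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# ipfw_nat_plan <firewall_nat_enable> <natd_enable> <existing firewall_coscripts>
# Prints three lines: modules=..., coscripts=..., nat=kernel|natd|none
ipfw_nat_plan() {
    _nat_enable=$1
    _natd_enable=$2
    _coscripts=$3
    _modules="ipfw"          # assumed baseline required_modules
    _mode="none"

    if is_yes "$_nat_enable"; then
        # Kernel NAT is preferred whenever it is enabled, even if natd is
        # also enabled, so only ipfw_nat is added and natd is left alone.
        _modules="$_modules ipfw_nat"
        _mode="kernel"
    elif is_yes "$_natd_enable"; then
        # natd only: the divert socket module is required, and because
        # rc.d/natd carries KEYWORD nostart it has to be started from
        # ipfw, so it is prefixed to firewall_coscripts.
        _modules="$_modules ipdivert"
        _coscripts="/etc/rc.d/natd${_coscripts:+ $_coscripts}"
        _mode="natd"
    fi

    printf 'modules=%s\ncoscripts=%s\nnat=%s\n' \
        "$_modules" "$_coscripts" "$_mode"
}
```

Running `ipfw_nat_plan YES YES ""` reports kernel NAT with no natd coscript, which is the "prefer kernel nat" behaviour the thread agreed on; `ipfw_nat_plan NO YES ""` is the only combination that adds ipdivert and /etc/rc.d/natd. Hiroki's alternative, listing natd on the REQUIRE: line of rc.d/ipfw instead of in $firewall_coscripts, would move that ordering decision into the rc.d dependency graph rather than into the script body shown here.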
