natd starting after firewall rules are loaded
Ian Smith
smithi at nimnet.asn.au
Sun Apr 17 16:54:08 UTC 2011
On Sun, 17 Apr 2011, J. Hellenthal wrote:
> On Sun, Apr 17, 2011 at 03:36:40PM +1000, Ian Smith wrote:
> >On Sat, 16 Apr 2011, rondzierwa at comcast.net wrote:
> >
> > > After the firewall rules are loaded, the rc script then loads natd.
> > > Once the system is up, i can ipfw list and the divert command is,
> > > in fact, not there, but by this time natd is running. If I run the rc.firewall
> > > script interactively, it completes successfully and the divert rule
> > > is in the list, and everyone is happy again.
> >
> >There are several outstanding PRs about this and related issues; copying
> >hrs@ who grabbed these PRs a while ago. The quick fix is to add
> >
> >ipdivert_load="YES"
> >
> >to /boot/loader.conf so it's there before ipfw & natd start. You still
> >need ipfw_enable=YES and natd_enable=YES in /etc/rc.conf
> >
> > > In 4.9 there used to be a rc.network script that started natd before
> > > it loaded the firewall rules. I do not see it in 8.2 anymore, instead
> > > it looks like rc simply runs the scripts in rc.d alphabetically, so natd
> > > comes after ipfw.
> >
> >Not alphabetically but according to rcorder(8). /etc/rc.d/natd has
> >keyword NOSTART and is now only run when /etc/rc.d/ipfw invokes it, but
Sorry, it has 'KEYWORD: nostart nojail', so /etc/rc.d/natd is not run by
rc on system (or jail) startup, enabled or not.
> >as you've seen, ipfw's attempt to install divert rule(s) fails for want
> >of ipdivert.ko - which /etc/rc.d/natd does load, but too late.
[..]
> Add the following to change the order of the scripts in which they run.
>
> /etc/rc.d/natd:
> # BEFORE: ipfw
>
> /etc/rc.d/ipfw:
> # AFTER: natd
>
> And that will change the order in which the scripts execute. Whether
> this has any implications on other running daemons you will have to
> check but as far as the rcorder(8) goes that will put ipfw executing
> just after natd.
A solution for many ordering problems, but not this one.
It's been an ongoing tug'o'war for years, but recent consensus starts
and stops natd from /etc/rc.d/ipfw, loading ipfw rules before starting
natd and other 'firewall_coscripts', only then enabling the firewall;
vice versa on stopping and so, restarting.
For this bug, ipfw just lacks requiring module ipdivert when natd is
enabled (and firewall_nat is not enabled, but that's another issue :)
> rcorder /etc/rc.d/*
> [...]
> /etc/rc.d/routed
> /etc/rc.d/defaultroute
> /etc/rc.d/natd
> /etc/rc.d/ipfw
> /etc/rc.d/netoptions
> /etc/rc.d/NETWORKING
> [...]
natd won't run on startup; ipfw will still run natd after ipfw rules are
loaded but still needs ipdivert.ko loaded before loading divert rules :)
> PS: For those with commit bits...
> $ rcorder /etc/rc.d/ipfw
> rcorder: requirement `ppp' in file `/etc/rc.d/ipfw' has no providers.
> /etc/rc.d/ipfw
>
> Don't know why because,
> $ grep -n ppp /etc/rc.d/* | grep PROVIDE
> /etc/rc.d/ppp:6:# PROVIDE: ppp
!rcorder /etc/rc.d/ipfw /etc/rc.d/ppp
rcorder: requirement `netif' in file `/etc/rc.d/ppp' has no providers.
/etc/rc.d/ppp
/etc/rc.d/ipfw
and so on .. rcorder only considers files provided as arguments.
Ron: 4.6 to 8.2 is quite a jump, maybe time to rescan the ol' Handbook?
% find /sys/ -name NOTES
/sys/conf/NOTES
/sys/amd64/conf/NOTES
/sys/i386/conf/NOTES
[..]
cheers, Ian
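As an added example (not code from this thread or from FreeBSD's rc.d), a small POSIX sh checker for the two rcorder(8) behaviours discussed above: a script tagged "KEYWORD: nostart" is skipped by rc at boot, and rcorder reports "has no providers" for any REQUIRE entry that none of the files given on its command line PROVIDEs. The sample headers it writes are constructed and simplified, not copies of the real scripts.

```sh
#!/bin/sh
# Added example, not from the thread or FreeBSD's rc.d: a minimal rcorder(8)-style
# header checker. It reads the "# PROVIDE:", "# REQUIRE:" and "# KEYWORD:" lines
# of rc.d-style scripts given as arguments and reports
#   1. scripts carrying the "nostart" keyword (rc(8) skips them at boot), and
#   2. REQUIRE entries that no script among the arguments PROVIDEs, which is the
#      "has no providers" diagnostic you get when handing rcorder a single file.

rc_hdr() {  # rc_hdr FILE KEY -> words following "# KEY:" in FILE (may be empty)
    sed -n "s/^# $2:[[:space:]]*//p" "$1"
}

# Print each argument script whose KEYWORD line contains "nostart".
nostart_scripts() {
    for f in "$@"; do
        for kw in $(rc_hdr "$f" KEYWORD); do
            if [ "$kw" = nostart ]; then printf '%s\n' "$f"; break; fi
        done
    done
}

# Print "FILE REQ" for every REQUIRE entry that none of the argument scripts provides.
missing_providers() {
    provided=""
    for f in "$@"; do provided="$provided $(rc_hdr "$f" PROVIDE)"; done
    for f in "$@"; do
        for req in $(rc_hdr "$f" REQUIRE); do
            found=0
            for p in $provided; do
                if [ "$p" = "$req" ]; then found=1; fi
            done
            if [ "$found" -eq 0 ]; then printf '%s %s\n' "$f" "$req"; fi
        done
    done
}

# Constructed sample headers (simplified; not copies of the real rc.d scripts).
make_samples() {  # make_samples DIR
    printf '# PROVIDE: natd\n# REQUIRE: netif\n# KEYWORD: nostart nojail\n' > "$1/natd"
    printf '# PROVIDE: ipfw firewall\n# REQUIRE: ppp\n# KEYWORD: nojail\n' > "$1/ipfw"
    printf '# PROVIDE: ppp\n# REQUIRE: netif\n' > "$1/ppp"
}

d=$(mktemp -d)
make_samples "$d"
echo "nostart scripts:"; nostart_scripts "$d/natd" "$d/ipfw" "$d/ppp"
echo "missing providers, ipfw alone:"; missing_providers "$d/ipfw"
echo "missing providers, ipfw+ppp:"; missing_providers "$d/ipfw" "$d/ppp"
rm -rf "$d"
```

Running it on real files (e.g. missing_providers /etc/rc.d/ipfw) reproduces the single-file "no providers" effect; pass the whole directory, as rcorder /etc/rc.d/* does, to see it go away.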