conf/167566
Hiroki Sato
hrs at FreeBSD.org
Sat Oct 27 21:20:01 UTC 2012
The following reply was made to PR conf/167566; it has been noted by GNATS.
From: Hiroki Sato <hrs at FreeBSD.org>
To: utisoft at gmail.com, bug-followup at FreeBSD.org
Cc: freebsd-rc at FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 06:10:13 +0900 (JST)
Chris Rees <utisoft at gmail.com> wrote
in <201210271810.q9RIA1QZ069213 at freefall.freebsd.org>:
ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft at gmail.com>
ut> To: bug-followup at freebsd.org
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 19:05:23 +0100
ut>
ut> On 27 October 2012 18:36, Hiroki Sato <hrs at freebsd.org> wrote:
ut> > Chris Rees <utisoft at gmail.com> wrote
ut> > in <201210252030.q9PKU1sK001139 at freefall.freebsd.org>:
ut> >
ut> > ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut> > ut>
ut> > ut> From: Chris Rees <utisoft at gmail.com>
ut> > ut> To: bug-followup at freebsd.org
ut> > ut> Cc:
ut> > ut> Subject: Re: conf/167566
ut> > ut> Date: Thu, 25 Oct 2012 21:24:51 +0100
ut> > ut>
ut> > ut> The correct fix would be to add REQUIRE: natd to ipfw.
ut> > ut>
ut> > ut> http://www.bayofrum.net/~crees/patches/167566.diff
ut> > ut>
ut> > ut> Please would someone take a look?
ut> >
ut> > I think ipdivert module should be loaded in the ipfw script when
ut> > natd_enable=YES because ipfw_nat is loaded in that way. Can you (or
ut> > anyone) test the patch at
ut> > http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121027-1.diff ?
ut>
ut> Looking at the situation more closely with your hint, how about making
ut> the required_modules only conditional on firewall_nat_enable? If ipfw
ut> continues to run before nat then the checkyesno natd_enable is
ut> actually harmful because it makes us assume that the module is loaded,
ut> when it actually isn't yet.
Which module do you refer to in "...the module is loaded, ...",
ipfw_nat.ko or ipdivert.ko?
In my understanding the problem occurs only when ipfw attempts to
load firewall rules including a "divert" directive and ipdivert.ko is
not loaded at that time. natd(8) also requires ipdivert.ko, but
rc.d/natd already has required_modules="ipdivert".
firewall_nat_enable is a knob for in-kernel NAT (this requires
ipfw_nat.ko), so a more orthogonal way would be like the following
patch:
http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
It is still unclear to me what is harmful with "checkyesno
natd_enable" here. Can you elaborate on it a little more?
-- Hiroki
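The module-dependency logic the thread is arguing about, as an added example that is not part of either participant's patch (neither diff is reproduced on this page) and not code from rc.d/ipfw itself. It models the three cases discussed: in-kernel NAT (firewall_nat_enable) needs ipfw_nat.ko, natd(8) (natd_enable) needs ipdivert.ko, and any rule set containing a "divert" action needs ipdivert.ko at the moment ipfw installs the rules, regardless of which knob is set. The function names ipfw_needed_modules, rules_use_divert and checkyesno_local are hypothetical; checkyesno_local is a stand-in for rc.subr's checkyesno, and the two rule files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the PR or from rc.d/ipfw: decide which kernel
# modules an ipfw rc script would need to list in required_modules, given
# the rc.conf knobs discussed in the thread and the rule set it is about
# to install.  All function names here are hypothetical.

# Stand-in for rc.subr's checkyesno: returns 0 when the named variable
# holds YES/TRUE/ON/1 (case-insensitive), 1 otherwise.
checkyesno_local() {
    eval "_v=\"\${$1:-}\""
    case "$_v" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Does the rule set ($1) use a "divert" action?  Such a rule needs
# ipdivert.ko at the time it is loaded, whether or not natd_enable is set;
# that is the failure mode described in the thread.
rules_use_divert() {
    # strip comments, then look for "divert" as a standalone keyword
    sed 's/#.*//' "$1" | grep -Eq '(^|[[:space:]])divert([[:space:]]|$)'
}

# Print the module list the ipfw script would want in required_modules.
#   $1 = path to the firewall rules file
# Reads firewall_nat_enable and natd_enable as shell variables.
ipfw_needed_modules() {
    _mods="ipfw"
    # in-kernel NAT (firewall_nat_enable) needs ipfw_nat.ko
    if checkyesno_local firewall_nat_enable; then
        _mods="$_mods ipfw_nat"
    fi
    # natd(8), or any divert rule, needs ipdivert.ko.  rc.d/natd already
    # requires ipdivert for itself, but ipfw installs the rules before natd
    # starts, so the divert rule fails unless ipfw loads the module too.
    if checkyesno_local natd_enable || rules_use_divert "$1"; then
        _mods="$_mods ipdivert"
    fi
    echo "$_mods"
}

# Constructed sample rule sets (not taken from the page).
RULES_DIVERT=$(mktemp)
cat >"$RULES_DIVERT" <<'EOF'
# divert outbound traffic to natd on the outside interface
add 50 divert natd ip4 from any to any via em0
add 100 allow ip from any to any
EOF

RULES_PLAIN=$(mktemp)
cat >"$RULES_PLAIN" <<'EOF'
add 100 allow ip from any to any
EOF
trap 'rm -f "$RULES_DIVERT" "$RULES_PLAIN"' EXIT

# Walk through the knob combinations from the thread and show the result.
demo() {
    for _combo in "NO NO" "YES NO" "NO YES" "YES YES"; do
        set -- $_combo
        natd_enable=$1 firewall_nat_enable=$2
        printf 'natd_enable=%s firewall_nat_enable=%s plain:[%s] divert:[%s]\n' \
            "$1" "$2" \
            "$(ipfw_needed_modules "$RULES_PLAIN")" \
            "$(ipfw_needed_modules "$RULES_DIVERT")"
    done
}
demo
```

The point the example makes concrete is the one raised in the thread: keying ipdivert only on firewall_nat_enable would miss the natd case entirely, while keying it only on natd_enable would still miss a hand-written divert rule, so the rule set itself is the most reliable signal.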