conf/167566
Chris Rees
utisoft at gmail.com
Sat Oct 27 21:30:01 UTC 2012
The following reply was made to PR conf/167566; it has been noted by GNATS.
From: Chris Rees <utisoft at gmail.com>
To: bug-followup at freebsd.org
Cc:
Subject: Re: conf/167566
Date: Sat, 27 Oct 2012 22:29:03 +0100
> Which module do you refer to in "...the module is loaded, ...",
> ipfw_nat.ko or ipdivert.ko?
>
> In my understanding the problem occurs only when ipfw attempts to
> load firewall rules including a "divert" directive and ipdivert.ko is
> not loaded at that time. natd(8) also requires ipdivert.ko, but
> rc.d/natd already has required_modules="ipdivert".
> firewall_nat_enable is a knob for in-kernel NAT (this requires
> ipfw_nat.ko), so a more orthogonal way would be like the following
> patch:
>
> http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
>
> It is still unclear to me what is harmful with "checkyesno
> natd_enable" here. Can you elaborate on it a little more?

Check rcorder:

[crees at pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
/etc/rc.d/ipfw
/etc/rc.d/natd

That means that natd doesn't run until after ipfw. This means that on
boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
*regardless of the state of natd_enable*.

Therefore, checkyesno natd_enable does not guarantee that either
ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.

Chris
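
The ordering argument in the message above, as an added example (not part of the original message and not FreeBSD's own rc.d code): a POSIX sh check that takes rcorder output and an ipfw ruleset and reports whether rules containing "divert" would be loaded before rc.d/natd has had a chance to load ipdivert. The sample ruleset, the em0 interface and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the rcorder output quoted in the message above.
RCORDER_SAMPLE='/etc/rc.d/ipfw
/etc/rc.d/natd'

# Constructed sample ruleset (hypothetical rule numbers and interface).
RULES_SAMPLE='# loopback first
add 100 allow ip from any to any via lo0
add 200 divert natd ip from any to any via em0
add 65000 allow ip from any to any'

# runs_before ORDER A B: succeed only if script A is listed before script B.
runs_before() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        $0 == a && !pa { pa = NR }
        $0 == b && !pb { pb = NR }
        END { exit !(pa && pb && pa < pb) }'
}

# rules_use_divert RULES: succeed if any non-comment rule has a "divert" token.
rules_use_divert() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == "divert") found = 1 }
        END { exit !found }'
}

# ipdivert_gap ORDER RULES: succeed if the ruleset needs ipdivert but
# rc.d/natd (the script with required_modules="ipdivert") does not run
# before rc.d/ipfw, so the module cannot be assumed loaded at rule load time.
# The value of natd_enable plays no part, which is the point of the message.
ipdivert_gap() {
    rules_use_divert "$2" || return 1
    ! runs_before "$1" /etc/rc.d/natd /etc/rc.d/ipfw
}

if ipdivert_gap "$RCORDER_SAMPLE" "$RULES_SAMPLE"; then
    echo "divert rules present, but natd does not run before ipfw:"
    echo "rc.d/ipfw has to load ipdivert itself"
fi
```

On a live system the first argument would be the output of the rcorder command shown in the message.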