conf/167566
Hiroki Sato
hrs at FreeBSD.org
Sat Oct 27 21:50:01 UTC 2012
The following reply was made to PR conf/167566; it has been noted by GNATS.
From: Hiroki Sato <hrs at FreeBSD.org>
To: utisoft at gmail.com, bug-followup at FreeBSD.org
Cc: freebsd-rc at FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 06:47:01 +0900 (JST)
Chris Rees <utisoft at gmail.com> wrote
in <201210272130.q9RLU1C8085928 at freefall.freebsd.org>:
ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees <utisoft at gmail.com>
ut> To: bug-followup at freebsd.org
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 22:29:03 +0100
ut>
ut> > Which module do you refer to in "...the module is loaded, ...",
ut> > ipfw_nat.ko or ipdivert.ko?
ut> >
ut> > In my understanding the problem occurs only when ipfw attempts to
ut> > load firewall rules including a "divert" directive and ipdivert.ko is
ut> > not loaded at that time. natd(8) also requires ipdivert.ko, but
ut> > rc.d/natd already has required_modules="ipdivert".
ut> > firewall_nat_enable is a knob for in-kernel NAT (this requires
ut> > ipfw_nat.ko), so a more orthogonal way would be like the following
ut> > patch:
ut> >
ut> > http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
ut> >
ut> > It is still unclear to me what is harmful with "checkyesno
ut> > natd_enable" here. Can you elaborate on it a little more?
ut>
ut> Check rcorder:
ut>
ut> [crees at pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
ut> /etc/rc.d/ipfw
ut> /etc/rc.d/natd
ut>
ut> That means that natd doesn't run until after ipfw. This means that on
ut> boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
ut> *regardless of the state of natd_enable*.
The rc.d/ipfw script has $required_modules and the modules listed
there are installed before ipfw(8) runs. It has nothing to do with
rc.d/natd and its order even if it uses "checkyesno natd_enable".
Why do you think these modules are not loaded when rc.d/ipfw runs?
ut> Therefore, checkyesno natd_enable does not guarantee that either
ut> ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.
-- Hiroki
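The disagreement above is about which knob should drive loading of ipfw_nat.ko and ipdivert.ko before ipfw(8) runs, given that rc.d/natd is ordered after rc.d/ipfw. The following POSIX sh script is an added illustration of the "orthogonal" idea (load ipfw_nat when firewall_nat_enable is set, load ipdivert when the rules actually use divert, and do not consult natd_enable at all); it is not the patch linked above and not FreeBSD's own rc.d/ipfw or rc.subr code. The is_yes helper, the ipfw_required_modules function and the sample rules files are assumptions constructed for this example.

```shell
#!/bin/sh
# Illustration, not FreeBSD's rc.d/ipfw: work out which kernel modules an
# ipfw rc script would have to put in required_modules so that they are
# loaded before ipfw(8) itself runs, based only on ipfw's own inputs.

# Minimal stand-in for rc.subr's checkyesno: takes a value rather than a
# variable name so it runs outside rc.subr (assumption for this example).
is_yes() {
	case "$1" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
	*) return 1 ;;
	esac
}

# True if the rules file contains a divert action on a non-comment line.
rules_use_divert() {
	grep -v '^[[:space:]]*#' "$1" | grep -q '[[:space:]]divert[[:space:]]'
}

# ipfw_required_modules <firewall_nat_enable value> <rules file>
# Prints the module list on one line, in load order.
ipfw_required_modules() {
	_nat="$1"
	_rules="$2"
	_mods="ipfw"
	# In-kernel NAT needs ipfw_nat.ko; this is independent of natd(8).
	if is_yes "$_nat"; then
		_mods="$_mods ipfw_nat"
	fi
	# A divert rule needs ipdivert.ko at the moment the rules are loaded.
	# natd_enable is deliberately not consulted: rc.d/natd runs after
	# rc.d/ipfw (see the rcorder output above), so it cannot help here.
	if rules_use_divert "$_rules"; then
		_mods="$_mods ipdivert"
	fi
	echo "$_mods"
}

# Constructed sample rules file containing a divert rule.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# constructed example rules
add 100 divert natd ip from any to any via em0
add 200 allow ip from any to any
EOF

# Constructed sample rules file with no divert rule.
SAMPLE_RULES_PLAIN=$(mktemp)
printf 'add 100 allow ip from any to any\n' > "$SAMPLE_RULES_PLAIN"
trap 'rm -f "$SAMPLE_RULES" "$SAMPLE_RULES_PLAIN"' EXIT

# Demonstration: in-kernel NAT on, divert rule present.
ipfw_required_modules yes "$SAMPLE_RULES"
```

Run it as a plain shell script; the last line prints the modules a script like rc.d/ipfw would need for that combination. The point of the structure is that every decision is made from state rc.d/ipfw can see at its own start time, which is what $required_modules is evaluated against.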