NAT issue in 8.1

Alan Hicks alan at p-o.co.uk
Tue Aug 10 15:54:34 UTC 2010 

Having upgraded to Release-8.1, there appears to be an issue with 
network address translation where a newly booted machine fails to setup 
nat with the error 'ipfw: getsockopt(IP_FW_ADD): Invalid argument'

Box has two interfaces em0 and xl0 (Dell PowerEdge 1600SC)

rc.conf
ifconfig_xl0="inet 192.168.202.5 netmask 255.255.255.0"
ifconfig_em0="inet 192.168.0.2 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
firewall_enable="YES"
firewall_type="open"
firewall_logging="yes"
natd_enable="YES"
natd_interface="em0"

Boot excerpt from console, typed as it does not make it to 
/var/log/messages so apologies for any typo's

add net default: gateway 192.168.0.1
Additional routing options: IP gateway=YES
Starting devd.
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based 
forwarding disabled, default to deny, logging disabled
load_dn_sched dn_sched FIFO loaded
load_dn_sched dn_sched QFQ loaded
load_dn_sched dn_sched RR loaded
load_dn_sched dn_sched WF2Q+ loaded
load_dn_sched dn_sched PRIO loaded
flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
ipfw: getsockopt(IP_FW_ADD): Invalid argument
65000 allow ip from any to any
Firewall rules loaded.
Firewall logging enabled.
Starting natd.
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Aug 10 12:02:53 natd[869]: Aliasing to 192.168.0.2, mtu 1500 bytes

Although all appears to be ok, machines on the xl0 192.168.202.0/24 
subnet can't see the internet.  Running /etc/rc.firewall manually fixes 
the issue.

The machine was upgraded from 8.0 using unmodified cvs sources using 
buildkernel, buildworld, installworld, installkernel mergemaster.

Any help appreciated.
Alan

More information about the freebsd-stable mailing list