>Number:         167566
>Category:       conf
>Synopsis:       [rc.d] ipdivert module loading vs. ipfw rc.d order issue
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 03 19:30:12 UTC 2012
>Originator:     Dmitry Marakasov
>Release:        FreeBSD 9.0-RELEASE amd64
System: FreeBSD hades.panopticon 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 10 01:33:18 MSK 2012 root@hades.panopticon:/usr/obj/usr/src/sys/HADES amd64

1) if ipfw divert rules are used, the ipdivert module must be loaded before the rules 
are added, or adding a divert rule with ipfw will fail
2) the ipdivert module is loaded by rc.d/natd
3) there's nothing to make rc.d/natd execute before rc.d/ipfw, and in reality 
the order is incorrect:

% rcorder /etc/rc.d/* | grep -Ee 'ipfw|natd'

Thus, someone using natd will run into an incomplete ruleset and will have to add 
ipdivert_load="YES" to /boot/loader.conf

The attached patch makes rc.d/natd run before rc.d/ipfw, so the module is 
automatically loaded in time.


--- rc.d-natd.patch begins here ---
diff --git etc/rc.d/natd etc/rc.d/natd
index 35f17bb..fcc8920 100755
--- etc/rc.d/natd
+++ etc/rc.d/natd
@@ -5,6 +5,7 @@
 # PROVIDE: natd
 # KEYWORD: nostart nojail
+# BEFORE: ipfw
 . /etc/rc.subr
 . /etc/network.subr
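Review bot: the added `# BEFORE: ipfw` sits two lines below `# KEYWORD: nostart nojail`, and /etc/rc builds its boot ordering with `rcorder -s nostart`, so a script carrying that keyword is excluded from the ordered start pass and the new BEFORE: dependency does not make natd run ahead of ipfw at boot; the nostart keyword marks a script that is meant to be started by something other than rc's ordered pass. The ordering the report observed comes from a bare `rcorder /etc/rc.d/*`, which does not apply the nostart filter. Suggest loading ipdivert from the script that actually installs the rules, i.e. rc.d/ipfw when natd is in use, or documenting the `ipdivert_load="YES"` loader.conf workaround the report already mentions, rather than relying on this line.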
--- rc.d-natd.patch ends here ---
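A runtime check along the lines of the report, added here as an example and not part of the PR or of FreeBSD's own rc.d scripts: rc_precedes turns the rcorder grep from the report into a yes/no test, and ensure_module loads ipdivert with kldload only when kldstat says it is absent, so a divert rule can be added whatever the rc.d order turns out to be. The rule number, the natd port name and the interface em0 in main are assumptions for illustration; the KLDSTAT/KLDLOAD variables exist only so the logic can be exercised on a host without those commands.

```sh
#!/bin/sh
# Added example: verify the natd/ipfw rc.d ordering the PR describes and
# make sure ipdivert is loaded before a divert rule is installed.
# Not part of the PR or of FreeBSD's own rc.d scripts.

# rc_precedes FIRST SECOND: read rcorder(8) output on stdin and exit 0
# only if script FIRST is listed before script SECOND (paths are
# reduced to their basename, so "/etc/rc.d/natd" matches "natd").
rc_precedes() {
    awk -v first="$1" -v second="$2" '
        { n = split($0, p, "/"); name = p[n] }
        name == first  && !seen_first  { seen_first  = NR }
        name == second && !seen_second { seen_second = NR }
        END { exit !(seen_first && seen_second && seen_first < seen_second) }
    '
}

# The module commands are overridable so the logic can be exercised on a
# host without kldstat/kldload; on FreeBSD leave them at the defaults.
KLDSTAT=${KLDSTAT:-kldstat}
KLDLOAD=${KLDLOAD:-kldload}

# ensure_module NAME: kldstat -q -m exits 0 when NAME is already loaded;
# otherwise load it. Returns nonzero if the module cannot be loaded.
ensure_module() {
    "$KLDSTAT" -q -m "$1" 2>/dev/null || "$KLDLOAD" "$1"
}

# main: report the rc.d ordering, then load ipdivert explicitly before
# adding the divert rule, which fails without the module (point 1 of
# the report). Rule number, natd port and interface em0 are assumed.
main() {
    if rcorder /etc/rc.d/* 2>/dev/null | rc_precedes natd ipfw; then
        echo "rc.d order: natd before ipfw"
    else
        echo "rc.d order: ipfw before natd (the situation the PR describes)"
    fi
    ensure_module ipdivert || { echo "cannot load ipdivert" >&2; exit 1; }
    ipfw add 50 divert natd ip4 from any to any via em0
}

# Only act when invoked as: sh thisscript.sh run
case "${1:-}" in run) main ;; esac
```

Run it as `sh thisscript.sh run` on the host in question; ensure_module is the step that matters, since the kldload happens regardless of where natd lands in the rc.d order.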

freebsd-bugs@freebsd.org mailing list