Chris Rees <[email protected]> wrote
  in <[email protected]>:

ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>
ut> From: Chris Rees <[email protected]>
ut> To: [email protected]
ut> Cc:
ut> Subject: Re: conf/167566
ut> Date: Sat, 27 Oct 2012 19:05:23 +0100
ut>
ut>  On 27 October 2012 18:36, Hiroki Sato <[email protected]> wrote:
ut>  > Chris Rees <[email protected]> wrote
ut>  >   in <[email protected]>:
ut>  >
ut>  > ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
ut>  > ut>
ut>  > ut> From: Chris Rees <[email protected]>
ut>  > ut> To: [email protected]
ut>  > ut> Cc:
ut>  > ut> Subject: Re: conf/167566
ut>  > ut> Date: Thu, 25 Oct 2012 21:24:51 +0100
ut>  > ut>
ut>  > ut>  The correct fix would be to add REQUIRE: natd to ipfw.
ut>  > ut>
ut>  > ut>  http://www.bayofrum.net/~crees/patches/167566.diff
ut>  > ut>
ut>  > ut>  Please would someone take a look?
ut>  >
ut>  >  I think ipdivert module should be loaded in the ipfw script when
ut>  >  natd_enable=YES because ipfw_nat is loaded in that way.  Can you (or
ut>  >  anyone) test the patch at
ut>  >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121027-1.diff ?
ut>
ut>  Looking at the situation more closely with your hint, how about making
ut>  the required_modules only conditional on firewall_nat_enable?  If ipfw
ut>  continues to run before nat then the checkyesno natd_enable is
ut>  actually harmful because it makes us assume that the module is loaded,
ut>  when it actually isn't yet.

 Which module do you refer to in "...the module is loaded, ...",
 ipfw_nat.ko or ipdivert.ko?

 In my understanding the problem occurs only when ipfw attempts to
 load firewall rules including a "divert" directive and ipdivert.ko is
 not loaded at that time.  natd(8) also requires ipdivert.ko, but
 rc.d/natd already has required_modules="ipdivert".
 firewall_nat_enable is a knob for in-kernel NAT (this requires
 ipfw_nat.ko), so a more orthogonal way would be like the following
 patch:

 http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff

 It is still unclear to me what is harmful with "checkyesno
 natd_enable" here.  Can you elaborate on it a little more?

-- Hiroki

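The dependency described in the message above (a ruleset containing a "divert" rule needs ipdivert.ko loaded first, and firewall_nat_enable needs ipfw_nat.ko) can be checked against a ruleset file before boot. This is an added example, not the patch at either URL and not FreeBSD's rc.d code; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive which kernel modules an ipfw ruleset depends on,
# so a missing module is noticed before the rules fail to load at boot.
# Function names and sample rules are hypothetical, not from the PR.

# Same value test rc.subr's checkyesno applies: YES/TRUE/ON/1, any case.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if the ruleset has a rule using the "divert" action.
# Comments are stripped first so a commented-out rule does not count,
# and the trailing whitespace requirement keeps "diverted" from matching.
ruleset_uses_divert() {
    sed 's/#.*//' "$1" |
        grep -Eq '(^|[[:space:]])divert[[:space:]]+[^[:space:]]'
}

# Print the modules that must be loaded before the ruleset is loaded.
# $1 = value of firewall_nat_enable, $2 = path to the ruleset file
ipfw_needed_modules() {
    mods=""
    if is_yes "$1"; then mods="ipfw_nat"; fi
    if ruleset_uses_divert "$2"; then mods="${mods:+$mods }ipdivert"; fi
    echo "$mods"
}

# Constructed sample ruleset (not taken from the PR).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# add 40 divert natd ip4 from any to any via em0   (disabled)
add 50 divert natd ip4 from any to any via em0
add 65000 allow ip from any to any
EOF
echo "modules needed: $(ipfw_needed_modules NO "$sample")"
rm -f "$sample"
```

On a running system, each name printed can be compared with what is actually loaded before the firewall script runs.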