Bug 30255

Summary: [PATCH] Packets reinjected by natd but denied by ipfw generate annoying errors
Product: Base System
Reporter: Flemming Jacobsen <fj>
Component: misc
Assignee: ru <ru>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description Flemming Jacobsen 2001-09-01 16:10:02 UTC
When natd tries to reinject a packet which is denied by a (later) ipfw rule, annoying log messages of the form:
  natd[pid]: failed to write packet back (Permission denied)
are generated.
This patch adds an option to suppress these messages.

Fix: 

Apply patch from: http://www.batmule.dk/FreeBSD/natd.EACCES.udiff
Add "-nolog_ipfw_denied" to natd commandline
Messages suppressed.

The patch has been tested on 3 moderately used firewalls for nearly 5+ months without any noticeable ill effects.
How-To-Repeat: Install FreeBSD on a system with two network cards. Set up NAT.
Add an ipfw rule after the divert rule denying traffic.
Watch the log messages.
Comment 1 ru freebsd_committer freebsd_triage 2001-09-25 15:24:17 UTC
State Changed
From-To: open->closed

With my MAINTAINER hat on, I don't like this option.

This error usually indicates a misconfigured firewall. It is almost always possible to write firewall rules that do not result in EACCES from the firewall.
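An ipfw ruleset illustrating both the reporter's How-To-Repeat and the maintainer's reply, added here as an example and not taken from the PR or its patch: the first function reproduces the misordering (a deny after the divert rule, so natd's write-back of the translated packet fails with EACCES), the second filters the untranslated packet before the divert rule so natd never has to reinject a packet the firewall will deny. The external interface ed0, the 192.168.1.0/24 LAN and the IPFW override variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR or natd itself. Assumed layout: ed0 is the
# external interface, 192.168.1.0/24 the internal network. IPFW can be
# overridden (e.g. IPFW=echo) to preview the rules without loading them.
IPFW="${IPFW:-/sbin/ipfw}"

# Ruleset that reproduces the PR: the deny sits AFTER the divert rule. A
# LAN-originated SMTP packet is first handed to natd at rule 100, translated,
# written back, and only then denied at rule 200. The kernel reports that
# denial to natd as EACCES: "failed to write packet back (Permission denied)".
misordered_rules() {
    "$IPFW" -f flush
    "$IPFW" add 100 divert natd ip from any to any via ed0
    "$IPFW" add 200 deny tcp from any to any 25 out via ed0
    "$IPFW" add 300 allow ip from any to any
}

# Corrected ordering: filter the untranslated packet BEFORE the divert rule.
# The packet is dropped at rule 50, natd never sees it, and no write-back can
# fail. Rules after the divert then only carry traffic natd may forward.
corrected_rules() {
    "$IPFW" -f flush
    "$IPFW" add 50 deny tcp from 192.168.1.0/24 to any 25 out via ed0
    "$IPFW" add 100 divert natd ip from any to any via ed0
    "$IPFW" add 300 allow ip from any to any
}

# Returns the number of the first rule matching a pattern in the rule text a
# preview run (IPFW=echo) emits, so the ordering can be checked without ipfw.
first_rule_number() {  # $1: rule list text, $2: grep -E pattern
    printf '%s\n' "$1" | grep -E "$2" | head -n 1 | awk '{print $2}'
}
```

Run with `IPFW=echo` first to review the generated rules; on the firewall itself, load the corrected set and the natd errors from the PR stop appearing because no denied packet reaches the divert socket.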
Comment 2 ru freebsd_committer freebsd_triage 2001-10-31 18:17:23 UTC
State Changed
From-To: closed->open

I will reconsider introducing this option.

Comment 3 ru freebsd_committer freebsd_triage 2001-10-31 18:17:23 UTC
Responsible Changed
From-To: freebsd-bugs->ru

I'm the maintainer of natd(8).
Comment 4 ru freebsd_committer freebsd_triage 2001-11-27 11:07:01 UTC
State Changed
From-To: open->closed

The new option -log_ipfw_denied was introduced, active by default with the -verbose option.