Bug 148928 - [ipfw] Problem with loading of ipfw NAT rules during system startup
Summary: [ipfw] Problem with loading of ipfw NAT rules during system startup
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 8.1-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2010-07-25 14:30 UTC by fmyoen
Modified: 2017-12-31 22:32 UTC (History)


Attachments
ipfw_natd.patch (360 bytes, patch), 2012-02-16 11:49 UTC, Mykola Dzham

Description fmyoen 2010-07-25 14:30:06 UTC
It looks like during system startup (in some setups?) the ipdivert.ko kernel module loads later than the default /etc/rc.firewall script executes, and thus the script fails to properly add the NAT-related ipfw rules. In my case it was this rule:

  if [ -n "${natd_interface}" ]; then
    ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
  fi

This results in:

  ipfw: getsockopt(IP_FW_ADD): Invalid argument

So after every reboot I have to manually run sh /etc/rc.firewall to flush and add the ipfw rules once again. I've got this problem on at least two of my PCs, and at least one other person has a similar problem, as reported here: http://www.opennet.ru/openforum/vsluhforumID3/69154.html#26.

Here are parts of my configuration files, although I doubt they will help:

rc.conf:

  ifconfig_vr1="dhcp"
  gateway_enable="YES"

  # IPFW
  firewall_enable="YES"
  firewall_type="OPEN"

  # NAT
  natd_program="/sbin/natd"
  natd_enable="YES"
  natd_interface="vr1"
  natd_flags="-m"

sysctl.conf:

  net.inet.ip.fw.one_pass=0

Fix: 

echo 'ipdivert_load="YES"' >> /boot/loader.conf causes normal rule execution during startup.
How-To-Repeat: Reboot PC.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2010-07-25 18:48:11 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ipfw

Over to maintainer(s).
Comment 2 Thomas Sandford 2010-09-12 19:24:39 UTC
The problem seems to be that ipdivert.ko is not loaded prior to the /etc/rc.d/ipfw script being run.

/etc/rc.d/natd _does_ load this module, so restarting the firewall after the boot sequence is complete works.

I've fixed this on my own system by adding
=== cut here 8<===
         if checkyesno natd_enable; then
                 required_modules="$required_modules ipdivert"
         fi
=== cut here 8<===
at the end of the ipfw_prestart() function in /etc/rc.d/ipfw

This appears to be a regression between the "out of the box" states for 8.0-RELEASE and 8.1-RELEASE.
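A post-boot sanity check for the failure this PR describes, as an added example (not code from the PR, from the reporter, or from FreeBSD's rc scripts): it tells apart "ipdivert.ko never got loaded, so rc.firewall could not add the divert rule" from "module loaded but the rule is still missing". The function names, the sample kldstat/ipfw listings and the assumption that the rule listing contains "divert ... via <interface>" are mine; on a live host feed it the real `kldstat` and `ipfw -a list` output.

```shell
#!/bin/sh
# Added example, not part of the PR or of FreeBSD's rc scripts: checks after boot
# whether the /etc/rc.firewall divert rule exists and, if not, whether ipdivert.ko
# is the reason. Command output is passed as arguments so the logic runs offline
# on constructed samples; live: check_nat_startup vr1 "$(kldstat)" "$(ipfw -a list)"

# 0 if the kldstat(8) listing mentions ipdivert.ko, 1 otherwise.
ipdivert_loaded() {
    printf '%s\n' "$1" | grep -q '[[:space:]]ipdivert\.ko[[:space:]]*$'
}

# 0 if the ipfw(8) listing has a divert rule via interface $1, 1 otherwise.
divert_rule_present() {
    printf '%s\n' "$2" | grep -Eq "^[0-9]+ .*divert .* via $1"'( |$)'
}

# Exit status: 0 = divert rule in place; 1 = ipdivert.ko missing, the case in
# this PR; 2 = module loaded but rule absent, so rc.firewall failed elsewhere.
check_nat_startup() {
    iface=$1 klds=$2 rules=$3
    if divert_rule_present "$iface" "$rules"; then
        echo "ok: divert rule via $iface is installed"
        return 0
    elif ! ipdivert_loaded "$klds"; then
        echo "ipdivert.ko not loaded, so rc.firewall could not add the divert rule;"
        echo "add ipdivert_load=\"YES\" to /boot/loader.conf, then rerun sh /etc/rc.firewall"
        return 1
    else
        echo "ipdivert.ko is loaded but no divert rule via $iface exists; check rc.firewall"
        return 2
    fi
}

# Constructed samples mirroring the reporter's setup (natd on vr1); 8668 is
# natd's default divert port.
KLDSTAT_NO_DIVERT='Id Refs Address            Size     Name
 1   10 0xffffffff80100000 c6d6f0   kernel
 2    1 0xffffffff81022000 2f3c     ipfw.ko'
KLDSTAT_WITH_DIVERT="$KLDSTAT_NO_DIVERT
 3    1 0xffffffff81025000 1f3c     ipdivert.ko"
RULES_BROKEN='65535 0 0 allow ip from any to any'
RULES_OK='00050 120 9600 divert 8668 ip4 from any to any via vr1
65535 0 0 allow ip from any to any'

# Demonstrate the broken boot from the PR (prints the diagnosis, status 1).
status=0; check_nat_startup vr1 "$KLDSTAT_NO_DIVERT" "$RULES_BROKEN" || status=$?
echo "exit status: $status"
```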
Comment 3 Hiroki Sato freebsd_committer freebsd_triage 2011-01-05 01:05:33 UTC
Responsible Changed
From-To: freebsd-ipfw->hrs

Take.
Comment 4 Mykola Dzham 2012-02-16 11:49:34 UTC
The attached patch fixes the problem (the patch is the same as the solution from Thomas Sandford).

-- 
LEFT-(UANIC|RIPE)
JID: levsha@jabber.net.ua
PGP fingerprint: 1BCD 7C80 2E04 7282 C944  B0E0 7E67 619E 4E72 9280
Comment 5 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:00:30 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped