Bug 226622 - Error when specifying multiple interfaces through firewall_nat_interface in /etc/rc.conf
Status: Closed Works As Intended
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 11.1-STABLE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Eugene Grosbein
URL:
Keywords: patch
Depends on:
Blocks:
Reported: 2018-03-15 08:21 UTC by ev
Modified: 2018-05-02 09:19 UTC

See Also:


Attachments
patch for /etc/rc.firewall and /etc/defaults/rc.conf (918 bytes, application/x-zip-compressed)
2018-03-15 08:21 UTC, ev

Description ev 2018-03-15 08:21:31 UTC
Created attachment 191515
patch for /etc/rc.firewall and /etc/defaults/rc.conf

firewall_nat_interface is used in "nat 123 config" and in "add 50 nat 123 ip4 from any to any via", but the permissible values in them are different. I suggest adding the variable firewall_nat_ip to define an IP address to use for aliasing.

/etc/rc.firewall is changed as well, for backward compatibility.
Comment 1 Eugene Grosbein freebsd_committer 2018-04-14 23:24:21 UTC
Please be a bit more specific and describe the exact problem you have that needs a change in the code. It seems to me that it should work just fine already.
Comment 2 ev 2018-04-15 07:27:12 UTC
I have many gif interfaces to remote offices and I create an internal global network. To use multiple NAT it is required to set firewall_nat_interface="gif*", but "gif*" can not be used in the "nat 123 config" rule (it returns an error).
Comment 3 Eugene Grosbein freebsd_committer 2018-04-15 07:48:55 UTC
(In reply to ev from comment #2)

The variables firewall_nat_* are supposed to be used with a single ipfw nat instance and a single interface. For more complex setups like yours, no patches are required, as we already have means to apply arbitrary extensions. For example, in /etc/rc.conf:

firewall_nat_interface="1.2.3.4"

# your private extension script
firewall_coscripts="/etc/rc.firewall.local"

# your private script's configuration
firewall_nat_intmask="gif*"

Create an executable script /etc/rc.firewall.local and the system runs it in addition to, and after, the default system scripts:

#!/bin/sh

# pull in firewall_nat_intmask together with the other rc.conf variables
. /etc/rc.conf
# drop the rule 50 that /etc/rc.firewall installed for firewall_nat_interface
ipfw -q delete 50
# re-add it with the interface mask; the quotes keep the shell from expanding "gif*"
ipfw add 50 nat 123 ip4 from any to any via "$firewall_nat_intmask"
#end-of-file

Please try and respond.
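A more defensive version of the coscript from comment 3, added here as an example; it is not code from the bug report or from FreeBSD's own rc scripts. It uses the same rc.conf variable (firewall_nat_intmask), the same rule number 50 and nat instance 123, but validates the values before they reach ipfw (an empty mask would produce a "via" clause ipfw rejects, and whitespace would split into extra rule tokens) and passes the mask as a single quoted argument so the shell never expands gif* itself. The IPFW override variable and the function names validate_nat_args, apply_nat_rule and run_ipfw are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report: a more defensive version of
# the /etc/rc.firewall.local coscript sketched in comment 3. It reads the
# same rc.conf variable (firewall_nat_intmask) and keeps the same rule and
# nat instance numbers (50 and 123). IPFW is a hypothetical override used
# only so the logic can be exercised without a real ipfw binary.

IPFW="${IPFW:-/sbin/ipfw}"

# Run one ipfw command through the (overridable) binary or function.
run_ipfw() {
    "$IPFW" "$@"
}

# Check the three values before they reach ipfw. Returns 1 on any problem.
# Arguments: rule number, nat instance number, interface mask for "via".
validate_nat_args() {
    rule="$1"; inst="$2"; mask="$3"
    # rule and nat instance numbers must be plain integers in ipfw's range
    for n in "$rule" "$inst"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
    done
    # an empty mask would yield 'via ""', which ipfw rejects; whitespace
    # would silently split into extra rule tokens
    case "$mask" in ''|*[[:space:]]*) return 1 ;; esac
    return 0
}

# Replace rule $1 with a "nat $2 ip4 from any to any via $3" rule. The mask
# is passed as one quoted argument, so a glob such as gif* is never expanded
# by the shell; ipfw matches it against interface names itself.
apply_nat_rule() {
    validate_nat_args "$1" "$2" "$3" || return 1
    # tolerate a missing rule on the first run
    run_ipfw -q delete "$1" 2>/dev/null || :
    run_ipfw add "$1" nat "$2" ip4 from any to any via "$3"
}

# Only act when installed and executed as the coscript; sourcing the file
# (for example from a test) just defines the functions above.
case "$0" in
*rc.firewall.local)
    [ -r /etc/rc.conf ] && . /etc/rc.conf
    apply_nat_rule 50 123 "$firewall_nat_intmask" || {
        echo "rc.firewall.local: invalid firewall_nat_intmask='$firewall_nat_intmask'" >&2
        exit 1
    }
    ;;
esac
```

Install it as /etc/rc.firewall.local, make it executable, and list it in firewall_coscripts exactly as comment 3 shows; a bad or empty firewall_nat_intmask then fails loudly at firewall start instead of leaving rule 50 deleted with nothing in its place.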
Comment 4 Eugene Grosbein freebsd_committer 2018-05-02 09:19:47 UTC
Feedback timeout. Also, code changes are believed unnecessary, as the task can easily be solved using coscripts.