From nobody@FreeBSD.org  Tue Dec 14 19:44:57 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B512A1065672
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 14 Dec 2010 19:44:57 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (unknown [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id A2E4F8FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 14 Dec 2010 19:44:57 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id oBEJivfj045079
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 14 Dec 2010 19:44:57 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id oBEJivGQ045078;
	Tue, 14 Dec 2010 19:44:57 GMT
	(envelope-from nobody)
Message-Id: <201012141944.oBEJivGQ045078@red.freebsd.org>
Date: Tue, 14 Dec 2010 19:44:57 GMT
From: Thomas Sandford <freebsduser@paradisegreen.co.uk>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         153155
>Category:       conf
>Synopsis:       [PATCH] [8.2-BETA1] ipfw rules fail to load cleanly on start if nat enabled
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    hrs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Dec 14 19:50:08 UTC 2010
>Closed-Date:    
>Last-Modified:  Wed Jan 05 01:06:23 UTC 2011
>Originator:     Thomas Sandford
>Release:        FreeBSD 8.2-BETA1 i386
>Organization:
>Environment:
FreeBSD fbsd-8.2 8.2-BETA1 FreeBSD 8.2-BETA1 #0: Sun Dec 5 02:13:37 UTC 2010 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
/etc/rc.d/ipfw fails to load the ipdivert module when natd is enabled.

This causes the divert rules that /etc/rc.firewall adds in this case to fail on system boot, with the following error message displayed during ipfw rule load:
ipfw: getsockopt(IP_FW_ADD): Invalid argument

Restarting ipfw works around the problem as /etc/rc.d/natd (which is run _after_ ipfw is initialised) DOES load ipdivert.
>How-To-Repeat:
In /etc/rc.conf

===
..
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_type="Client"
..
===
>Fix:
Apply the attached patch.

This is verified to fix the problem in 8.2-BETA1, also 8.1-RELEASE. The patched file is identical in HEAD (against which the patch has been created) and 8.2-BETA1.

Patch attached with submission follows:

Index: rc.d/ipfw
===================================================================
--- rc.d/ipfw	(revision 216439)
+++ rc.d/ipfw	(working copy)
@@ -31,6 +31,10 @@
 			required_modules="$required_modules ipfw_nat"
 		fi
 	fi
+
+	if checkyesno natd_enable; then
+		required_modules="$required_modules ipdivert"
+	fi
 }
 
 ipfw_start()
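Review bot: the new `checkyesno natd_enable` block carries no comment saying why ipdivert must be requested from rc.d/ipfw rather than left to rc.d/natd, which per the description loads it only after ipfw has already tried to install the divert rules; a one-line comment above the `if` (for instance `# rc.firewall adds divert rules before rc.d/natd loads ipdivert`) would protect the line from a later cleanup, since the failure it prevents surfaces only as `ipfw: getsockopt(IP_FW_ADD): Invalid argument` with no mention of the missing module. Placing the block after the closing `fi` of the ipfw_nat section, separated by a blank line, is consistent with the surrounding style.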


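The ordering problem in the description (rc.d/ipfw installs rc.firewall's divert rules before rc.d/natd loads ipdivert) can be reproduced and checked without a FreeBSD box. The script below is an added example, not code from this PR or from the FreeBSD rc.d scripts: it mirrors in simplified form how rc.d/ipfw assembles required_modules (the unchanged ipfw_nat context from the hunk plus the natd_enable -> ipdivert line the patch adds), reads a kldstat(8)-style listing, and reports whether a divert rule could be installed at the moment ipfw runs. The function names, the simplified firewall_nat_enable handling, and the sample kldstat output are constructed for this example.

```shell
#!/bin/sh
# Added example for PR 153155; not code from the FreeBSD rc.d scripts.
# Models the module requirements of rc.d/ipfw with and without the patch
# and checks a kldstat(8)-style listing for what a divert rule needs.
# Function names and the sample kldstat output are constructed.

# checkyesno VAR: same contract as rc.subr(8): true for yes/true/on/1.
checkyesno() {
    eval _v=\"\$$1\"
    case "$_v" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# ipfw_required_modules PATCHED: echo the modules rc.d/ipfw would request
# for the current rc.conf variables. PATCHED=yes applies the PR's fix.
# (The firewall_nat_enable -> ipfw_nat step is a simplification of the
# unchanged context shown in the hunk.)
ipfw_required_modules() {
    _mods="ipfw"
    if checkyesno firewall_nat_enable; then
        _mods="$_mods ipfw_nat"          # unchanged context in the hunk
    fi
    if [ "$1" = yes ] && checkyesno natd_enable; then
        _mods="$_mods ipdivert"          # the line the patch adds
    fi
    echo "$_mods"
}

# kld_names: read kldstat(8)-style text on stdin, print the Name column
# without the .ko suffix, skipping the header line.
kld_names() {
    read -r _header
    while read -r _id _refs _addr _size _name; do
        echo "${_name%.ko}"
    done
}

# missing_modules "REQUIRED..." "LOADED...": print the required modules
# absent from LOADED, space separated; prints nothing if all are present.
missing_modules() {
    _missing=""
    for _m in $1; do
        _found=no
        for _l in $2; do
            [ "$_m" = "$_l" ] && _found=yes
        done
        [ "$_found" = yes ] || _missing="$_missing $_m"
    done
    echo "${_missing# }"
}

# divert_ready PATCHED "LOADED...": emulate the boot order from the PR.
# rc.d/ipfw loads only the modules it requested (rc.d/natd, which loads
# ipdivert, has not run yet), then rc.firewall adds a divert rule.
# Prints "ok" or the error exactly as ipfw(8) reports it in the PR.
divert_ready() {
    _loaded="$2 $(ipfw_required_modules "$1")"
    if [ -n "$(missing_modules ipdivert "$_loaded")" ]; then
        echo "ipfw: getsockopt(IP_FW_ADD): Invalid argument"
    else
        echo "ok"
    fi
}

# Constructed kldstat output: what is loaded when rc.d/ipfw runs at boot.
SAMPLE_KLDSTAT='Id Refs Address    Size     Name
 1    4 0xc0400000 bd3b48   kernel
 2    1 0xc5a1e000 6000     ipfw.ko'

# The rc.conf settings from the How-To-Repeat section.
natd_enable="YES"
natd_interface="em0"
firewall_enable="YES"
firewall_type="Client"
firewall_nat_enable="NO"

loaded=$(echo "$SAMPLE_KLDSTAT" | kld_names)
echo "unpatched: $(divert_ready no "$loaded")"
echo "patched:   $(divert_ready yes "$loaded")"
```

On a real system the same check reads live output (`kldstat | kld_names`) and `missing_modules "$(ipfw_required_modules yes)"` against it tells an administrator, before touching the rule set, which modules rc.d/ipfw would still have to load.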
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Dec 14 20:26:08 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153155 
Responsible-Changed-From-To: freebsd-ipfw->hrs 
Responsible-Changed-By: hrs 
Responsible-Changed-When: Wed Jan 5 01:06:05 UTC 2011 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=153155 
>Unformatted:
