From amdmi3@amdmi3.ru  Thu May  3 19:26:44 2012
Return-Path: <amdmi3@amdmi3.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 2084F1065670
	for <freebsd-gnats-submit@freebsd.org>; Thu,  3 May 2012 19:26:44 +0000 (UTC)
	(envelope-from amdmi3@amdmi3.ru)
Received: from smtp.timeweb.ru (unknown [IPv6:2a03:6f00:1::5c35:743c])
	by mx1.freebsd.org (Postfix) with ESMTP id A27678FC15
	for <freebsd-gnats-submit@freebsd.org>; Thu,  3 May 2012 19:26:43 +0000 (UTC)
Received: from [213.148.20.85] (helo=hive.panopticon)
	by smtp.timeweb.ru with esmtpsa (TLSv1:CAMELLIA256-SHA:256)
	(Exim 4.76)
	(envelope-from <amdmi3@amdmi3.ru>)
	id 1SQ1fm-0000bn-2b
	for FreeBSD-gnats-submit@freebsd.org; Thu, 03 May 2012 23:26:42 +0400
Received: from hades.panopticon (hades.panopticon [192.168.0.32])
	by hive.panopticon (Postfix) with ESMTP id D489AB84E
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  3 May 2012 23:26:41 +0400 (MSK)
Received: by hades.panopticon (Postfix, from userid 1000)
	id C77AFDED; Thu,  3 May 2012 23:26:41 +0400 (MSK)
Message-Id: <20120503192641.C77AFDED@hades.panopticon>
Date: Thu,  3 May 2012 23:26:41 +0400 (MSK)
From: Dmitry Marakasov <amdmi3@FreeBSD.org>
Reply-To: Dmitry Marakasov <amdmi3@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [rc.d] ipdivert module loading vs. ipfw rc.d order issue
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         167566
>Category:       conf
>Synopsis:       [rc.d] [patch] ipdivert module loading vs. ipfw rc.d order issue
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-rc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 03 19:30:12 UTC 2012
>Closed-Date:    
>Last-Modified:  Fri Jul 12 01:20:00 UTC 2013
>Originator:     Dmitry Marakasov
>Release:        FreeBSD 9.0-RELEASE amd64
>Organization:
>Environment:
System: FreeBSD hades.panopticon 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 10 01:33:18 MSK 2012 root@hades.panopticon:/usr/obj/usr/src/sys/HADES amd64


>Description:
1) if ipfw divert rules are used, the ipdivert module must be loaded before the rules are added, or ipfw add'ing a divert rule will fail
2) the ipdivert module is loaded by rc.d/natd
3) there's nothing to make rc.d/natd execute before rc.d/ipfw, and in reality the order is incorrect:

% rcorder /etc/rc.d/* | grep -Ee 'ipfw|natd'
/etc/rc.d/ipfw
/etc/rc.d/natd

Thus, someone using natd will run into an incomplete ruleset and will have to add ipdivert_load="YES" to /boot/loader.conf

The attached patch makes rc.d/natd run before rc.d/ipfw, so the module is automatically loaded in time.

>How-To-Repeat:
>Fix:

--- rc.d-natd.patch begins here ---
diff --git etc/rc.d/natd etc/rc.d/natd
index 35f17bb..fcc8920 100755
--- etc/rc.d/natd
+++ etc/rc.d/natd
@@ -5,6 +5,7 @@
 
 # PROVIDE: natd
 # KEYWORD: nostart nojail
+# BEFORE: ipfw
 
 . /etc/rc.subr
 . /etc/network.subr
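Review bot: the new `# BEFORE: ipfw` line changes the rcorder listing but not what happens at boot, because this script keeps `# KEYWORD: nostart` two lines above it: /etc/rc runs rcorder with `-s nostart`, so rc.d/natd is never started by rc itself, and its ipdivert loading therefore still does not happen before rc.d/ipfw adds the divert rule. Tying ipdivert to the script that actually needs it, via rc.d/ipfw's own required_modules (or, as the follow-up suggests, a REQUIRE in the dependent script rather than a BEFORE here), avoids depending on the ordering of a script that rc skips.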
--- rc.d-natd.patch ends here ---

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu May 3 22:36:34 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167566 

From: Chris Rees <utisoft@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: conf/167566
Date: Thu, 25 Oct 2012 21:24:51 +0100

 The correct fix would be to add REQUIRE: natd to ipfw.
 
 http://www.bayofrum.net/~crees/patches/167566.diff
 
 Please would someone take a look?
 
 Chris

From: Hiroki Sato <hrs@FreeBSD.org>
To: bug-followup@FreeBSD.org, utisoft@gmail.com
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 02:36:18 +0900 (JST)

 Chris Rees <utisoft@gmail.com> wrote
   in <201210252030.q9PKU1sK001139@freefall.freebsd.org>:
 
 ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
 ut>
 ut> From: Chris Rees <utisoft@gmail.com>
 ut> To: bug-followup@freebsd.org
 ut> Cc:
 ut> Subject: Re: conf/167566
 ut> Date: Thu, 25 Oct 2012 21:24:51 +0100
 ut>
 ut>  The correct fix would be to add REQUIRE: natd to ipfw.
 ut>
 ut>  http://www.bayofrum.net/~crees/patches/167566.diff
 ut>
 ut>  Please would someone take a look?
 
  I think ipdivert module should be loaded in the ipfw script when
  natd_enable=YES because ipfw_nat is loaded in that way.  Can you (or
  anyone) test the patch at
  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121027-1.diff ?
 
 -- Hiroki

From: Chris Rees <utisoft@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: conf/167566
Date: Sat, 27 Oct 2012 19:05:23 +0100

 On 27 October 2012 18:36, Hiroki Sato <hrs@freebsd.org> wrote:
 > Chris Rees <utisoft@gmail.com> wrote
 >   in <201210252030.q9PKU1sK001139@freefall.freebsd.org>:
 >
 > ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
 > ut>
 > ut> From: Chris Rees <utisoft@gmail.com>
 > ut> To: bug-followup@freebsd.org
 > ut> Cc:
 > ut> Subject: Re: conf/167566
 > ut> Date: Thu, 25 Oct 2012 21:24:51 +0100
 > ut>
 > ut>  The correct fix would be to add REQUIRE: natd to ipfw.
 > ut>
 > ut>  http://www.bayofrum.net/~crees/patches/167566.diff
 > ut>
 > ut>  Please would someone take a look?
 >
 >  I think ipdivert module should be loaded in the ipfw script when
 >  natd_enable=YES because ipfw_nat is loaded in that way.  Can you (or
 >  anyone) test the patch at
 >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121027-1.diff ?
 
 Looking at the situation more closely with your hint, how about making
 the required_modules only conditional on firewall_nat_enable?  If ipfw
 continues to run before nat then the checkyesno natd_enable is
 actually harmful because it makes us assume that the module is loaded,
 when it actually isn't yet.
 
 Chris
 
 http://www.bayofrum.net/~crees/patches/167566-1.diff

From: Hiroki Sato <hrs@FreeBSD.org>
To: utisoft@gmail.com, bug-followup@FreeBSD.org
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 06:10:13 +0900 (JST)

 Chris Rees <utisoft@gmail.com> wrote
   in <201210271810.q9RIA1QZ069213@freefall.freebsd.org>:
 
 ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
 ut>
 ut> From: Chris Rees <utisoft@gmail.com>
 ut> To: bug-followup@freebsd.org
 ut> Cc:
 ut> Subject: Re: conf/167566
 ut> Date: Sat, 27 Oct 2012 19:05:23 +0100
 ut>
 ut>  On 27 October 2012 18:36, Hiroki Sato <hrs@freebsd.org> wrote:
 ut>  > Chris Rees <utisoft@gmail.com> wrote
 ut>  >   in <201210252030.q9PKU1sK001139@freefall.freebsd.org>:
 ut>  >
 ut>  > ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
 ut>  > ut>
 ut>  > ut> From: Chris Rees <utisoft@gmail.com>
 ut>  > ut> To: bug-followup@freebsd.org
 ut>  > ut> Cc:
 ut>  > ut> Subject: Re: conf/167566
 ut>  > ut> Date: Thu, 25 Oct 2012 21:24:51 +0100
 ut>  > ut>
 ut>  > ut>  The correct fix would be to add REQUIRE: natd to ipfw.
 ut>  > ut>
 ut>  > ut>  http://www.bayofrum.net/~crees/patches/167566.diff
 ut>  > ut>
 ut>  > ut>  Please would someone take a look?
 ut>  >
 ut>  >  I think ipdivert module should be loaded in the ipfw script when
 ut>  >  natd_enable=YES because ipfw_nat is loaded in that way.  Can you (or
 ut>  >  anyone) test the patch at
 ut>  >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121027-1.diff ?
 ut>
 ut>  Looking at the situation more closely with your hint, how about making
 ut>  the required_modules only conditional on firewall_nat_enable?  If ipfw
 ut>  continues to run before nat then the checkyesno natd_enable is
 ut>  actually harmful because it makes us assume that the module is loaded,
 ut>  when it actually isn't yet.
 
  Which module do you refer to in "...the module is loaded, ...",
  ipfw_nat.ko or ipdivert.ko?
 
  In my understanding the problem occurs only when ipfw attempts to
  load firewall rules including a "divert" directive and ipdivert.ko is
  not loaded at that time.  natd(8) also requires ipdivert.ko, but
  rc.d/natd already has required_modules="ipdivert".
  firewall_nat_enable is a knob for in-kernel NAT (this requires
  ipfw_nat.ko), so a more orthogonal way would be like the following
  patch:
 
  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
 
  It is still unclear to me what is harmful with "checkyesno
  natd_enable" here.  Can you elaborate it a little more?
 
 -- Hiroki

From: Chris Rees <utisoft@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: conf/167566
Date: Sat, 27 Oct 2012 22:29:03 +0100

 >  Which module do you refer to in "...the module is loaded, ...",
 >  ipfw_nat.ko or ipdivert.ko?
 >
 >  In my understanding the problem occurs only when ipfw attempts to
 >  load firewall rules including a "divert" directive and ipdivert.ko is
 >  not loaded at that time.  natd(8) also requires ipdivert.ko, but
 >  rc.d/natd already has required_modules="ipdivert".
 >  firewall_nat_enable is a knob for in-kernel NAT (this requires
 >  ipfw_nat.ko), so a more orthogonal way would be like the following
 >  patch:
 >
 >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
 >
 >  It is still unclear to me what is harmful with "checkyesno
 >  natd_enable" here.  Can you elaborate it a little more?
 
 Check rcorder:
 
 [crees@pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
 /etc/rc.d/ipfw
 /etc/rc.d/natd
 
 That means that natd doesn't run until after ipfw.  This means that on
 boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
 *regardless of the state of natd_enable*.
 
 Therefore, checkyesno natd_enable does not guarantee that either
 ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.
 
 Chris
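
The rcorder behaviour argued about above, as an added example that is not part of the PR and not FreeBSD's rcorder(8) source: a small Python model of how PROVIDE/REQUIRE/BEFORE/KEYWORD headers become a start order, including the `-s nostart` skipping that /etc/rc applies at boot. The rc.d header blocks (ipfw, natd, ppp, netif) are constructed, abbreviated stand-ins for the real scripts, and the patched natd block carries the `BEFORE: ipfw` line from the PR's rc.d-natd.patch. It shows that the BEFORE line reorders the listing, while under `-s nostart` natd is not in the boot sequence at all.

```python
# Added example: a minimal model of rcorder(8) dependency resolution.
# Not FreeBSD's rcorder source; header blocks below are constructed.
import re

HEADER_RE = re.compile(r'^#\s*(PROVIDE|REQUIRE|BEFORE|KEYWORD):\s*(.*)$')


def parse_headers(text):
    """Collect the rcorder header lines of one rc.d script."""
    hdr = {'provide': [], 'require': [], 'before': [], 'keyword': []}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            hdr[m.group(1).lower()].extend(m.group(2).split())
    return hdr


def rc_order(scripts, skip_keywords=()):
    """Return script names in start order.

    scripts: dict name -> script text, in directory (glob) order as for
             'rcorder /etc/rc.d/*'.  skip_keywords models 'rcorder -s':
             a script carrying one of them is left out entirely, which is
             what /etc/rc does with -s nostart at boot.
    """
    info = {n: parse_headers(t) for n, t in scripts.items()}
    skip = set(skip_keywords)
    active = [n for n in scripts if not (set(info[n]['keyword']) & skip)]
    providers = {}
    for n in active:
        for p in info[n]['provide']:
            providers.setdefault(p, n)
    # preds[n]: scripts that must start before n (REQUIRE in n itself,
    # or BEFORE in another script naming something n provides).
    preds = {n: [] for n in active}
    for n in active:
        for r in info[n]['require']:
            p = providers.get(r)
            if p is not None and p != n and p not in preds[n]:
                preds[n].append(p)
        for b in info[n]['before']:
            p = providers.get(b)
            if p is not None and p != n and n not in preds[p]:
                preds[p].append(n)
    order, state = [], {}

    def visit(n):
        # Depth-first: emit a script's predecessors, then the script.
        if state.get(n) == 'done':
            return
        if state.get(n) == 'visiting':
            raise ValueError('dependency cycle involving ' + n)
        state[n] = 'visiting'
        for p in preds[n]:
            visit(p)
        state[n] = 'done'
        order.append(n)

    for n in active:
        visit(n)
    return order


def starts_before(order, a, b):
    """True/False when both scripts are in the order, None if either is absent."""
    if a not in order or b not in order:
        return None
    return order.index(a) < order.index(b)


# Constructed, abbreviated header blocks (assumed, not copied from /etc/rc.d).
IPFW = "# PROVIDE: ipfw\n# REQUIRE: ppp\n# KEYWORD: nojail\n"
NATD_STOCK = "# PROVIDE: natd\n# KEYWORD: nostart nojail\n"
NATD_PATCHED = NATD_STOCK + "# BEFORE: ipfw\n"   # the PR's rc.d-natd.patch
PPP = "# PROVIDE: ppp\n# REQUIRE: netif\n"
NETIF = "# PROVIDE: netif\n"

STOCK = {'ipfw': IPFW, 'natd': NATD_STOCK, 'netif': NETIF, 'ppp': PPP}
PATCHED = dict(STOCK, natd=NATD_PATCHED)

if __name__ == '__main__':
    print('stock listing:        ', rc_order(STOCK))
    print('with BEFORE: ipfw:    ', rc_order(PATCHED))
    print('at boot (-s nostart): ', rc_order(PATCHED, ['nostart']))
```

Real rcorder walks its inputs differently for unconstrained scripts, so only the relative positions forced by the headers should be read from the output: with the stock headers ipfw precedes natd (as in both rcorder listings in this PR), the BEFORE line flips that, and with nostart skipped natd disappears from the boot order, so the ordering change alone cannot make ipdivert available when rc.d/ipfw adds the divert rule.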

From: Hiroki Sato <hrs@FreeBSD.org>
To: utisoft@gmail.com, bug-followup@FreeBSD.org
Cc: freebsd-rc@FreeBSD.org
Subject: Re: conf/167566
Date: Sun, 28 Oct 2012 06:47:01 +0900 (JST)

 Chris Rees <utisoft@gmail.com> wrote
   in <201210272130.q9RLU1C8085928@freefall.freebsd.org>:
 
 ut> The following reply was made to PR conf/167566; it has been noted by GNATS.
 ut>
 ut> From: Chris Rees <utisoft@gmail.com>
 ut> To: bug-followup@freebsd.org
 ut> Cc:
 ut> Subject: Re: conf/167566
 ut> Date: Sat, 27 Oct 2012 22:29:03 +0100
 ut>
 ut>  >  Which module do you refer to in "...the module is loaded, ...",
 ut>  >  ipfw_nat.ko or ipdivert.ko?
 ut>  >
 ut>  >  In my understanding the problem occurs only when ipfw attempts to
 ut>  >  load firewall rules including a "divert" directive and ipdivert.ko is
 ut>  >  not loaded at that time.  natd(8) also requires ipdivert.ko, but
 ut>  >  rc.d/natd already has required_modules="ipdivert".
 ut>  >  firewall_nat_enable is a knob for in-kernel NAT (this requires
 ut>  >  ipfw_nat.ko), so a more orthogonal way would be like the following
 ut>  >  patch:
 ut>  >
 ut>  >  http://people.allbsd.org/~hrs/FreeBSD/ipfw.20121028-1.diff
 ut>  >
 ut>  >  It is still unclear to me what is harmful with "checkyesno
 ut>  >  natd_enable" here.  Can you elaborate it a little more?
 ut>
 ut>  Check rcorder:
 ut>
 ut>  [crees@pegasus]~% rcorder /etc/rc.d/* | grep -E 'natd|ipfw'
 ut>  /etc/rc.d/ipfw
 ut>  /etc/rc.d/natd
 ut>
 ut>  That means that natd doesn't run until after ipfw.  This means that on
 ut>  boot, when ipfw runs, neither ipfw_nat nor ipdivert are installed,
 ut>  *regardless of the state of natd_enable*.
 
  The rc.d/ipfw script has $required_modules and the modules listed
  there are installed before ipfw(8) runs.  It has nothing to do with
  rc.d/natd and its order even if it uses "checkyesno natd_enable".
  Why do you think these modules are not loaded when rc.d/ipfw runs?
 
 ut>  Therefore, checkyesno natd_enable does not guarantee that either
 ut>  ipfw_nat or ipdivert is loaded *at the time rc.d/ipfw is run*.
 
 -- Hiroki

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/167566: commit references a PR
Date: Fri, 12 Jul 2013 01:12:45 +0000 (UTC)

 Author: hrs
 Date: Fri Jul 12 01:12:28 2013
 New Revision: 253232
 URL: http://svnweb.freebsd.org/changeset/base/253232
 
 Log:
   MFC 242301:
   
   Load ipdivert.ko when natd_enable=YES.
   
   PR:	conf/167566
 
 Modified:
   stable/9/etc/rc.d/ipfw
 Directory Properties:
   stable/9/etc/rc.d/   (props changed)
 
 Modified: stable/9/etc/rc.d/ipfw
 ==============================================================================
 --- stable/9/etc/rc.d/ipfw	Fri Jul 12 01:08:12 2013	(r253231)
 +++ stable/9/etc/rc.d/ipfw	Fri Jul 12 01:12:28 2013	(r253232)
 @@ -25,11 +25,11 @@ ipfw_prestart()
  	if checkyesno dummynet_enable; then
  		required_modules="$required_modules dummynet"
  	fi
 -
 +	if checkyesno natd_enable; then
 +		required_modules="$required_modules ipdivert"
 +	fi
  	if checkyesno firewall_nat_enable; then
 -		if ! checkyesno natd_enable; then
 -			required_modules="$required_modules ipfw_nat"
 -		fi
 +		required_modules="$required_modules ipfw_nat"
  	fi
  }
  
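 Review bot: the log message documents only the ipdivert addition, but the hunk also changes when ipfw_nat is loaded: the removed `if ! checkyesno natd_enable` guard previously skipped ipfw_nat whenever natd was enabled, and after this change ipfw_nat is added to required_modules whenever firewall_nat_enable is set, regardless of natd_enable. That second behaviour change deserves a sentence in the commit message, since a host with both knobs set now gets both ipdivert and ipfw_nat loaded by rc.d/ipfw's prestart.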
 
>Unformatted:
