From nobody@FreeBSD.org  Sun Jul 25 13:29:30 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B3C80106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Jul 2010 13:29:30 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id C832C8FC1A
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Jul 2010 13:29:30 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o6PDTUVO031770
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 Jul 2010 13:29:30 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o6PDTUEZ031768;
	Sun, 25 Jul 2010 13:29:30 GMT
	(envelope-from nobody)
Message-Id: <201007251329.o6PDTUEZ031768@www.freebsd.org>
Date: Sun, 25 Jul 2010 13:29:30 GMT
From: Fmyoen <fmyoen@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Problem with loading of ipfw NAT rules during system startup
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         148928
>Category:       kern
>Synopsis:       [ipfw] Problem with loading of ipfw NAT rules during system startup
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    hrs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 25 13:30:06 UTC 2010
>Closed-Date:    
>Last-Modified:  Thu Feb 16 12:10:10 UTC 2012
>Originator:     Fmyoen
>Release:        8.1-RELEASE
>Organization:
Fmyoen
>Environment:
FreeBSD ... 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:55:53 UTC 2010     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
It looks like during system startup (in some setups?) the ipdivert.ko kernel module loads later than the default /etc/rc.firewall script executes, and thus the script fails to properly add the NAT-related ipfw rules. In my case it was this rule:

  if [ -n "${natd_interface}" ]; then
    ${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
  fi

This results in:

  ipfw: getsockopt(IP_FW_ADD): Invalid argument

So after every reboot I have to manually run sh /etc/rc.firewall to flush and add the ipfw rules once again. I've got this problem on at least two of my PCs, and at least one other person has a similar problem, as reported here: http://www.opennet.ru/openforum/vsluhforumID3/69154.html#26.

Here are parts of my configuration files, although I doubt they will help:

rc.conf:

  ifconfig_vr1="dhcp"
  gateway_enable="YES"

  # IPFW
  firewall_enable="YES"
  firewall_type="OPEN"

  # NAT
  natd_program="/sbin/natd"
  natd_enable="YES"
  natd_interface="vr1"
  natd_flags="-m"

sysctl.conf:

  net.inet.ip.fw.one_pass=0
>How-To-Repeat:
Reboot PC.
>Fix:
echo 'ipdivert_load="YES"' >> /boot/loader.conf causes normal rule execution during startup.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Jul 25 17:48:11 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148928 

From: Thomas Sandford <freebsduser@paradisegreen.co.uk>
To: bug-followup@FreeBSD.org, fmyoen@gmail.com
Cc:  
Subject: Re: kern/148928: [ipfw] Problem with loading of ipfw NAT rules during
 system startup
Date: Sun, 12 Sep 2010 19:24:39 +0100

 The problem seems to be that ipdivert.ko is not loaded prior to the 
 /etc/rc.d/ipfw script being run.
 
 /etc/rc.d/natd _does_ load this module, so restarting the firewall after 
 the boot sequence is complete works.
 
 I've fixed this on my own system by adding
 === cut here 8<===
          if checkyesno natd_enable; then
                  required_modules="$required_modules ipdivert"
          fi
 === cut here 8<===
 at the end of the ipfw_prestart() function in /etc/rc.d/ipfw
 
 This appears to be a regression between the "out of the box" states for 
 8.0-RELEASE and 8.1-RELEASE.
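An added illustration, not code from this PR or from FreeBSD's /etc/rc.d/ipfw: a small POSIX sh model of how ipfw_prestart() assembles required_modules from the rc.conf knobs, including the natd_enable -> ipdivert line from Thomas Sandford's fix above, plus a preflight that counts divert rules (such as the rc.firewall rule quoted at the top of this PR) that would fail because ipdivert is not among the loaded modules. Assumptions: checkyesno is a simplified stand-in for the helper in /etc/rc.subr, the base list "ipfw" is taken as the script's default, and the loaded-module list is passed in as a plain string (on a real host it would come from kldstat) so the check runs offline.

```sh
#!/bin/sh
# Added example, not the FreeBSD rc.d/ipfw script itself.

# Minimal stand-in for rc.subr's checkyesno (assumption: same yes/no
# semantics, warnings on malformed values omitted).
checkyesno() {
    eval "_v=\${$1}"
    case "$_v" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Echo the module list ipfw_prestart would require for the given
# rc.conf state: $1 = firewall_nat_enable, $2 = natd_enable.
required_modules_for() {
    firewall_nat_enable="$1"
    natd_enable="$2"
    required_modules="ipfw"          # assumed default of the script
    # In-kernel NAT needs ipfw_nat (this part already exists in 8.1).
    if checkyesno firewall_nat_enable; then
        required_modules="$required_modules ipfw_nat"
    fi
    # The line the PR adds: userland natd relies on divert sockets, so
    # ipdivert must be in the kernel before rc.firewall can install
    # "add ... divert natd ..." rules.
    if checkyesno natd_enable; then
        required_modules="$required_modules ipdivert"
    fi
    echo "$required_modules"
}

# Preflight: $1 is a space-separated list of loaded modules, the rest
# are ipfw rule bodies.  Echo how many divert rules would be rejected
# with getsockopt(IP_FW_ADD): Invalid argument because ipdivert is absent.
divert_rules_without_ipdivert() {
    loaded="$1"; shift
    count=0
    for rule in "$@"; do
        case " $rule " in
        *" divert "*)
            case " $loaded " in
            *" ipdivert "*) ;;
            *) count=$((count + 1)) ;;
            esac ;;
        esac
    done
    echo "$count"
}

# Constructed sample: the PR's rc.conf (natd on, in-kernel NAT off) and
# the rc.firewall divert rule from the report.
required_modules_for NO YES
divert_rules_without_ipdivert "ipfw" \
    "add 50 divert natd ip4 from any to any via vr1" \
    "add 65000 allow ip from any to any"
```

With the PR's configuration the first call yields "ipfw ipdivert", which is exactly what makes the divert rule installable at prestart time; the second call reports one rule that would fail on a kernel where only ipfw is loaded.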
Responsible-Changed-From-To: freebsd-ipfw->hrs 
Responsible-Changed-By: hrs 
Responsible-Changed-When: Wed Jan 5 01:05:33 UTC 2011 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148928 

From: Mykola Dzham <i@levsha.me>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/148928: Problem with loading of ipfw NAT rules during
 system startup
Date: Thu, 16 Feb 2012 13:49:34 +0200

 --NMuMz9nt05w80d4+
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 The attached patch fixes the problem (the patch is the same as the solution
 from Thomas Sandford).
 
 -- 
 LEFT-(UANIC|RIPE)
 JID: levsha@jabber.net.ua
 PGP fingerprint: 1BCD 7C80 2E04 7282 C944  B0E0 7E67 619E 4E72 9280
 
 --NMuMz9nt05w80d4+
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="ipfw_natd.patch"
 Content-Transfer-Encoding: quoted-printable
 
 Index: etc/rc.d/ipfw
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- etc/rc.d/ipfw	(revision 231819)
 +++ etc/rc.d/ipfw	(working copy)
 @@ -31,6 +31,10 @@
  			required_modules=3D"$required_modules ipfw_nat"
  		fi
  	fi
 +
 +	if checkyesno natd_enable; then
 +		required_modules=3D"$required_modules ipdivert"
 +	fi
  }
 =20
  ipfw_start()
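 Review bot: the block added at the end of ipfw_prestart() keys the ipdivert dependency on natd_enable, but the rule that fails in the report (rc.firewall's "add 50 divert natd ip4 from any to any via ${natd_interface}") is emitted whenever natd_interface is non-empty, regardless of natd_enable. A host with natd_interface set but natd_enable="NO" (natd started some other way) would still hit getsockopt(IP_FW_ADD): Invalid argument at boot. Consider widening the condition, e.g. "if checkyesno natd_enable || [ -n "$natd_interface" ]; then", or state in the commit message that natd_enable is the supported knob and rc.firewall's natd_interface test is expected to follow it. Also note the attachment is quoted-printable encoded (=3D for "="), so it needs decoding before it applies cleanly.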
 
 --NMuMz9nt05w80d4+--
>Unformatted:
