REQ: ipfw NAT Support

[fsbruva]

Given the power of jails, it would be nice if the ipfw nat kernel module was included. This is the only workable way to allow multiple jails to live at a single address and all play nicely. By using ipfw nat rules, the host can act as a router between the physical network and the jailed network.

[alexey123]

NAS4free have ipfw.
You can configure static rules in tab Network|Firewall. Also work dynamic rules.
You can check

Code: Select all

# ipfw show

[fsbruva]

.... sigh.....

I didn't ask for ipfw. I asked to enable a specific kernel functionality to allow ipfw to carry out NAT within the kernel.

If you attempt to create a NAT rule using ipfw, you receive an error,

Code: Select all

kernel: IP_FW_NAT_GET_LOG: ipfw_nat not present, please load it

Attempts to enable NAT via rc.conf, by adding:

Code: Select all

firewall_enable="YES"
firewall_nat_enable="YES"

Results in the hilariously ironic set of messages during boot:

Code: Select all

ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rule-based forwarding disabled, default to accept, logging disabled
kldload: can't load ipfw_nat: No such file or directory
/etc/rc: WARNING: Unable to load kernel module ipfw_nat

Ascertaining the kernel options that the stock kernel was built with:

Code: Select all

sysctl -a | grep IPF
options	IPFIREWALL_DEFAULT_TO_ACCEPT
options	IPFIREWALL_VERBOSE_LIMIT=5
options	IPFIREWALL_VERBOSE
options	IPFIREWALL

Verified at: http://sourceforge.net/p/nas4free/code/ ... FREE-amd64

Here are the additional kernel modules needed to do kernel nat:

Code: Select all

options         IPDIVERT
   options         IPFIREWALL_FORWARD
   options         DUMMYNET
   options         IPFIREWALL_NAT          #ipfw kernel nat support
   options         LIBALIAS

Another option is to have those modules pre-built, included in the embedded image and available as part of the firewall config. I attempted this, but got a message about libalias depending on kernal : missing or mismatch.

[alexey123]

OK, I understand you now. And I subscribe to your request.
Also
PLS add any dhcp server.

[majortombelgium]

Hey,

Nas4free looks super ok to me, except, one thing => this NAT feature would really be useful: I also have a box with 2 network interfaces that i want to use to share my internet connection. So I think i need this too(masquerading)

[alexey123]

When I execute kldload ipfw_nat I receive if I put ipfw_nat into folder /boot/modules I receive

kldload: can't load /boot/modules/ipfw_nat.ko: No such file or directory

Ok, I execute dmesg and:

KLD ipfw_nat.ko: depends on libalias - not available or version mismatch

I copy libalias.ko into /boot/modules/ and WOW

Code: Select all

kldload /boot/modules/ipfw_nat.ko

# kldstat
Id Refs Address Size Name
1 29 0x80400000 1201b2c kernel
2 1 0x81602000 11f48 isboot.ko
3 1 0x868f8000 4000 ng_socket.ko
4 1 0x868fc000 b000 netgraph.ko
5 1 0x86a13000 2000 green_saver.ko
6 1 0x86a68000 4000 nullfs.ko
7 1 0x86f74000 175000 zfs.ko
8 1 0x870e9000 3000 opensolaris.ko
9 1 0x8724f000 8000 aio.ko
10 1 0x875f7000 4000 ipfw_nat.ko
11 1 0x875fb000 d000 libalias.ko

But I have to check - something strange is going on with memory

[raulfg3]

Given the power of jails, it would be nice if the ipfw nat kernel module was included. This is the only workable way to allow multiple jails to live at a single address and all play nicely. By using ipfw nat rules, the host can act as a router between the physical network and the jailed network.

+1