MFC the following revisions:

src/etc/defaults/rc.conf 1.323 src/etc/rc.firewall 1.54 src/share/man/man5/rc.conf.5 1.333 (by chinsan) Original log: Improve kernel NAT support in rc.firewall - Allow IP in firewall_nat_interface, just like natd_interface - Allow additional configuration parameters passed to ipfw via firewall_nat_flags - Document firewall_nat_* in defaults/rc.conf Tested by: Albert B. Wang <abwang at gmail.com> MFC after: 1 month
coollei · Feb 20, 2008 · 166e861 · 166e861
1 parent d887f43
commit 166e861
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
@@ -119,6 +119,9 @@ firewall_logdeny="NO"		# Set to YES to log default denied incoming
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
 				#  for which denied incoming packets are not
 				#  logged.
+firewall_nat_enable="NO"	# Enable kernel NAT (if firewall_enable == YES)
+firewall_nat_interface=""	# Public interface or IPaddress to use
+firewall_nat_flags=""		# Additional configuration parameters
 ip_portrange_first="NO"		# Set first dynamically allocated port
 ip_portrange_last="NO"		# Set last dynamically allocated port
 ike_enable="NO"			# Enable IKE daemon (usually racoon or isakmpd)

diff --git a/etc/rc.firewall b/etc/rc.firewall
@@ -131,7 +131,13 @@ case ${firewall_type} in
 	case ${firewall_nat_enable} in
 	[Yy][Ee][Ss])
 		if [ -n "${firewall_nat_interface}" ]; then
-			${fwcmd} nat 123 config if ${firewall_nat_interface} log
+			if echo "${firewall_nat_interface}" | \
+				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
+				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
+			else
+				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
+			fi
+			${fwcmd} nat 123 config log ${firewall_nat_flags}
 			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
 		fi
 		;;

diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd January 12, 2008
+.Dd January 23, 2008
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -485,6 +485,31 @@ specifies a filename.
 .Pq Vt str
 The IPv6 equivalent of
 .Va firewall_flags .
+.\" ----- firewall_nat_enable setting --------------------------------
+.It Va firewall_nat_enable
+.Pq Vt bool
+The
+.Xr ipfw 8
+equivalent of
+.Va natd_enable .
+Setting this to
+.Dq Li YES
+enables kernel NAT.
+.Va firewall_enable
+must also be set to
+.Dq Li YES .
+.It Va firewall_nat_interface
+.Pq Vt str
+The
+.Xr ipfw 8
+equivalent of
+.Va natd_interface .
+This is the name of the public interface or IP address on which
+kernel NAT should run.
+.It Va firewall_nat_flags
+.Pq Vt str
+Additional configuration parameters for kernel NAT should be placed here.
+.\" -------------------------------------------------------------------
 .It Va natd_program
 .Pq Vt str
 Path to