From 0db606a3b135b207a944e841f0142c30f4f43ceb Mon Sep 17 00:00:00 2001 From: piso Date: Fri, 29 Dec 2006 21:59:17 +0000 Subject: Summer of Code 2005: improve libalias - part 2 of 2 With the second (and last) part of my previous Summer of Code work, we get: -ipfw's in kernel nat -redirect_* and LSNAT support General information about nat syntax and some examples are available in the ipfw (8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to natd (8) man page. To enable in kernel nat in rc.conf, two options were added: o firewall_nat_enable: equivalent to natd_enable o firewall_nat_interface: equivalent to natd_interface Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased. NOTA BENE: due to some problems with libalias architecture, in kernel nat won't work with TSO enabled nic, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso). Approved by: glebius (mentor) --- etc/rc.firewall | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'etc/rc.firewall') diff --git a/etc/rc.firewall b/etc/rc.firewall index 132df9c..f569653 100644 --- a/etc/rc.firewall +++ b/etc/rc.firewall @@ -129,6 +129,14 @@ case ${firewall_type} in fi ;; esac + case ${firewall_nat_enable} in + [Yy][Ee][Ss]) + if [ -n "${firewall_nat_interface}" ]; then + ${fwcmd} nat 123 config if ${firewall_nat_interface} log + ${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface} + fi + ;; + esac esac ############ -- cgit v1.1
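Review bot: In the added `case ${firewall_nat_enable}` block, nothing guards against `natd_enable` being set at the same time, so with both enabled the script installs two rule-50 entries (the existing `divert natd` rule from the block just above and the new `nat 123` rule) and a packet via the interface would be handed to natd and then to the in-kernel instance. Consider making the two paths mutually exclusive (for example, skip the in-kernel rule when `natd_enable` is yes, or warn) or documenting in the comment block that only one should be set. The commit message also requires `net.inet.ip.fw.one_pass=0` for packets to continue through the ruleset after translation, but the hunk does not set or check that sysctl; since the default is 1, a `client` firewall would pass translated packets at rule 50 without reaching the later rules unless the administrator remembers the manual step, so either set it here when the nat rule is installed or state the dependency in a comment next to the new lines. Minor: the instance number `123`, the rule number `50` and the always-on `log` option are hard-coded with no rc.conf knob, which mirrors the natd block but makes the logging behaviour impossible to turn off without editing this file.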