Changeset 17235d6

Timestamp:

Apr 15, 2013 1:06:48 PM (5 weeks ago)

Author:

Kris Moore <kris@…>

Branches:

master, 9.1-release

Children:

8901c47

Parents:

4d2a365

Message:

Merge changes from John Hixson and FreeNAS work

Location:

src-sh/warden

Files:

• bin/warden (modified) (6 diffs)
• conf/warden.conf (modified) (1 diff)
• pluginjail-packages (added)
• scripts/backend/createjail.sh (modified) (11 diffs)
• scripts/backend/functions.sh (modified) (8 diffs)
• scripts/backend/startjail.sh (modified) (7 diffs)

src-sh/warden/bin/warden

@@ -92 +92 @@
 defaultrouter-ipv4: Lets you see the default IPv4 router for this jail
 defaultrouter-ipv6: Lets you see the default IPv6 router for this jail
-        flags: Lets you see additional flags to pass to the 'jail' command at startup
+             flags: Lets you see additional flags to pass to the 'jail' command at startup
 
 Usage:
@@ -127 +127 @@
 defaultrouter-ipv4: Lets you set the default IPv4 router for this jail
 defaultrouter-ipv6: Lets you set the default IPv6 router for this jail
-             flags: Lets you set additional flags to pass to the 'jail' command at startup
+        flags: Lets you set additional flags to pass to the 'jail' command at startup
 
 Usage:
@@ -806 +806 @@
           ${PROGDIR}/bin/warden-gui ;;
 
-    list) require_root 
-          shift
-          ${PROGDIR}/scripts/backend/listjails.sh $* ;;
+    list) require_root
+        shift
+        ${PROGDIR}/scripts/backend/listjails.sh $* ;;
     
    start) require_root
@@ -1037 +1037 @@
          IP4="OFF"
          IP6="OFF"
-         SOURCE="NO"
+         SRC="NO"
          PORTS="NO"
-         STARTUP="NO"
+         AUTOSTART="NO"
          VANILLA="NO"
          VERSION=
@@ -1055 +1055 @@
                           ;;
 
-             --src) SOURCE="YES" ;;
+             --src) SRC="YES" ;;
              --ports) PORTS="YES" ;;
-             --startauto) STARTUP="YES" ;;
+             --startauto) AUTOSTART="YES" ;;
              --vanilla) VANILLA="YES" ;;
              --portjail) JAILTYPE="portjail" ;;
-             --pluginjail) JAILTYPE="pluginjail" ;; 
+             --pluginjail) JAILTYPE="pluginjail" ; VANILLA="YES" ;; 
              --linuxjail) JAILTYPE="linuxjail" ; shift
                           if [ -z "$1" ] ; then exit_err "No linux setup script specified!"; fi
@@ -1108 +1108 @@
           export IP4
           export IP6
-          export SOURCE 
+          export SRC
           export PORTS
-          export STARTUP
+          export AUTOSTART
           export JAILTYPE
           export ARCHIVE_FILE

src-sh/warden/conf/warden.conf

@@ -11 +11 @@
 # Location of the jails
 JDIR: /usr/jails
+
+# FreeBSD release to use
+FREEBSD_RELEASE: 9.1-RELEASE

src-sh/warden/scripts/backend/createjail.sh

@@ -23 +23 @@
   fi
 
-  if [ "$STARTUP" = "YES" ] ; then
+  if [ "$AUTOSTART" = "YES" ] ; then
     touch "${JMETADIR}/autostart"
   fi
@@ -69 +69 @@
 
   # If we are auto-starting the jail, do it now
-  if [ "$STARTUP" = "YES" ] ; then warden start ${JAILNAME} ; fi
+  if [ "$AUTOSTART" = "YES" ] ; then warden start ${JAILNAME} ; fi
 
   echo "Success! Linux jail created at ${JAILDIR}"
@@ -87 +87 @@
 esac
 
-if [ -z "${VERSION}" -a -e "/etc/version" ] ; then VERSION=`cat /etc/version`; fi
-
 # Location of the chroot environment
 isDirZFS "${JDIR}"
 if [ $? -eq 0 ] ; then
-  if [ "${PLUGINJAIL}" = "YES" ] ; then
-    WORLDCHROOT="${JDIR}/.warden-pj-chroot-${ARCH}"
-  else
-    WORLDCHROOT="${JDIR}/.warden-chroot-${ARCH}"
-  fi
-  export WORLDCHROOT
+  WORLDCHROOT_PLUGINJAIL="${JDIR}/.warden-pj-chroot-${ARCH}"
+  WORLDCHROOT_STANDARD="${JDIR}/.warden-chroot-${ARCH}"
 else
-  if [ "${PLUGINJAIL}" = "YES" ] ; then
-    WORLDCHROOT="${JDIR}/.warden-pj-chroot-${ARCH}.tbz"
-  else
-    WORLDCHROOT="${JDIR}/.warden-chroot-${ARCH}.tbz"
-  fi
-  export WORLDCHROOT
-fi
+  WORLDCHROOT_PLUGINJAIL="${JDIR}/.warden-pj-chroot-${ARCH}.tbz"
+  WORLDCHROOT_STANDARD="${JDIR}/.warden-chroot-${ARCH}.tbz"
+fi
+if [ "${PLUGINJAIL}" = "YES" ] ; then
+  WORLDCHROOT="${WORLDCHROOT_PLUGINJAIL}"
+else
+  WORLDCHROOT="${WORLDCHROOT_STANDARD}"
+fi
+export WORLDCHROOT WORLDCHROOT_PLUGINJAIL WORLDCHROOT_STANDARD
 
 if [ "${IP4}" != "OFF" ] ; then
@@ -118 +114 @@
   IP6="${JIP}"
   MASK6="${JMASK}"
-  if [ -z "$MASK4" ] ; then MASK6="64"; fi
+  if [ -z "$MASK6" ] ; then MASK6="64"; fi
 fi
 
@@ -126 +122 @@
 fi
 
-if [ -z "${HOST}" -o -z "$SOURCE" -o -z "${PORTS}" -o -z "${STARTUP}" ] 
-then
-  if [ -z "$HOST" ] ; then
-     echo "ERROR: Missing hostname!"
-  else
-     echo "ERROR: Missing required data!"
-  fi
-
-  exit 6
+if [ -z "$HOST" ] ; then
+   echo "ERROR: Missing hostname!"
+   exit 6
 fi
 
@@ -168 +158 @@
 
 # Check if we need to download the chroot file
+
+#
+# If this is a pluginjail, we clone a regular freebsd chroot, then we
+# bootstrap packageng, install the required packages that a pluginjail
+# needs, then snapshot it. Once this is done, creating a pluginjail is
+# as easy as doing a zfs clone.
+#
 if [ "${PLUGINJAIL}" = "YES" -a ! -e "${WORLDCHROOT}" ] ; then
-  downloadpluginjail "${VERSION}"
+  if [ ! -e "${WORLDCHROOT_STANDARD}" ] ; then
+    downloadchroot "${WORLDCHROOT_STANDARD}"
+  fi
+
+  isDirZFS "${JDIR}"
+  if [ $? -eq 0 ] ; then
+    tank=`getZFSTank "$JDIR"`
+    zfsp=`getZFSRelativePath "${WORLDCHROOT_STANDARD}"`
+    clonep="/$(basename ${WORLDCHROOT_PLUGINJAIL})"
+
+    mnt=`getZFSMountpoint ${tank}`
+    pjdir="${mnt}${clonep}"
+
+    zfs clone ${tank}${zfsp}@clean ${tank}${clonep}
+    if [ $? -ne 0 ] ; then exit_err "Failed creating clean ZFS pluginjail clone"; fi
+
+    cp /etc/resolv.conf ${pjdir}/etc/resolv.conf
+
+    bootstrap_pkgng "${pjdir}" "pluginjail"
+
+    zfs snapshot ${tank}${clonep}@clean
+    if [ $? -ne 0 ] ; then exit_err "Failed creating clean ZFS pluginjail snapshot"; fi
+
+  # We're on UFS :-(
+  else
+    downloadchroot "${WORLDCHROOT_STANDARD}"
+
+  fi
 
 elif [ ! -e "${WORLDCHROOT}" -a "${LINUXJAIL}" != "YES" ] ; then
-  downloadchroot
+  downloadchroot "${WORLDCHROOT}"
 fi
 
@@ -212 +236 @@
      tar xvf ${WORLDCHROOT} -C "${JAILDIR}" 2>/dev/null
    fi
+
+   # If this is a pluginjail on UFS :-( Do things the hard way.
+   if [ "${PLUGINJAIL}" = "YES" ] ; then
+     bootstrap_pkgng "${pjdir}" "pluginjail"
+   fi
+
    echo "Done"
 fi
@@ -286 +316 @@
 
   if [ "${IP4}" != "OFF" ] ; then
-    echo "${IP4}                        ${HOST}" > "${JAILDIR}/etc/hosts"
+    echo "${IP4}                        ${HOST}" >> "${JAILDIR}/etc/hosts"
   fi
   if [ "${IP6}" != "OFF" ] ; then
-    echo "${IP6}                        ${HOST}" > "${JAILDIR}/etc/hosts"
+    echo "${IP6}                        ${HOST}" >> "${JAILDIR}/etc/hosts"
     sed -i '' "s|#ListenAddress ::|ListenAddress ${IP6}|g" ${JAILDIR}/etc/ssh/sshd_config
   fi
@@ -298 +328 @@
 fi # End of ARCHIVEFILE check
 
-if [ "$STARTUP" = "YES" ] ; then
+if [ "$AUTOSTART" = "YES" ] ; then
   touch "${JMETADIR}/autostart"
 fi
@@ -314 +344 @@
   bootstrap_pkgng "${JAILDIR}"
   if [ $? -ne 0 ] ; then
-     echo "You can manually re-try by running # warden bspkgng ${IP}"
+     echo "You can manually re-try by running # warden bspkgng ${JAILNAME}"
   fi
 fi
@@ -332 +362 @@
 
 # If we are auto-starting the jail, do it now
-if [ "$STARTUP" = "YES" ] ; then warden start ${JAILNAME} ; fi
+if [ "$AUTOSTART" = "YES" ] ; then warden start ${JAILNAME} ; fi
 
 echo "Success!"

src-sh/warden/scripts/backend/functions.sh

@@ -32 +32 @@
 WTMP="$(grep ^WTMP: /usr/local/etc/warden.conf | cut -d' ' -f2)"
 export WTMP
+
+# FreeBSD release
+FREEBSD_RELEASE="$(grep ^FREEBSD_RELEASE: /usr/local/etc/warden.conf | cut -d' ' -f2)"
+if [ -z "${FREEBSD_RELEASE}" ] ; then
+  FREEBSD_RELEASE="$(uname -r)"
+fi
+export UNAME_r="${FREEBSD_RELEASE}"
 
 # Temp file for dialog responses
@@ -110 +117 @@
 ### Download the chroot
 downloadchroot() {
+  local CHROOT="${1}"
+
   # XXX If this is PCBSD, pbreg get /PC-BSD/Version
-  SYSVER=`uname -r | cut -f1 -d'-'`
-  FBSD_TARBALL="fbsd-release.tbz"
+  SYSVER="$(echo "$(uname -r)" | cut -f1 -d'-')"
+  FBSD_TARBALL="fbsd-release.txz"
   FBSD_TARBALL_CKSUM="${FBSD_TARBALL}.md5"
 
@@ -143 +152 @@
   isDirZFS "${JDIR}"
   if [ $? -eq 0 ] ; then
-    local zfsp=`getZFSRelativePath "${WORLDCHROOT}"`
+    local zfsp=`getZFSRelativePath "${CHROOT}"`
 
     # Use ZFS base for cloning
-    echo "Creating ZFS ${WORLDCHROOT} dataset..."
+    echo "Creating ZFS ${CHROOT} dataset..."
     tank=`getZFSTank "${JDIR}"`
-    isDirZFS "${WORLDCHROOT}" "1"
+    isDirZFS "${CHROOT}" "1"
     if [ $? -ne 0 ] ; then
        zfs create -o mountpoint=/${tank}${zfsp} -p ${tank}${zfsp}
@@ -154 +163 @@
     fi
 
-    tar xvpf ${FBSD_TARBALL} -C ${WORLDCHROOT} 2>/dev/null
+    tar xvpf ${FBSD_TARBALL} -C ${CHROOT} 2>/dev/null
     if [ $? -ne 0 ] ; then exit_err "Failed extracting ZFS chroot environment"; fi
 
@@ -162 +171 @@
   else
     # Save the chroot tarball
-    mv ${FBSD_TARBALL} ${WORLDCHROOT}
+    mv ${FBSD_TARBALL} ${CHROOT}
   fi
   rm ${FBSD_TARBALL_CKSUM}
@@ -695 +704 @@
 }
 
+install_pc_extractoverlay()
+{
+  if [ -z "${1}" ] ; then
+    return 1 
+  fi 
+
+  mkdir -p ${1}/usr/local/bin
+  mkdir -p ${1}/usr/local/share/pcbsd/conf
+  mkdir -p ${1}/usr/local/share/pcbsd/distfiles
+
+  cp /usr/local/bin/pc-extractoverlay ${1}/usr/local/bin/
+  chmod 755 ${1}/usr/local/bin/pc-extractoverlay
+
+  cp /usr/local/share/pcbsd/conf/server-excludes \
+    ${1}/usr/local/share/pcbsd/conf
+  cp /usr/local/share/pcbsd/distfiles/server-overlay.txz \
+    ${1}/usr/local/share/pcbsd/distfiles
+
+  return 0
+}
+
+make_bootstrap_pkgng_file_standard()
+{
+  local jaildir="${1}"
+  local outfile="${2}"
+
+  local release="$(uname -r)"
+  local arch="$(uname -m)"
+
+  get_mirror
+  local mirror="${VAL}"
+
+cat<<__EOF__>"${outfile}"
+#!/bin/sh
+tar xvf pkg.txz --exclude +MANIFEST --exclude +MTREE_DIRS 2>/dev/null
+pkg add pkg.txz
+rm pkg.txz
+
+echo "packagesite: ${mirror}/packages/${release}/${arch}" >/usr/local/etc/pkg.conf
+echo "HTTP_MIRROR: http" >>/usr/local/etc/pkg.conf
+echo "PUBKEY: /usr/local/etc/pkg-pubkey.cert" >>/usr/local/etc/pkg.conf
+echo "PKG_CACHEDIR: /usr/local/tmp" >>/usr/local/etc/pkg.conf
+pkg install -y pcbsd-utils
+exit $?
+__EOF__
+}
+
+make_bootstrap_pkgng_file_pluginjail()
+{
+
+  local jaildir="${1}"
+  local outfile="${2}"
+
+  local release="$(uname -r)"
+  local arch="$(uname -m)"
+
+  get_mirror
+  local mirror="${VAL}"
+
+  cp /usr/local/share/warden/pluginjail-packages "${jaildir}/pluginjail-packages"
+
+cat<<__EOF__>"${outfile}"
+#!/bin/sh
+tar xvf pkg.txz --exclude +MANIFEST --exclude +MTREE_DIRS 2>/dev/null
+pkg add pkg.txz
+rm pkg.txz
+
+mount -t devfs devfs /dev
+
+echo "packagesite: ${mirror}/packages/${release}/${arch}" >/usr/local/etc/pkg.conf
+echo "HTTP_MIRROR: http" >>/usr/local/etc/pkg.conf
+echo "PUBKEY: /usr/local/etc/pkg-pubkey.cert" >>/usr/local/etc/pkg.conf
+echo "PKG_CACHEDIR: /usr/local/tmp" >>/usr/local/etc/pkg.conf
+pkg install -y pcbsd-utils
+__EOF__
+
+echo '
+i=0
+count=`wc -l /pluginjail-packages| awk "{ print $1 }"`
+for p in `cat /pluginjail-packages`
+do
+  pkg install -y ${p}
+  : $(( i += 1 ))
+done
+
+umount devfs
+exit $?
+' >> "${outfile}"
+}
+
+
 bootstrap_pkgng()
 {
-  cd ${1} 
-  SYSVER="$(uname -r)"
+  local jaildir="${1}"
+  local jailtype="${2}"
+  if [ -z "${jailtype}" ] ; then
+    jailtype="standard"
+  fi
+  local release="$(uname -r)"
+  local arch="$(uname -m)"
+
+  local ffunc="make_bootstrap_pkgng_file_standard"
+  if [ "${jailtype}" = "pluginjail" ] ; then
+    ffunc="make_bootstrap_pkgng_file_pluginjail"
+  fi
+
+  cd ${jaildir} 
   echo "Boot-strapping pkgng"
-  mkdir -p ${1}/usr/local/etc
-  cp /usr/local/etc/pkg-pubkey.cert ${1}/usr/local/etc/
-  if [ $? -ne 0 ] ; then
-     echo "Failed copying /usr/local/etc/pkg-pubkey.cert"
-  fi
-
-  echo '#!/bin/sh
-  tar xvf pkg.txz --exclude +MANIFEST --exclude +MTREE_DIRS 2>/dev/null
-  pkg add pkg.txz
-  rm pkg.txz
-  ARCH=$(uname -m)
-  REL=$(uname -r)
-  echo "packagesite: http://ftp.pcbsd.org/pub/mirror/packages/$REL/$ARCH" >/usr/local/etc/pkg.conf
-  echo "PUBKEY: /usr/local/etc/pkg-pubkey.cert" >>/usr/local/etc/pkg.conf
-  echo "PKG_CACHEDIR: /usr/local/tmp" >>/usr/local/etc/pkg.conf
-  pkg install -y pcbsd-utils
-  exit $?
-' > ${1}/bootstrap-pkgng
-  chmod 755 ${1}/bootstrap-pkgng
+
+  mkdir -p ${jaildir}/usr/local/etc
+  pubcert="/usr/local/etc/pkg-pubkey.cert"
+
+  cp "${pubcert}" ${jaildir}/usr/local/etc
+  install_pc_extractoverlay "${jaildir}"
+
+  ${ffunc} "${jaildir}" "${jaildir}/bootstrap-pkgng"
+  chmod 755 "${jaildir}/bootstrap-pkgng"
 
   if [ -e "pkg.txz" ] ; then rm pkg.txz ; fi
-  get_file_from_mirrors "/packages/${SYSVER}/${ARCH}/Latest/pkg.txz" "pkg.txz"
+  get_file_from_mirrors "/packages/${release}/${arch}/Latest/pkg.txz" "pkg.txz"
   if [ $? -eq 0 ] ; then
-    chroot ${1} /bootstrap-pkgng
+    chroot ${jaildir} /bootstrap-pkgng
     if [ $? -eq 0 ] ; then
-      rm ${1}/bootstrap-pkgng
-      chroot ${1} pc-extractoverlay server --sysinit
+      rm -f "${jaildir}/bootstrap-pkgng"
+      rm -f "${jaildir}/pluginjail-packages"
+      chroot ${jaildir} pc-extractoverlay server --sysinit
       return 0
     fi
   fi
+
   echo "Failed boot-strapping PKGNG, most likely cause is internet connection failure."
-  rm ${1}/bootstrap-pkgng
+  rm -f "${jaildir}/bootstrap-pkgng"
+  rm -f "${jaildir}/pluginjail-packages"
   return 1
 }
@@ -746 +851 @@
 
    ${jexec} ifconfig "${iface}" | grep -qw inet 2>/dev/null
+   return $?
+}
+
+ipv4_address_configured()
+{
+   local iface="${1}"
+   local addr="${2}"
+   local jid="${3}"
+   local jexec= 
+
+   addr="$(echo ${addr}|cut -f1 -d'/')"
+
+   if [ -n "${jid}" ] ; then
+      jexec="jexec ${jid}"
+   fi
+
+   ${jexec} ifconfig "${iface}" | \
+      grep -w inet | \
+      awk '{ print $2 }' | \
+      grep -Ew "^${addr}" >/dev/null 2>&1
+   return $?
 }
 
@@ -759 +885 @@
 
    ${jexec} ifconfig "${iface}" | grep -qw inet6 2>/dev/null
-}
+   return $?
+}
+
+ipv6_address_configured()
+{
+   local iface="${1}"
+   local addr="${2}"
+   local jid="${3}"
+   local jexec= 
+
+   addr="$(echo ${addr}|cut -f1 -d'/')"
+
+   if [ -n "${jid}" ] ; then
+      jexec="jexec ${jid}"
+   fi
+
+   ${jexec} ifconfig "${iface}" | \
+      grep -w inet6 | \
+      awk '{ print $2 }' | \
+      grep -Ew "^${addr}" >/dev/null 2>&1
+   return $?
+}
+
+get_ipfw_nat_instance()
+{
+   local iface="${1}"
+   local res=1
+
+   if [ -z "${iface}" ] ; then
+      local instance="`ipfw list|egrep '[0-9]+ nat'|awk '{ print $3 }'|tail -1`"
+      if [ -z "${instance}" ] ; then
+         instance="100"
+      else                
+         : $(( instance += 100 )) 
+      fi
+      echo "${instance}"
+      return 0
+   fi
+
+   for ni in `ipfw list|egrep '[0-9]+ nat'|awk '{ print $3 }'`
+   do
+      ipfw nat "${ni}" show config|egrep -qw "${iface}"
+      if [ "$?" = "0" ] ; then
+         echo "${ni}"
+         res=0
+         break
+      fi
+   done
+
+   return ${res}
+}
+
+get_ipfw_nat_priority()
+{
+   local iface="${1}"
+   local res=1
+
+   if [ -z "${iface}" ] ; then
+      local priority="`ipfw list|egrep '[0-9]+ nat'|awk '{ print $1 }'|tail -1`"
+      if [ -z "${priority}" ] ; then
+         priority=2000
+      fi
+      printf "%05d\n" "${priority}"
+      return 0
+   fi
+
+   local IFS='
+'
+   for rule in `ipfw list|egrep '[0-9]+ nat'`
+   do
+      local priority="`echo "${rule}"|awk '{ print $1 }'`"
+      local ni="`echo "${rule}"|awk '{ print $3 }'`"
+
+      ipfw nat "${ni}" show config|egrep -qw "${iface}"
+      if [ "$?" = "0" ] ; then
+         echo "${priority}"
+         res=0
+         break
+      fi
+   done
+
+   return ${res}
+}
+

src-sh/warden/scripts/backend/startjail.sh

@@ -208 +208 @@
    if ! ipv4_configured "${BRIDGE}" ; then
       ifconfig ${BRIDGE} inet "${BRIDGEIP4}"
-   else
+
+   elif ! ipv4_address_configured "${BRIDGE}" "${BRIDGEIP4}" ; then
       ifconfig ${BRIDGE} inet alias "${BRIDGEIP4}"
    fi
@@ -215 +216 @@
    for _ip in ${BRIDGEIPS4}
    do
-      ifconfig ${BRIDGE} inet alias "${_ip}"
+      if ! ipv4_address_configured "${BRIDGE}" "${_ip}" ; then
+         ifconfig ${BRIDGE} inet alias "${_ip}"
+      fi 
    done
 fi
@@ -222 +225 @@
    if ! ipv6_configured "${BRIDGE}" ; then
       ifconfig ${BRIDGE} inet6 "${BRIDGEIP6}"
-   else
+
+   elif ! ipv6_address_configured "${BRIDGE}" "${BRIDGEIP6}" ; then
       ifconfig ${BRIDGE} inet6 alias "${BRIDGEIP6}"
    fi
@@ -229 +233 @@
    for _ip in ${BRIDGEIPS6}
    do
-      ifconfig ${BRIDGE} inet6 alias "${_ip}"
+      if ! ipv6_address_configured "${BRIDGE}" "${_ip}" ; then
+         ifconfig ${BRIDGE} inet6 alias "${_ip}"
+      fi
    done
 fi
@@ -261 +267 @@
    ipv4_configured ${EPAIRB} ${JID}
    if [ "$?" = "0" ] ; then
-      jexec ${JID} ifconfig ${EPAIRB} inet alias ${ip4}
+      if ! ipv4_address_configured "${EPAIRB}" "${ip4}" "${JID}" ; then
+         jexec ${JID} ifconfig ${EPAIRB} inet alias ${ip4}
+      fi
    else
       jexec ${JID} ifconfig ${EPAIRB} inet ${ip4}
@@ -275 +283 @@
    ipv6_configured ${EPAIRB} ${JID}
    if [ "$?" = "0" ] ; then
-      jexec ${JID} ifconfig ${EPAIRB} inet6 alias ${ip6}
+      if ! ipv6_address_configured "${EPAIRB}" "${ip6}" "${JID}" ; then
+         jexec ${JID} ifconfig ${EPAIRB} inet6 alias ${ip6}
+      fi
    else
       jexec ${JID} ifconfig ${EPAIRB} inet6 ${ip6}
@@ -316 +326 @@
 # with VIMAGE.
 #
-sysctl net.inet.ip.forwarding=1
-sysctl net.inet6.ip6.forwarding=1
-
-tmp_rcconf=`mktemp /tmp/.wdn.XXXXXX`
-
-egrep -v '^(firewall_(enable|type)|natd_(enable|interface|flags))' \
-   /etc/rc.conf >> "${tmp_rcconf}"
-cat<<__EOF__>>"${tmp_rcconf}"
+ip_forwarding=`sysctl -n net.inet.ip.forwarding`
+if [ "${ip_forwarding}" = "0" ] ; then
+   sysctl net.inet.ip.forwarding=1
+fi
+
+ip6_forwarding=`sysctl -n net.inet6.ip6.forwarding`
+if [ "${ip6_forwarding}" = "0" ] ; then
+   sysctl net.inet6.ip6.forwarding=1
+fi
+
+firewall_enable=`egrep '^firewall_enable' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g'`
+firewall_type=`egrep '^firewall_type' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g'`
+
+if [ "${firewall_enable}" != "YES" -o "${firewall_type}" != "open" ] ; then
+   tmp_rcconf=`mktemp /tmp/.wdn.XXXXXX`
+   egrep -v '^firewall_(enable|type)' /etc/rc.conf >> "${tmp_rcconf}"
+
+   cat<<__EOF__>>"${tmp_rcconf}"
 firewall_enable="YES"
 firewall_type="open"
-natd_enable="YES"
-natd_interface="${IFACE}"
-natd_flags="-dynamic -m"
 __EOF__
-if [ -s "${tmp_rcconf}" ] ; then
-   cp /etc/rc.conf /var/tmp/rc.conf.bak
-   mv "${tmp_rcconf}" /etc/rc.conf
-   if [ "$?" != "0" ] ; then
-      mv /var/tmp/rc.conf.bak /etc/rc.conf
-   fi
-fi
-
-ipfw list | grep -Eq '^00500 divert' 2>/dev/null
-if [ "$?" != "0" ] ; then
-   /etc/rc.d/ipfw restart
-   ipfw -q add 00050 divert 8668 ip4 from any to any via ${IFACE}
+
+   if [ -s "${tmp_rcconf}" ] ; then
+      cp /etc/rc.conf /var/tmp/rc.conf.bak
+      mv "${tmp_rcconf}" /etc/rc.conf
+      if [ "$?" != "0" ] ; then
+         mv /var/tmp/rc.conf.bak /etc/rc.conf
+      fi
+   fi
+   /etc/rc.d/ipfw forcerestart
+fi
+
+instance=`get_ipfw_nat_instance "${IFACE}"`
+if [ -z "${instance}" ] ; then
+echo "NAT IS NULL"
+   priority=`get_ipfw_nat_priority`
+   instance=`get_ipfw_nat_instance`
+
+   ipfw "${priority}" add nat "${instance}" all from any to any
+   ipfw nat "${instance}" config if "${IFACE}" reset
 fi