From: Franco Fichtner
To: freebsd-ipfw@freebsd.org
Subject: ipfw forward in cooperative mode with pf
Date: Sat, 1 Oct 2016 12:38:26 +0200
Message-Id: <32FC1AF7-CE44-4A20-8EA1-ED22CBDADD0B@lastsummer.de>

Hi,

I'm working on making pf and ipfw work more closely together in the pfil hooks.
This requires pf making use of the PACKET_TAG_IPFORWARD as a second caller, but ipfw code needs to be tightened slightly in order to make it cooperative:

https://reviews.freebsd.org/D8109

The grand scheme of things is that using pf -> ipfw in the pfil in hook makes pf blackhole packets when using route-to and friends, because pf skips ahead to if_output with code copied from ip_output(). The packets never arrive in ipfw, where they can't be forwarded (or even dropped).

I don't have a reviewer / committer for this at the moment, so all help and questions are welcome.

Cheers,
Franco