From: Алексей Гуськов (Alexey Guskov) <adg@a-real.ru>
To: freebsd-pf@freebsd.org
Date: Mon, 05 Jul 2010 15:26:07 +0400
Message-ID: <4C31C14F.9090001@a-real.ru>
Subject: pf route-to breaks pfil processing order

Hello everyone.

Here's the problem: I need to forward some outgoing traffic to some local service. Traffic goes from my machine, not from the local network, so I cannot use a pf rdr rule, because it handles only incoming traffic. So, I'm using an ipfw fwd rule for that:

    # ipfw add 100 fwd 192.168.1.1,3127 ip from me to any 80 out

Here I redirect all outgoing traffic to another local proxy. (Nope, I cannot use a parent proxy.)

Everything is fine and works OK until I turn on pf and create a route-to rule:

    pass out on le0 route-to (le0 192.168.1.254) from any to yandex.ru

Besides, I'm using dummynet pipes for traffic shaping, so I need ipfw to process incoming packets before pf (and after pf for outgoing packets):

    # ipfw disable firewall
    # ipfw enable firewall

So, the problem goes here. Here's the path of the outgoing packet inside the kernel:

    ip_output() -> ... -> pfil_run_hooks() -> ... -> pf_test()

pf_test() checks the packet, searches for state, etc. Finally it checks if the packet should be redirected by the "route-to", "reply-to" or "dup-to" options.

pf.c, line 7125, pf_test():
------
    if (r->rt)
        /* pf_route can free the mbuf causing *m0 to become NULL */
        pf_route(m0, r, dir, ifp, s, &pd);
------

pf_route() itself performs some routing actions, rewrites the nexthop and the interface, and (sic!) sends the packet _directly_ to the specified interface:

pf.c, line 6239, pf_route():
----
    PF_UNLOCK();
    error = (*ifp->if_output)(ifp, m0, sintosa(dst), ro->ro_rt);
    PF_LOCK();
----

The original packet is deleted as if it had been blocked by the firewall. So, any packet that is processed by pf_route() would not then be processed by ipfw, would not be diverted into pipes, etc. (actually, I believe it wouldn't be processed by altq either). For example, in my case the TCP connection wouldn't be redirected by ipfw.

So, here are the questions:

1) For what purpose does pf_route() invoke if_output by itself?
2) Why can't rewritten packets be left intact so they would be normally processed by ipfw, altq, etc. and sent to interfaces by ip_output()?

I'm asking that because when ipfw redirects packets they are processed this way and nothing bad happens.

Thanks

-- 
Alexey Guskov
Areal company