Date: Tue, 05 Dec 2006 03:22:15 +0200
From: Cristian KLEIN <cristi@net.utcluj.ro>
To: freebsd-ipfw@freebsd.org
Subject: IPFW + dummynet + other firewall
Message-ID: <4574C9C7.3030807@net.utcluj.ro>
Hello everybody,

I sure hope this is relevant for the list. I have been using IPFW and PF in FreeBSD 5.4 for some time, because I like PF's NAT and ftp-proxy, but I can't live without pipes. While giving me joy, this combination also results in some strange behaviour.

In the default configuration (i.e. firewall_enable and pf_enable="YES" in rc.conf) ipfw loads first and pf last, which has the great advantage of seeing untranslated packets in ipfw. When combining ipfw + dummynet + pf, some strange behaviour occurs, due to the fact that dummynet reinjects the packets into ip_input(). The path of incoming packets looks like this:

wire -> pf -> ipfw -> dummynet -> pf -> ipfw -> kernel

1) rdr rules to localhost (required for ftp-proxy etc.) which go through pipes fail, because ip_input() drops 127/8.
2) pass log rules make packets appear twice on pflog.

Other issues may exist.

I believe that the single solution would be something like in the pre-PFIL times, when ip_input() contained a jump directly to ipfw, and the packet was processed from where it left. However, this is pretty hard to implement in PFIL.

Any ideas?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4574C9C7.3030807>
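The double traversal described in the message above, as an added illustration that is not part of the original post and not FreeBSD code: a small Python model of the inbound path (ip_input -> pf -> ipfw -> dummynet -> ip_input -> pf -> ipfw). The one structural fact it relies on is that ip_input() of that era rejected 127/8 addresses arriving on a non-loopback interface before running the pfil hooks; the rdr table, the piped ports, the addresses and the "resume in ipfw" mode (the pre-PFIL style behaviour the poster wishes for) are constructed assumptions for the example.

```python
"""
Toy model of the inbound path described in the post (FreeBSD 5.x, ipfw + dummynet + pf):

    wire -> ip_input() -> pf -> ipfw -> dummynet -> ip_input() -> pf -> ipfw -> upper layers

Added example, not code from the post or from FreeBSD.  Rule sets, ports and
addresses are constructed; only the ordering "127/8 sanity check before the
pfil hooks" is taken from ip_input() of that era.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    rcvif_is_loopback: bool = False              # True only for packets received on lo0
    dn_tag: bool = False                         # dummynet tag: packet already passed a pipe
    pflog: list = field(default_factory=list)    # records written by a "pass log" rule
    trace: list = field(default_factory=list)    # where the packet went, in order


def in_loopback_net(ip: str) -> bool:
    return ip.split(".")[0] == "127"


# pf side: an ftp-proxy style rdr to localhost plus a "pass log" rule (constructed)
PF_RDR = {21: ("127.0.0.1", 8021)}


def pf_hook(pkt: Packet) -> str:
    rdr = PF_RDR.get(pkt.dport)
    if rdr and not in_loopback_net(pkt.dst):
        pkt.dst, pkt.dport = rdr
        pkt.trace.append(f"pf: rdr -> {pkt.dst}:{pkt.dport}")
    # a "pass log" rule writes a pflog record on every traversal of the hook
    pkt.pflog.append(f"pass in {pkt.src} -> {pkt.dst}:{pkt.dport}")
    pkt.trace.append("pf: pass log")
    return "PASS"


# ipfw side: traffic to these ports goes through a dummynet pipe (constructed)
PIPE_PORTS = {8021, 80}


def ipfw_hook(pkt: Packet) -> str:
    # ipfw does not send a packet that already carries the dummynet tag through the pipe again
    if pkt.dport in PIPE_PORTS and not pkt.dn_tag:
        pkt.trace.append("ipfw: pipe")
        return "PIPE"
    pkt.trace.append("ipfw: allow")
    return "PASS"


def ip_input(pkt: Packet, resume_in_ipfw: bool = False) -> str:
    """Return the final verdict for the packet: DELIVER or DROP."""
    if not (resume_in_ipfw and pkt.dn_tag):
        # The sanity check precedes the pfil hooks, so a reinjected packet that pf
        # already rewrote to 127/8 is rejected here (symptom 1 in the post).
        if (in_loopback_net(pkt.dst) or in_loopback_net(pkt.src)) and not pkt.rcvif_is_loopback:
            pkt.trace.append("ip_input: drop, 127/8 on non-loopback interface")
            return "DROP"
        hooks = [pf_hook, ipfw_hook]
    else:
        # Hypothetical pre-PFIL style resume: continue in ipfw right after the pipe
        # rule, bypassing the sanity check and pf.  Not how FreeBSD 5.4 behaves.
        hooks = [ipfw_hook]
    for hook in hooks:
        verdict = hook(pkt)
        if verdict == "PIPE":
            # dummynet shapes/delays the packet, then hands it back to ip_input()
            pkt.dn_tag = True
            pkt.trace.append("dummynet: reinject into ip_input()")
            return ip_input(pkt, resume_in_ipfw)
        if verdict == "DROP":
            return "DROP"
    pkt.trace.append("deliver to upper layers")
    return "DELIVER"


def run(dport: int, resume_in_ipfw: bool = False) -> tuple:
    """Inject one constructed packet from the wire and return (verdict, packet)."""
    pkt = Packet(src="198.51.100.7", dst="203.0.113.5", dport=dport)
    return ip_input(pkt, resume_in_ipfw), pkt


if __name__ == "__main__":
    for port in (21, 80, 22):
        verdict, pkt = run(port)
        print(f"port {port}: {verdict}, pflog entries={len(pkt.pflog)}")
        for step in pkt.trace:
            print("   ", step)
```

Running it shows the two symptoms from the post: port 21 is rdr'd to 127.0.0.1:8021, piped, and then dropped by the 127/8 check on reinjection, while port 80 is delivered but produces two pflog records because pf runs once per traversal of ip_input(). With resume_in_ipfw=True both cases deliver with a single pflog record, which is the behaviour the poster describes for the pre-PFIL jump into ipfw.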