From: Eugene Grosbein <eugen@grosbein.net>
To: alfadev, freebsd-ipfw@FreeBSD.org, freebsd-hackers@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: How to Force Packet Traversal Order (IPFW2 => PF)
Date: Sat, 31 Jul 2021 15:17:16 +0700
Message-ID: <21339cbe-59c6-5b07-bf8b-8e8612ba64da@grosbein.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
30.07.2021 18:40, alfadev via freebsd-ipfw wrote:
> Hi,
> I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
>
> According to my observations, the firewalls follow this order in all of my scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option. When I create a load-balancing rule using PF's route-to, packets do not enter IPFW.
> So when I set up PBR, IPFW rules like MAC-based piping, bandwidth, captive portal etc. do not work.
> So
> I am trying to get this order:
> input => ipfw => pf
>
> but I think I cannot change this order without touching the kernel level.
> When I did some research I found this: https://www.opennet.ru/tips/info/1431.shtml
>
> The IPFW and PF startup order definitions are in these files:
>
> Code:
>
> /usr/src/sys/netpfil/ipfw/ip_fw2.c
> /usr/src/sys/netpfil/pf/pf_ioctl.c
>
> I do not have sufficient skills to edit kernel-level files
> and tried the instructions below but I couldn't change that order.
>
> I have been stuck on this for weeks, my mind is gonna blow.
> Any help would be appreciated at this point..

You need not edit kernel sources. AFAIK it is possible to achieve what you need by building a custom kernel with ipfw included but pf not included in the kernel and loaded as a module.
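As an added illustration (not part of the thread, and not Eugene's or the FreeBSD project's files), a script that writes the two pieces the reply describes: a custom kernel config with ipfw statically linked and no `device pf`, plus the rc.conf entries that start ipfw and let rc.d/pf load pf as a module. The kernel config name IPFWKERNEL and the OUT root are assumptions (OUT defaults to a temp directory so the script is safe to run anywhere; on the gateway use OUT=/), and since the reply qualifies its claim with AFAIK, confirm the resulting order on your own release, for example by putting a counting ipfw rule in front of a pf block rule and checking whether the counter increments.

```sh
#!/bin/sh
# Added example: implements the "ipfw in kernel, pf as module" layout from the reply.
# Assumptions: kernel config name IPFWKERNEL and output root OUT (temp dir by default).
set -eu
KERNCONF=${KERNCONF:-IPFWKERNEL}
OUT=${OUT:-$(mktemp -d)}

# Kernel config: GENERIC plus ipfw compiled in. Deliberately no "device pf",
# so pf stays out of the kernel image and is loaded as pf.ko later.
write_kernconf() {
	conf="$OUT/usr/src/sys/amd64/conf/$KERNCONF"
	mkdir -p "$(dirname "$conf")"
	cat > "$conf" <<EOF
include GENERIC
ident $KERNCONF
options IPFIREWALL                    # ipfw statically linked
options IPFIREWALL_DEFAULT_TO_ACCEPT  # stay open until the ruleset loads
options IPFIREWALL_VERBOSE            # enable "log" rules
options DUMMYNET                      # bandwidth pipes mentioned in the question
EOF
	echo "$conf"
}

# rc.conf: rc.d/ipfw loads the ruleset; rc.d/pf loads pf.ko and /etc/pf.conf.
write_rcconf() {
	rc="$OUT/etc/rc.conf"
	mkdir -p "$(dirname "$rc")"
	cat >> "$rc" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"   # placeholder path for your own ipfw ruleset
pf_enable="YES"
pf_rules="/etc/pf.conf"
EOF
	echo "$rc"
}

# Prints (does not run) the standard build sequence for the config above.
build_commands() {
	printf 'cd /usr/src && make buildkernel KERNCONF=%s && make installkernel KERNCONF=%s && shutdown -r now\n' \
		"$KERNCONF" "$KERNCONF"
}

# Only act when invoked with "run", so sourcing or testing the file is harmless.
if [ "${1:-}" = run ]; then
	write_kernconf
	write_rcconf
	build_commands
fi
```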