From: Martin Beran
Date: Sun, 1 Aug 2021 00:19:53 +0200
Subject: Re: How to Force Packet Traversal Order (IPFW2 => PF)
Cc: "freebsd-hackers@FreeBSD.org"
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

On Fri, 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:

> Hi,
> I have to use both IPFW and PF at the same time on my FreeBSD 12.2 gateway.
>
> According to my observations, the firewalls follow this order in all of my
> scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> When I create a load-balancing rule using PF's route-to, packets do not enter
> IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> captive portal etc. do not work.
> So I am trying to achieve this order:
> input => ipfw => pf
>
> But I think I cannot change this order without touching the kernel level.
> When I did some research I found [this](https://www.opennet.ru/tips/info/1431.shtml)
> https://www.opennet.ru/tips/info/1431.shtml

I think that you do not need to touch kernel source, nor build a custom kernel. The order of calling packet filtering modules depends on the order of registering the modules to packet processing hooks. Instead of loading the modules by their respective startup scripts, you can load them in the required order by including them in /etc/rc.conf in variable kld_list. I do not remember if the order of calling is the same or the opposite of the order of module loading.

Martin Beran
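
A check for the load order that the reply suggests setting through `kld_list`, as an added example that is not part of the original message: it reads `kldstat` output, where the Id column increases in load order, and reports which of two modules was loaded first. The sample output is constructed and the function names are hypothetical; the check says nothing about the order in which the hooks are then called, which the reply leaves open.

```shell
#!/bin/sh
# Added example (not from the original message).
# Assumed /etc/rc.conf setting being verified:  kld_list="ipfw pf"

# Constructed sample of kldstat output; ids, addresses and sizes are made up.
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   23 0xffffffff80200000  2448f20 kernel
 2    1 0xffffffff82819000    2a1b8 ipfw.ko
 3    1 0xffffffff82844000    5c0e8 pf.ko'

# kld_id NAME: read kldstat output on stdin, print the Id of NAME.ko
# (prints nothing if the module is not listed).
kld_id() {
    awk -v want="$1.ko" 'NR > 1 && $5 == want { print $1; exit }'
}

# load_order FIRST SECOND: read kldstat output on stdin and print
#   ok        FIRST was loaded before SECOND
#   reversed  SECOND was loaded before FIRST
#   missing   one of them is not a loaded module
#             (for example, compiled into the kernel instead)
load_order() {
    out=$(cat)
    a=$(printf '%s\n' "$out" | kld_id "$1")
    b=$(printf '%s\n' "$out" | kld_id "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo missing
    elif [ "$a" -lt "$b" ]; then
        echo ok
    else
        echo reversed
    fi
}

# On a live system:  kldstat | load_order ipfw pf
printf '%s\n' "$SAMPLE_KLDSTAT" | load_order ipfw pf
```

A `missing` result means `kld_list` cannot control the order for that module, because it was not loaded as a separate `.ko` file.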