Incompatibility between dummynet and PF rdr.
Andre Santos
andre.netvision.com.br at gmail.com
Sat Jul 8 13:57:19 UTC 2006
Are there any known compatibility problems between dummynet and PF rdr rules?
When I try to combine both, the packets seem to simply disappear.
Here's how to reproduce it on 6.1-RELEASE:
Load PF.
TCP connections coming in on lnc1 will be redirected to the local SSH server.
kldload pf
pfctl -e
echo "rdr on lnc1 proto tcp -> 127.0.0.1 port 22" \
| pfctl -f -
Add dummynet:
kldload ipfw; ipfw add 65000 allow ip from any to any
kldload dummynet
ipfw pipe 1 config mask all
ipfw add 1 pipe 1 ip from any to any
Up to this point, everything works well, but here's where it breaks.
After disabling and re-enabling PF, the only packets on this system
are SYNs coming in on lnc1; all other interfaces are quiet (lo0,
lnc0).
pfctl -d
pfctl -e
PF rules are still in place, dummynet gets the SYN packets, but then
they go somewhere where I can't find them. tcpdump on lnc1 shows only
the SYN packets coming in, all other interfaces are quiet.
Could somebody please help me find these lost packets?
Thank you!
If you invert the order and load ipfw/dummynet before PF, the
disabling and re-enabling step is not even necessary.
The ftp-proxy in OpenBSD >= 3.9 creates rules that don't need the
disabling and re-enabling step to fail. Neither active nor passive data
connections work.
# ipfw show
00001 401 36224 pipe 1 ip from any to any
65000 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
# pfctl -vsn
[ ... no ALTQ support ... ]
rdr on lnc1 inet proto tcp all -> 127.0.0.1 port 22
[ Evaluations: 779 Packets: 85 Bytes: 5013 States: 0 ]
On systems that have ethernet interfaces only, I can work around the
problem by running:
# sysctl -w net.inet.ip.fw.enable=0
# sysctl -w net.link.ether.ipfw=1
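The reproduction steps and the workaround above, collected into one diagnostic script so the counters can be read before and after the PF toggle. This is an added example, not part of Andre's post: it assumes a FreeBSD 6.x host run as root with the pf, ipfw and dummynet modules available, an outside interface named by EXT_IF (lnc1 in the post), sshd listening on port 22, and a client that keeps connecting to port 22 during the capture window. The helper names (ipfw_rule_packets, pf_rdr_packets, capture_compare), the tcp port 22 capture filter and the /tmp capture files are my own choices.

```shell
#!/bin/sh
# Added diagnostic script for the dummynet + PF rdr report (not from the
# original post). Assumes FreeBSD 6.x, root, and a client hitting port 22
# while "capture" runs. EXT_IF defaults to lnc1 as in the post.

EXT_IF="${EXT_IF:-lnc1}"
PIPE_RULE=1

# Packet counter of one ipfw rule, read from `ipfw show` output on stdin.
# ipfw prints rule numbers zero-padded to five digits (00001), so pad ours.
ipfw_rule_packets() {
    awk -v rule="$(printf '%05d' "$1")" '$1 == rule { print $2; exit }'
}

# Packet counter of the rdr rule, read from `pfctl -vsn` output on stdin:
# the "[ Evaluations: N  Packets: N  Bytes: N  States: N ]" line after it.
pf_rdr_packets() {
    awk '/Packets:/ { for (i = 1; i <= NF; i++)
                          if ($i == "Packets:") { print $(i + 1); exit } }'
}

# Step 1 from the post: PF with a single rdr sending TCP on EXT_IF to sshd.
setup_pf() {
    kldload pf 2>/dev/null || true
    pfctl -e
    echo "rdr on $EXT_IF proto tcp -> 127.0.0.1 port 22" | pfctl -f -
}

# Step 2 from the post. The allow rule goes in on the same command as the
# module load so the default deny rule 65535 cannot lock you out.
setup_dummynet() {
    kldload ipfw 2>/dev/null || true
    ipfw add 65000 allow ip from any to any
    kldload dummynet 2>/dev/null || true
    ipfw pipe 1 config mask all
    ipfw add "$PIPE_RULE" pipe 1 ip from any to any
}

# Step 3: the disable/re-enable that the post says triggers the failure
# (not needed if ipfw/dummynet were loaded before PF).
toggle_pf() {
    pfctl -d
    pfctl -e
}

# Capture TCP/22 packets on two interfaces over the same window and print
# both counts. In the failing state the post describes, only the outside
# interface shows anything (SYNs) and lo0 stays at zero.
capture_compare() {   # $1, $2 = interfaces; $3 = seconds to listen
    tcpdump -n -l -i "$1" tcp port 22 >"/tmp/cap.$1.$$" 2>/dev/null & p1=$!
    tcpdump -n -l -i "$2" tcp port 22 >"/tmp/cap.$2.$$" 2>/dev/null & p2=$!
    sleep "$3"
    kill "$p1" "$p2" 2>/dev/null || true
    echo "$1: $(wc -l <"/tmp/cap.$1.$$") packets," \
         "$2: $(wc -l <"/tmp/cap.$2.$$") packets"
    rm -f "/tmp/cap.$1.$$" "/tmp/cap.$2.$$"
}

# Counters from both firewalls, to compare before and after toggle_pf.
report() {
    echo "ipfw rule $PIPE_RULE packets: $(ipfw show | ipfw_rule_packets "$PIPE_RULE")"
    echo "pf rdr packets:              $(pfctl -vsn | pf_rdr_packets)"
}

# Workaround from the post for hosts with Ethernet interfaces only.
workaround_ether() {
    sysctl -w net.inet.ip.fw.enable=0
    sysctl -w net.link.ether.ipfw=1
}

# Without an argument the file only defines the functions (so it can be
# sourced); the subcommands run the actual steps on the box.
case "${1:-}" in
    reproduce)  setup_pf; setup_dummynet; report; toggle_pf; report ;;
    capture)    capture_compare "$EXT_IF" lo0 "${2:-10}" ;;
    workaround) workaround_ether ;;
    *) ;;
esac
```

Run `sh dummynet-rdr.sh reproduce`, start a client loop against port 22 on EXT_IF, then `sh dummynet-rdr.sh capture 10`: the ipfw pipe counter climbing while the rdr counter and the lo0 capture stay flat is the "lost packets" picture from the post, and `workaround` applies the Ethernet-layer sysctls to confirm they change it.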