DIOCNATLOOK fails with ipfw

Yuri yuri at rawbw.com
Mon Dec 2 08:02:19 UTC 2013


I have an app with a transparent proxy that should intercept all TCP 
connections on the interface.
This is done with an ipfw(8) rule like this:
ipfw add 200 fwd 192.168.10.1,15020 tcp from 192.168.10.0/24 to any 80 keep-state
The transparent proxy is on 192.168.10.1:15020.

The proxy accepts the connections; however, it is using /dev/pf to get the 
original destination, and the lookup procedure fails:
ioctl(DIOCNATLOOK) failed: No such file or directory
It fails because nobody ever calls pf_state_insert. I see from the 
source that the ioctl to add the pf_state is DIOCSTART, which is issued by 
pfctl(8), but I am not using pfctl(8) at all.

My questions are:
What is the relationship between ipfw(8) and pfctl(8)? Do they do the 
same thing? Why are there two of them?
If I only use ipfw, is there a way for the acceptor to find out what the 
original destination was without /dev/pf?

Yuri
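Added example (not part of Yuri's post or of any FreeBSD code): one way an acceptor behind an ipfw fwd rule can recover the original destination without touching /dev/pf. DIOCNATLOOK only consults pf's own state table, which ipfw never populates; ipfw(8) documents that fwd leaves the packet's destination address unmodified, so the accepted socket's local address is the address the client actually dialled, and getsockname(2) returns it. The loopback self-test assumes no fwd rule is in the path, in which case the original destination is simply the listener's own bound address; under a real fwd rule the same call on the accepted socket reports the client's intended server address and port.

```c
/* Recover the original destination of a connection steered to a
 * transparent proxy by "ipfw add ... fwd <proxy>,<port> ...", using only
 * getsockname(2).  Added example, not code from the original post.
 * Assumption (per ipfw(8)): fwd does not rewrite the destination address,
 * so the accepted socket's local endpoint is the client's intended target. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write the local endpoint of an accepted TCP socket into addr/port.
 * Under ipfw fwd this is the destination the client originally dialled.
 * Returns 0 on success, -1 on error (errno set by getsockname/inet_ntop). */
int original_destination(int fd, char *addr, size_t addrlen, uint16_t *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) == -1)
        return -1;
    if (inet_ntop(AF_INET, &sin.sin_addr, addr, addrlen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}

/* Loopback self-test (no fwd rule involved): listen on 127.0.0.1 with a
 * kernel-chosen port, connect to it, accept, and check that
 * original_destination() on the accepted socket reports the listener's
 * address and port.  Returns that port on success, 0 on any failure. */
uint16_t selftest_loopback(void)
{
    struct sockaddr_in lsa;
    socklen_t llen = sizeof lsa;
    char addr[INET_ADDRSTRLEN];
    uint16_t port = 0, listen_port;
    int ls, cs, as, rc;

    ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls == -1)
        return 0;
    memset(&lsa, 0, sizeof lsa);
    lsa.sin_family = AF_INET;
    lsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lsa.sin_port = 0;                         /* let the kernel pick a port */
    if (bind(ls, (struct sockaddr *)&lsa, sizeof lsa) == -1 ||
        listen(ls, 1) == -1 ||
        getsockname(ls, (struct sockaddr *)&lsa, &llen) == -1) {
        close(ls);
        return 0;
    }
    listen_port = ntohs(lsa.sin_port);

    cs = socket(AF_INET, SOCK_STREAM, 0);
    if (cs == -1) {
        close(ls);
        return 0;
    }
    if (connect(cs, (struct sockaddr *)&lsa, sizeof lsa) == -1) {
        close(cs);
        close(ls);
        return 0;
    }
    as = accept(ls, NULL, NULL);
    if (as == -1) {
        close(cs);
        close(ls);
        return 0;
    }

    rc = original_destination(as, addr, sizeof addr, &port);
    close(as);
    close(cs);
    close(ls);
    if (rc != 0 || strcmp(addr, "127.0.0.1") != 0 || port != listen_port)
        return 0;
    return port;
}

int main(void)
{
    uint16_t p = selftest_loopback();
    if (p == 0) {
        fprintf(stderr, "self-test failed\n");
        return 1;
    }
    printf("accepted socket reports original destination 127.0.0.1:%u\n", p);
    return 0;
}
```

In a real proxy, call original_destination() on each socket returned by accept(2) on the 192.168.10.1:15020 listener; getpeername(2) on the same socket gives the client. The pf-side equivalent of this setup is an rdr rule plus DIOCNATLOOK, which is why the ioctl has nothing to find when the redirection was done by ipfw instead.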


More information about the freebsd-net mailing list