DIOCNATLOOK fails with ipfw

Hooman Fazaeli hoomanfazaeli at gmail.com
Mon Dec 2 08:42:48 UTC 2013


On 12/2/2013 11:32 AM, Yuri wrote:
> I have an app with transparent proxy that should intercept all TCP connections in the interface.
> This is done with ipfw(8) rule like this:
> ipfw add 200 fwd 192.168.10.1,15020 tcp from 192.168.10.0/24 to any 80 keep-state
> Transparent proxy is on 192.168.10.1:15020
>
> Proxy accepts the connections, however, it is using /dev/pf to get the original destination and the lookup procedure fails:
> ioctl(DIOCNATLOOK) failed: No such file or directory
> It fails because nobody ever calls pf_state_insert. I see from the source that ioctl to add the pf_state is DIOCSTART, which is issued by pfctl(8), but I am not using pfctl(8) at all.
>
> My questions are:
> What is the relationship between ipfw(8) and pfctl(8)? Do they do the same? Why two of them?
> If I only use ipfw, is there a way for the acceptor to find what the original destination was without /dev/pf?
>
> Yuri
ipfw and pf are two completely separate firewalls. You cannot use /dev/pf to control/query ipfw.
Use getsockname(2) to find out the original destination address with ipfw.


-- 

Best regards.
Hooman Fazaeli
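As an added illustration of the getsockname(2) approach above (example code written for this page, not taken from the thread or from any FreeBSD source): an ipfw `fwd` rule steers the packet to the local listening socket but leaves the IP and TCP headers untouched, so on the accepted socket the local endpoint reported by getsockname(2) is still the client's original destination (the 192.168.10.1:15020 listener matches the rule quoted in the thread; the function names and buffer sizes are this example's own choices).

```c
/* Minimal acceptor for a transparent proxy behind an ipfw "fwd" rule.
 * Assumptions (not from the thread): the proxy listens on 192.168.10.1:15020,
 * the fwd target in the quoted rule, and only IPv4 is handled. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Format an IPv4 sockaddr as "a.b.c.d:port".
 * Returns 0 on success, -1 if the address is not IPv4 or buf is too small. */
int format_ipv4_endpoint(const struct sockaddr *sa, socklen_t len,
                         char *buf, size_t buflen)
{
    const struct sockaddr_in *sin;
    char ip[INET_ADDRSTRLEN];

    if (sa == NULL || sa->sa_family != AF_INET || len < sizeof(*sin))
        return -1;
    sin = (const struct sockaddr_in *)sa;
    if (inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof(ip)) == NULL)
        return -1;
    if (snprintf(buf, buflen, "%s:%u", ip, ntohs(sin->sin_port)) >= (int)buflen)
        return -1;
    return 0;
}

/* On a connection redirected by ipfw fwd, getsockname(2) returns the address
 * the client originally dialed and getpeername(2) returns the client itself.
 * Both are written as strings; returns 0 on success, -1 on error. */
int original_destination(int connfd, char *dst, size_t dstlen,
                         char *src, size_t srclen)
{
    struct sockaddr_storage ss;
    socklen_t sl = sizeof(ss);

    if (getsockname(connfd, (struct sockaddr *)&ss, &sl) == -1)
        return -1;
    if (format_ipv4_endpoint((struct sockaddr *)&ss, sl, dst, dstlen) == -1)
        return -1;
    sl = sizeof(ss);
    if (getpeername(connfd, (struct sockaddr *)&ss, &sl) == -1)
        return -1;
    return format_ipv4_endpoint((struct sockaddr *)&ss, sl, src, srclen);
}

int main(void)
{
    struct sockaddr_in listen_addr;
    int lfd, cfd;
    char dst[64], src[64];

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd == -1) { perror("socket"); return 1; }

    /* Bind to the fwd target from the ipfw rule (assumed address). */
    memset(&listen_addr, 0, sizeof(listen_addr));
    listen_addr.sin_family = AF_INET;
    listen_addr.sin_port = htons(15020);
    inet_pton(AF_INET, "192.168.10.1", &listen_addr.sin_addr);
    if (bind(lfd, (struct sockaddr *)&listen_addr, sizeof(listen_addr)) == -1 ||
        listen(lfd, 16) == -1) {
        perror("bind/listen");
        return 1;
    }

    for (;;) {
        cfd = accept(lfd, NULL, NULL);
        if (cfd == -1) { perror("accept"); continue; }
        if (original_destination(cfd, dst, sizeof(dst), src, sizeof(src)) == 0)
            printf("client %s originally wanted %s\n", src, dst);
        else
            perror("getsockname/getpeername");
        /* A real proxy would now connect to dst and relay; here we just close. */
        close(cfd);
    }
}
```

The recovered `dst` is where the proxy would open its upstream connection; because no header rewriting happens with `fwd`, nothing in pf (and so no DIOCNATLOOK) is involved at any point.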