pf (rules and nat) + (ipfw + dummynet)

Kristof Provost kp at freebsd.org
Sat Aug 17 22:01:35 UTC 2019


On 2019-08-17 22:25:44 (+0100), Andrew White <andywhite at gmail.com> wrote:
> Using 11.3, I've been trying to configure pf with dummynet.  Having ipfw
> reply traffic sent into a dummynet pipe causes pf to reject the traffic.
> 
> Searching around and looking at ip_input.c it looks like dummynet reinjects
> the packet back into input and this is what causes the problem, I'm
> guessing the checksum changes.
> 
I would expect both firewalls to leave the packets with correct
checksums, but I have to add the disclaimer that I do not consider
mixing firewalls to be a supported use case. I can think of several
things (IPv6 fragment handling, route-to at least) where combining pf
with another firewall is very likely to break.

> Is this a known behaviour and are there functioning patches?  I see
> projects like OPNsense and pfSense have patches for ip_input.c to skip some
> of the code if it's a reinjected packet from dummynet.
> 
> I also see some work underway to separate dummynet from ipfw. Are there any
> docs for the goals or timelines? Will this allow dummynet anchors and use
> of dnctl to use pf with dummynet like in macOS?
> 
This work was started by a prospective gsoc student, but they were not
selected, and I have not seen any big patches come out of it.

It's not on my own todo list.

Regards,
Kristof