pf (rules and nat) + (ipfw + dummynet)

Andrew White andywhite at gmail.com
Sun Aug 18 12:15:31 UTC 2019


On Sat, Aug 17, 2019 at 10:51 PM Kristof Provost <kp at freebsd.org> wrote:

> On 2019-08-17 22:25:44 (+0100), Andrew White <andywhite at gmail.com> wrote:
> > Using 11.3, I've been trying to configure pf with dummynet. Having ipfw
> > reply traffic sent into a dummynet pipe causes pf to reject the traffic.
> >
> > Searching around and looking at ip_input.c it looks like dummynet
> > reinjects the packet back into input and this is what causes the problem,
> > I'm guessing the checksum changes.
> >
> I would expect both firewalls to leave the packets with correct
> checksums, but I have to add the disclaimer that I do not consider
> mixing firewalls to be a supported use case. I can think of several
> things (IPv6 fragment handling, route-to at least) where combining pf
> with another firewall is very likely to break.
>
I agree, mixing firewalls carries risks, but afaik the only current way to
use pf with dummynet in FreeBSD is to mix with ipfw. My use case is simple
and would only cover basic permits to route into dummynet, so I would hope
some of the edge cases around frags etc. wouldn't apply.

A sample patch (that doesn't appear to work for me) is
https://github.com/opnsense/src/commit/7514cc670601b566f30e0386ef8885660a27aa5a#diff-f038606be7fc68e05878b9cdbb32e21f

I'll debug a bit more and find/write/modify a patch to see if I can address
it.


> Regards,
> Kristof
>
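The guess above is that the reinjected packet arrives with a checksum that no longer matches its header. One thing a practitioner can check before patching the kernel is whether the IPv4 header checksum of the packet coming back from the pipe is still valid. The following is an added example, not code from this thread or from FreeBSD: it implements the RFC 1071 one's-complement checksum, validates a header, and shows that a header whose TTL was decremented without recomputing the checksum fails validation while one with the checksum recomputed passes. The addresses, TTL and identification values are constructed for the example; the 20-byte header in `KNOWN_HEADER` is a textbook sample whose correct checksum is 0xB861.

```python
import socket
import struct

# Textbook sample IPv4 header (constructed, not a capture from the thread);
# the checksum field at bytes 10-11 is zeroed here, its correct value is 0xB861.
KNOWN_HEADER = bytes.fromhex("450000730000400040110000c0a80001c0a800c7")
KNOWN_CHECKSUM = 0xB861


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # odd trailing byte is padded with zero
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum of an IPv4 header, computed with its checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def ipv4_checksum_ok(header: bytes) -> bool:
    """A valid header, including its stored checksum, sums to 0xFFFF."""
    return ones_complement_sum(header) == 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6,
                      total_len: int = 40, ident: int = 0x1234) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct checksum.

    Field values other than src/dst are example defaults (DF flag set, no options).
    """
    ver_ihl, tos, flags_frag = 0x45, 0, 0x4000
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                         flags_frag, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_header_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:]


def set_ttl(header: bytes, ttl: int, recompute: bool) -> bytes:
    """Return a copy with a new TTL; optionally refresh the checksum.

    A forwarding path that changes the header without recomputing the
    checksum (or one that relies on the NIC to do it later) produces the
    recompute=False case, which a strict checksum validator rejects.
    """
    changed = header[:8] + bytes([ttl]) + header[9:]
    if not recompute:
        return changed
    csum = ipv4_header_checksum(changed)
    return changed[:10] + struct.pack("!H", csum) + changed[12:]


if __name__ == "__main__":
    h = build_ipv4_header("192.0.2.1", "198.51.100.2")
    print("fresh header valid:", ipv4_checksum_ok(h))
    print("ttl-1, stale checksum valid:", ipv4_checksum_ok(set_ttl(h, 63, False)))
    print("ttl-1, recomputed valid:", ipv4_checksum_ok(set_ttl(h, 63, True)))
```

Run it against the header bytes of a packet captured on the interface after it leaves the pipe: if `ipv4_checksum_ok` is false on the wire copy, the checksum hypothesis is confirmed; if it is true, the rejection has another cause (state tracking or a stale mbuf flag are the usual suspects when two firewalls see the same packet twice).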


More information about the freebsd-net mailing list