Re: How to Force Packet Traversal Order (IPFW2 => PF)

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Andreas Longwitz <longwitz_at_incore.de>
Date: Mon, 02 Aug 2021 19:12:18 UTC

If both pf and ipfw2 are active firewalls then I change their sequence with
   pfctl -d; pfctl -e
to set pf in the first place or with
   sysctl net.inet.ip.fw.enable=0; sysctl net.inet.ip.fw.enable=1
to set ipfw2 in the first place.

To check for the actual sequence I use a hack with the help of the
kernel debugger:

   echo -n "Sequence of firewall functions for incoming pakets: "
cat > .gdbinit << EOF
p *(*pfil_head_list->lh_first)->ph_in->tqh_first
p *(*(*pfil_head_list->lh_first)->ph_in->tqh_first)->pfil_chain->tqe_next
quit
EOF
   kernel=$(sysctl -n kern.bootfile)
   test -f ${kernel} || kernel="/boot/kernel/kernel"
   { kgdb ${kernel} /dev/mem } 2>/dev/null | \
   { grep pfil_func | sed -e 's/.*<\(.*\)>.*/     \1/' | xargs echo; }
   rm .gdbinit

It would be fine to have a sysctl variable to get this indormation.

Andreas