[Bug 272094] pfilctl IPFW hook order not works with PF route-to
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 272094] pfilctl IPFW hook order not works with PF route-to"
Date: Tue, 20 Jun 2023 14:37:46 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #1 from Kristof Provost <kp@freebsd.org> ---
> I am currently using both IPFW and PF at the same time. But some will say this is a bad idea.

Mostly because it is. As far as I'm concerned that's not a supported configuration. Maybe you can make it work, maybe not. Either way you get to keep all of the pieces, at no extra charge!

> I think the packets that first hit PF route-to are sent directly to the output interface.

Correct. pf_route() calls ifp->if_output() directly and the packet will not be seen by another firewall. This is one of the many reasons that running multiple firewalls at the same time is not recommended.

You may be interested to learn that from FreeBSD 14 onwards (i.e. current main) you can use dummynet with pf, and can also do basic layer 2 filtering with pf. No doubt it's also possible to implement captive portal entirely with ipfw.

tl;dr: You're on your own with this.

--
You are receiving this mail because:
You are on the CC list for the bug.