[Bug 272094] pfilctl IPFW hook order not works with PF route-to

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 21 Jun 2023 15:36:53 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #5 from Gleb Smirnoff <glebius@FreeBSD.org> ---
(In reply to Alfa from comment #3)
> Sorry to bother, but I am confused about the PFILCTL tool. To make it clear, what is this tool's main purpose?

To change how firewalls are hooked into the network stack. Sorry for obvious
answer :) A more practical answer:

- Somebody may want to filter only on input, skipping any filtering on output.
- There are some drivers that provide a NIC level hook. This allows unhooking
firewalls from the default path and hooking them on the NIC only. First, these NIC
level hooks allow packets to be dropped at a much lower cost. Second, you can build
your firewall based on interfaces, very much like Cisco or Juniper do.
- Although running a stack of firewalls (pf, ipfw, ipfilter) is not something
that is supported or recommended, some people do that, and some configurations
(apparently without route-to) work excellently. pfilctl allows reconfiguring the
stack.

P.S. We probably should enable interface level hooks in general, for those
drivers that don't support NIC level hooks. That won't provide a packet drop
performance gain, but will allow designing a router-style firewall with any NICs.
