[Bug 212331] pfil processing order

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri Sep 2 12:30:02 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212331

            Bug ID: 212331
           Summary: pfil processing order
           Product: Base System
           Version: 10.3-STABLE
          Hardware: i386
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: srijan.nandi at gmail.com
                CC: freebsd-i386 at FreeBSD.org

Created attachment 174315
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174315&action=edit
Packet Capture

Hello Everyone,

I am running FreeBSD 10.3-RELEASE-p7.

The setup that I have is that I have 2 WAN interfaces and 1 LAN interface. I
have configured both IPFW (for traffic shaping and captive portal) and PF for
all other filtering and NAT rules.

em0 - LAN
em1 - WAN1
em2 - WAN2

My scenario is that as soon as a connection is made to a website, IPFW catches
this port 80 traffic and redirects it to a Captive Portal listening on port
9000 and then after authentication is successful via Captive Portal, the
traffic is then passed onto PF for further processing.

Here are the relevant IPFW rules:
1. For Captive Portal
[code]
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em0
add 5000 allow ip from any to any dst-port 443 via em0
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
add 5000 allow ip from any to any dst-port 80 via em0
[/code]
2. Allow authenticated traffic to PF
[code]
add 65533 pass ip from any to any
[/code]
PF, upon receiving these packets, makes a connection to the website and it opens
up.

As can be seen from the rule below:
[code]
pass in quick on em0 inet from 172.16.1.0/24 to any flags S/SA keep state
[/code]
Everything works pretty well.

However, as soon as I apply a route-to rule in PF, the processing order breaks.
So now, no longer does IPFW get the port 80 traffic to be redirected to port
9000. It simply passes it outside.

PF rule with route-to set:
[code]
pass in quick on em0 route-to (pppoe0 X.X.X.X) inet from 172.16.1.0/24 to any
flags S/SA keep state
[/code]
I require the processing to be such that for incoming traffic, IPFW should
process the packets first and then pass it on to PF. This works when route-to
is not set.

Attached is a tcpdump, explaining the same.

Any help will be highly appreciated. I have been banging my head around this
issue for days.

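A quick way to check the ordering problem the reporter describes, added here as an example and not part of the bug report or of the FreeBSD tree: snapshot the per-rule packet counters that `ipfw -a list` prints, open one port 80 connection from the LAN, snapshot again, and see whether the `fwd` rule's counter moved. If the `fwd` rule stays at zero while the catch-all rule 65533 keeps counting, the inbound packet never reached ipfw's fwd rule, which is the symptom in the report. `counter_delta` and `rule_saw_packets` are plain text processing and run anywhere; `probe_rule` is the live wrapper and needs root on the FreeBSD router plus a LAN host to connect to. The counter line format, the `nc -z` probe and the two sample snapshots at the bottom are assumptions of this example (the snapshots are constructed, not taken from the attached capture). Rules are keyed by number plus body because the reporter's ruleset reuses number 5000 for several rules.

```shell
#!/bin/sh
# Added example: does an ipfw rule actually see the packets it should catch?
# Compare the packet counters that `ipfw -a list` prints before and after one
# test connection. Assumed line format (ipfw(8) on FreeBSD 10.x):
#   <rule-number> <packets> <bytes> <rule body...>

# counter_delta BEFORE AFTER
# Prints "<rule> <packet-delta> <rule body>" for each rule in AFTER. Rules are
# keyed by number plus body, since one number may carry several rules
# (the reporter's ruleset uses 5000 four times).
counter_delta() {
    {
        printf '%s\n' "$1" | awk '{ print "B", $0 }'
        printf '%s\n' "$2" | awk '{ print "A", $0 }'
    } | awk '
        function body(start,   s, i) {
            s = ""
            for (i = start; i <= NF; i++) s = s (i > start ? " " : "") $i
            return s
        }
        $1 == "B" { before[$2 " " body(5)] = $3; next }
        $1 == "A" {
            k = $2 " " body(5)
            printf "%s %d %s\n", $2, $3 - before[k], body(5)
        }'
}

# rule_saw_packets DELTA_OUTPUT PATTERN
# Exit 0 if a rule whose line matches PATTERN had a positive packet delta.
rule_saw_packets() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $2 > 0 && $0 ~ pat { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# probe_rule HOST
# Live version (assumed invocation, not from the report): requires root on the
# FreeBSD router. nc -z only attempts the connection; that SYN on em0 is exactly
# what the "fwd ... dst-port 80 in via em0" rule must catch.
probe_rule() {
    before=$(ipfw -a list)
    nc -z -w 3 "$1" 80 2>/dev/null || true
    after=$(ipfw -a list)
    counter_delta "$before" "$after"
}

# Constructed sample snapshots (not from the attached capture). The fwd rule's
# counter is unchanged while the catch-all rule 65533 counted two packets, so
# ipfw processed the flow but never saw the inbound SYN at the fwd rule.
# ipfw prints "pass" rules as "allow".
SAMPLE_BEFORE='05000   17   1024 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
65533  902 118331 allow ip from any to any'
SAMPLE_AFTER='05000   17   1024 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
65533  904 118451 allow ip from any to any'

delta=$(counter_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")
printf '%s\n' "$delta"
if rule_saw_packets "$delta" "fwd 127.0.0.1,9000"; then
    echo "fwd rule saw packets: the inbound port 80 SYN reached ipfw"
else
    echo "fwd rule saw nothing: the inbound port 80 SYN never reached ipfw's fwd rule"
fi
```

On the live router, run `probe_rule <web host>` from a shell on the LAN side twice: once with the plain `pass in quick` rule loaded and once with the `route-to` variant. The fwd rule's delta should be positive in the first run; if it is zero in the second while rule 65533 still counts, the counters confirm what the tcpdump shows.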