From nobody Sat Jun 3 10:09:28 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Sat, 03 Jun 2023 10:09:28 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Sender: owner-freebsd-pf@freebsd.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #33 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4a6b92849e619c40ca9a78d38339798f2735ec56

commit 4a6b92849e619c40ca9a78d38339798f2735ec56
Author:     Doug Rabson
AuthorDate: 2023-06-02 15:58:33 +0000
Commit:     Doug Rabson
CommitDate: 2023-06-03 10:07:56 +0000

    pf: Fix tests broken by enabling inet-local filtering

    Summary:
    Three of the pf dummynet tests were using filter rules which matched
    both the intended epair interface as well as lo0 which now receives
    PFIL_OUT events for messages delivered to the local network stack (if
    enabled). This commit changes the rules to match only for the expected
    epair interface.

    PR:             268717
    Reviewed-by:    kp
    MFC-after:      2 weeks
    Differential Revision: https://reviews.freebsd.org/D40393

 tests/sys/netpfil/common/dummynet.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
You are receiving this mail because:
You are the assignee for the bug.

From nobody Sun Jun 18 14:27:18 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 271550] Fatal trap 12: page fault while in kernel mode // pf_route6
Date: Sun, 18 Jun 2023 14:27:18 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-RELEASE
X-Bugzilla-Keywords: crash
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: markj@FreeBSD.org
X-Bugzilla-Status: Closed
X-Bugzilla-Resolution: DUPLICATE
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org
X-Bugzilla-Changed-Fields: bug_status resolution

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271550

Mark Johnston changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Open                        |Closed
         Resolution|---                         |DUPLICATE

--- Comment #4 from Mark Johnston ---

*** This bug has been marked as a duplicate of bug 268400 ***

From nobody Tue Jun 20 14:18:54 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Tue, 20 Jun 2023 14:18:54 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: burak.sn@outlook.com
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

            Bug ID: 272094
           Summary: pfilctl IPFW hook order not works with PF route-to
           Product: Base System
           Version: 13.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: burak.sn@outlook.com
                CC: glebius@FreeBSD.org, ipfw@FreeBSD.org, kp@freebsd.org,
                    pf@FreeBSD.org

Hi, I have created a simple captive portal using IPFW on my FreeBSD 13.2
RELEASE machine.

I am currently using both IPFW and PF at the same time. But some will say this
is a bad idea. I used IPFW for captive portal, bandwidth mgmt and any other
Layer 2 filtering purposes and PF for general firewalling process like block,
NAT, route-to.

#212331 this bug references same error but based on FreeBSD 10.3

My problem:
when I applied both captive portal and PBR rule on igb1. IPFW fwd cannot
redirect unauthenticated users to portal page. I think the packets that first
hit PF route-to are sent directly to the output interface. So that traffic
does not hit IPFW.

So I tried to use newly implemented "pfilctl" tool to change PF, IPFW hook
order and I tried every combination but with no luck.

I am awaiting your kind responses

// FreeBSD's Default PF first in hook order

    # pfilctl heads
    Intercept point    Type
            inet6      IPv6
             In        pf  default-in6
             In      ipfw  default6
            Out      ipfw  default6
            Out        pf  default-out6
             inet      IPv4
             In        pf  default-in
             In      ipfw  default
            Out      ipfw  default
            Out        pf  default-out
         ethernet  Ethernet
             In      ipfw  default-link
            Out      ipfw  default-link

// My IPFW first in settings

    pfilctl unlink -ia ipfw:default inet
    pfilctl unlink -oa ipfw:default inet
    pfilctl unlink -ia pf:default-in inet
    pfilctl unlink -oa pf:default-out inet

// I tried every combination on linking

    pfilctl link -ia ipfw:default inet
    pfilctl link -ia pf:default-in inet
    pfilctl link -oa pf:default-out inet
    pfilctl link -oa ipfw:default inet

    Intercept point    Type
            inet6      IPv6
             In        pf  default-in6
             In      ipfw  default6
            Out      ipfw  default6
            Out        pf  default-out6
             inet      IPv4
             In      ipfw  default
             In        pf  default-in
            Out      ipfw  default
            Out        pf  default-out
         ethernet  Ethernet
             In      ipfw  default-link
            Out      ipfw  default-link

// ROUTE-TO RULE

    pass in log quick on { igb1 } route-to { ( igb0 192.168.30.1 ) } inet from { any } to { any }

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From nobody Tue Jun 20 14:36:08 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 268717] [pf] [ipnat] rdr rules don't work for traffic originating at localhost
Date: Tue, 20 Jun 2023 14:36:08 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.1-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: commit-hook@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268717

--- Comment #34 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3a1f834b5228986a7c14fd60da13cf2700e80996

commit 3a1f834b5228986a7c14fd60da13cf2700e80996
Author:     Doug Rabson
AuthorDate: 2023-06-20 13:01:58 +0000
Commit:     Doug Rabson
CommitDate: 2023-06-20 14:34:01 +0000

    pf: Add code to enable filtering for locally delivered packets

    This is disabled by default since it potentially changes the behavior of
    existing filter rule sets. To enable this extra filter for packets being
    delivered locally, use:

        sysctl net.pf.filter_local=1
        service pf restart

    PR:             268717
    Reviewed-by:    kp
    MFC-after:      2 weeks
    Differential Revision: https://reviews.freebsd.org/D40373

 UPDATING                                     | 12 ++++++++++++
 sys/netpfil/pf/pf_ioctl.c                    | 20 ++++++++++++++++++++
 tests/sys/netpfil/common/utils.subr          |  3 +--
 tests/sys/netpfil/pf/fragmentation_compat.sh |  3 ++-
 tests/sys/netpfil/pf/fragmentation_pass.sh   |  3 ++-
 tests/sys/netpfil/pf/killstate.sh            | 24 ++++++++++++++++--------
 tests/sys/netpfil/pf/map_e.sh                |  3 ++-
 tests/sys/netpfil/pf/pass_block.sh           |  3 ++-
 tests/sys/netpfil/pf/pfsync.sh               |  1 +
 tests/sys/netpfil/pf/route_to.sh             |  3 ++-
 tests/sys/netpfil/pf/set_skip.sh             |  2 +-
 tests/sys/netpfil/pf/table.sh                |  6 ++++--
 12 files changed, 65 insertions(+), 18 deletions(-)

From nobody Tue Jun 20 14:37:46 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Tue, 20 Jun 2023 14:37:46 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.2-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #1 from Kristof Provost ---
> I am currently using both IPFW and PF at the same time. But some will say this is a bad idea.

Mostly because it is.
As far as I'm concerned that's not a supported configuration. Maybe you can
make it work, maybe not. Either way you get to keep all of the pieces, at no
extra charge!

> I think the packets that first hit PF route-to are sent directly to the output interface.

Correct. pf_route() calls ifp->if_output() directly and the packet will not be
seen by another firewall. This is one of the many reasons that running multiple
firewalls at the same time is not recommended.

You may be interested to learn that from FreeBSD 14 onwards (i.e. current main)
you can use dummynet with pf, and can also do basic layer 2 filtering with pf.
No doubt it's also possible to implement captive portal entirely with ipfw.

tl;dr: You're on your own with this.
--=20 You are receiving this mail because: You are on the CC list for the bug.= From nobody Tue Jun 20 15:34:04 2023 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QlrJs3Qmxz4gC7H for ; Tue, 20 Jun 2023 15:34:05 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QlrJs29Qtz3kDv for ; Tue, 20 Jun 2023 15:34:05 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687275245; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nzf8M8VTr1kAkLvNuxVraiuibW+w05hBJiWogVZYCGE=; b=HcEp6ZRhE0w0pJhQ5Gm9J+Qng6keuZ67nWXXeb5iWjoM3tuovQolbA80CBiVS4JFxsFGkz KBeDgvZm07OeGPDaDrYGIiuIdNI5mkzUlyTfMGx6vqHSn/R4Oa6f7JAJxFQIR/WRSgTtIr 5WWBI6EjTlFImSSguuKiOYb7eKMrSaHFhULEjuKq4lUIw7hFvE0GuMBSmhlANXSz+tfypg pYWsa05R0ZXHgY8dQ9Y2ac4aY/om18+Y9UH4eVcHO8gI8eNxSfOByq/b1LJSLLuZPd4yyD NhlJhe5PhC2OfjSp2UVudeg5sm5sAXQ0M8jftES8O1VqbHd3bwC2w19hIyPtRg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1687275245; a=rsa-sha256; cv=none; b=hB5affxE19kT+m+dkguHcegqswfvLfM3BS7d9UxX3bhuFDjc2vGW+mgILeDz71pFdwBZAk CJw9Zilm+OMGPt6BHglzEOHZSJRyyPdGZiOLKFWges25sE0cFZZHa4meQTjFjQ+6YFFrEo ZjI4/hwAiX/bdOH1NiyFSbDU7+8llQ9teZtv1fOozqKObPbdZU7GYrv2kb1bZvO/iorvfn 
RLRHFIRqvCQM3F6Mgf1Rb5UWSPXcYjBpboLjXGASdsRQNVy7uzbpsyd8CewfraTjNrrNgw lSDhaYhW0gqqNP8IbmtHhatmV9fsFm/1jvyp/7SJ3Ps7J/XgrOx9VO2XEjc6mQ== Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4QlrJs1FyMz14ln for ; Tue, 20 Jun 2023 15:34:05 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 35KFY5pj035144 for ; Tue, 20 Jun 2023 15:34:05 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 35KFY5ro035143 for pf@FreeBSD.org; Tue, 20 Jun 2023 15:34:05 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to Date: Tue, 20 Jun 2023 15:34:04 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 13.2-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: emaste@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: 
List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D272094 Ed Maste changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |emaste@freebsd.org --- Comment #2 from Ed Maste --- @kp I wonder where is an appropriate place to document that combining firew= alls may not have desired results. pfil.9 seems to be the only general page (firewall agnostic) but a section 9 page isn't right for this. I guess firewall.7 should be rewritten to describe pf (and ipfilter) as well as ipf= w, and then this issue could be added there. --=20 You are receiving this mail because: You are on the CC list for the bug.= From nobody Tue Jun 20 16:49:05 2023 X-Original-To: pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4QlszQ0ybzz4gggJ for ; Tue, 20 Jun 2023 16:49:06 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4QlszP6b3kz3Ngt for ; Tue, 20 Jun 2023 16:49:05 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1687279745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; 
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Tue, 20 Jun 2023 16:49:05 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

Mina Galić changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |freebsd@igalic.co
             Status|New                         |Open
           Assignee|bugs@FreeBSD.org            |net@FreeBSD.org

From nobody Wed Jun 21 14:00:50 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Wed, 21 Jun 2023 14:00:50 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #3 from Alfa ---
(In reply to Kristof Provost from comment #1)

"you can use dummynet with pf, and can also do basic layer 2 filtering with pf.
No doubt it's also possible to implement captive portal entirely with ipfw."

I am also using ip_divert with ipfw because PF divert-to does not work as
expected. #260867: this bug references the divert-to infinite loop problem.
This bug still exists.

"Correct. pf_route() calls ifp->if_output() directly and the packet will not be
seen by another firewall."

Sorry to bother, but I am confused about the PFILCTL tool. To make it clear:
what is this tool's main purpose?

From nobody Wed Jun 21 14:16:40 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Wed, 21 Jun 2023 14:16:40 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #4 from Kristof Provost ---
(In reply to Alfa from comment #3)
> I am also using ip_divert with ipfw because PF divert-to does not work as
> expected. #260867: this bug references the divert-to infinite loop problem.
> This bug still exists.

I don't remember that bug. It's not on my todo list. Perhaps you can get ipfw
to do everything you need.

> Sorry to bother, but I am confused about the PFILCTL tool. To make it clear:
> what is this tool's main purpose?

https://man.freebsd.org/cgi/man.cgi?query=pfilctl&sektion=8&manpath=FreeBSD+13.1-RELEASE

I don't actually know anything more about it than the man page. If that's not
sufficient I'm afraid all I can recommend is that you look at the code.

From nobody Wed Jun 21 15:36:53 2023
From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Date: Wed, 21 Jun 2023 15:36:53 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

--- Comment #5 from Gleb Smirnoff ---
(In reply to Alfa from comment #3)
> Sorry to bother but i am confused about PFILCTL tool, to make it clear What
> is this tool's main purpose?

To change how firewalls are hooked into the network stack. Sorry for obvious
answer :)

A more practical answer:

- Somebody may want to filter only on input, skipping any filtering on output.
- There are some drivers that provide a NIC level hook. This allows to unhook
firewalls from default path and hook them on the NIC only. First, these NIC
level hooks allow to drop packets at a much lower cost. Second, you can build
your firewall based on interfaces, very much like Cisco or Juniper do.
- Although running a stack of firewalls (pf, ipfw, ipfilter) is not something
that is supported or recommended, some people do that and some configurations
(apparently without route-to) work excellent. pfilctl allows to reconfigure the
stack.

P.S. We probably should enable interface level hooks in general, for those
drivers that don't support NIC level hooks. That won't provide a packet drop
performance gain, but will allow to design router-style firewall with any NICs.
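
Added illustration, not part of the thread and not FreeBSD source: a simplified user-space model of why reordering hooks cannot make ipfw see a packet after pf route-to, following the statement quoted in comment #3 that pf_route() calls ifp->if_output() directly. The verdict names, hook functions and interface names em0/em1 are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts a hook can return; a simplified stand-in for pfil(9) results. */
enum verdict { V_PASS, V_DROPPED, V_CONSUMED };

/* Constructed packet record: only the fields the model needs. */
struct pkt {
    const char *out_if;    /* interface the stack chose for output       */
    const char *sent_via;  /* interface the packet was transmitted on    */
    const char *ipfw_saw;  /* interface ipfw observed, NULL if never run */
};

typedef enum verdict (*hook_fn)(struct pkt *);

/* Model of a pf rule with route-to: transmit directly on another
 * interface and report that the packet is gone (assumed behaviour). */
static enum verdict hook_pf_route_to(struct pkt *p)
{
    p->out_if = "em1";
    p->sent_via = p->out_if;   /* stands in for ifp->if_output() */
    return V_CONSUMED;
}

/* Model of ipfw: record which interface the packet was seen on. */
static enum verdict hook_ipfw(struct pkt *p)
{
    p->ipfw_saw = p->out_if;
    return V_PASS;
}

/* Walk the output hooks in order; stop at the first non-pass verdict. */
static enum verdict run_output_head(hook_fn *hooks, size_t n, struct pkt *p)
{
    for (size_t i = 0; i < n; i++) {
        enum verdict v = hooks[i](p);
        if (v != V_PASS)
            return v;
    }
    p->sent_via = p->out_if;   /* normal transmit by the stack */
    return V_PASS;
}

/* Run one constructed packet, routed to em0, through the chosen order. */
static struct pkt run_order(int pf_first)
{
    hook_fn pf_then_ipfw[] = { hook_pf_route_to, hook_ipfw };
    hook_fn ipfw_then_pf[] = { hook_ipfw, hook_pf_route_to };
    struct pkt p = { "em0", NULL, NULL };

    run_output_head(pf_first ? pf_then_ipfw : ipfw_then_pf, 2, &p);
    return p;
}

int main(void)
{
    struct pkt a = run_order(1), b = run_order(0);

    printf("pf first:   ipfw saw %s, sent via %s\n",
        a.ipfw_saw ? a.ipfw_saw : "nothing", a.sent_via);
    printf("ipfw first: ipfw saw %s, sent via %s\n",
        b.ipfw_saw ? b.ipfw_saw : "nothing", b.sent_via);
    return 0;
}
```

In both orders of the model the packet leaves on em1 without ipfw ever observing it there; with ipfw first it sees only the pre-route-to interface.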