Date:      Wed, 21 Jun 2023 15:42:34 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Message-ID:  <bug-272094-16861-SPgjukj6n3@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-272094-16861@https.bugs.freebsd.org/bugzilla/>
References:  <bug-272094-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

Franco Fichtner <franco@opnsense.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |franco@opnsense.org

--- Comment #6 from Franco Fichtner <franco@opnsense.org> ---
Two things here:

1. Having a netpfil facility accommodating for multiple packet filters at the
same time and saying you shouldn't mix it is not a good argument, because e.g.
the ordering between ipfw/pf is easily made deterministic with something like:

# pfctl -d
# pfctl -e

2. route-to's if_output is derived from OpenBSD where only one packet filter
exists.  There has been a proposal for several years to change that:

https://reviews.freebsd.org/D8877

It's practically been accepted back then, but was never merged. I have updated
code based on stable/13.  I am happy to rebase on main if someone can take this
on...


Cheers,
Franco

-- 
You are receiving this mail because:
You are on the CC list for the bug.


