From owner-freebsd-ipfw@freebsd.org  Wed Mar  9 18:09:33 2016
Return-Path: <owner-freebsd-ipfw@freebsd.org>
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 55A66AC9B56
 for <freebsd-ipfw@mailman.ysv.freebsd.org>;
 Wed,  9 Mar 2016 18:09:33 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from gw.catspoiler.org (unknown [IPv6:2602:304:b010:ef20::f2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "gw.catspoiler.org", Issuer "gw.catspoiler.org" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3D2D0687
 for <freebsd-ipfw@freebsd.org>; Wed,  9 Mar 2016 18:09:33 +0000 (UTC)
 (envelope-from truckman@FreeBSD.org)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2])
 by gw.catspoiler.org (8.15.2/8.15.2) with ESMTP id u29I9PEv011156;
 Wed, 9 Mar 2016 10:09:29 -0800 (PST)
 (envelope-from truckman@FreeBSD.org)
Message-Id: <201603091809.u29I9PEv011156@gw.catspoiler.org>
Date: Wed, 9 Mar 2016 10:09:25 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
Subject: Re: ipwf dummynet vs. kernel NAT and firewall rules
To: franco@lastsummer.de
cc: freebsd-ipfw@freebsd.org
In-Reply-To: <DA540940-CED7-4E2E-8E1D-5088A140F2CB@lastsummer.de>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 18:09:33 -0000

On  9 Mar, Franco Fichtner wrote:
> Hi Don,
> 
> If you mean pf(4)-based NAT, there is a patch that originates from
> m0n0wall that handles the transition.  We're using it in OPNsense
> for that reason.  Here is the patch for 10.x, maybe that is what
> you're looking for:

Nope, I'm using ipfw in-kernel NAT, which is not the default in
rc.firewall, but is easy to paste in next to or in place of the default
natd configuration.

        case ${firewall_nat_enable} in
        [Yy][Ee][Ss])
                if [ -n "${firewall_nat_interface}" ]; then
                        if echo "${firewall_nat_interface}" | \
                                grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
                                firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
                        else
                                firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
                        fi
                        ${fwcmd} nat 123 config log ${firewall_nat_flags}
                        ${fwcmd} add nat 123 ip4 from any to any via ${firewall_nat_interface}
                fi
                ;;
        esac

My suspicion is that if a packet matches the rule to pass it to dummynet
that it is bypassing NAT.