Date:      Tue, 20 Jun 2023 14:18:54 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 272094] pfilctl IPFW hook order not works with PF route-to
Message-ID:  <bug-272094-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272094

            Bug ID: 272094
           Summary: pfilctl IPFW hook order not works with PF route-to
           Product: Base System
           Version: 13.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: burak.sn@outlook.com
                CC: glebius@FreeBSD.org, ipfw@FreeBSD.org, kp@freebsd.org,
                    pf@FreeBSD.org

Hi, I have created a simple captive portal using IPFW on my FreeBSD 13.2-RELEASE
machine.

I am currently using both IPFW and PF at the same time, but some will say this
is a bad idea. I used IPFW for the captive portal, bandwidth management and any
other Layer 2 filtering purposes, and PF for general firewalling processes like
block, NAT and route-to.

Bug #212331 references the same error, but based on FreeBSD 10.3.

My problem:
When I apply both the captive portal and the PBR rule on igb1, IPFW fwd cannot
redirect unauthenticated users to the portal page. I think the packets that
first hit PF route-to are sent directly to the output interface, so that
traffic does not hit IPFW. So I tried to use the newly implemented "pfilctl"
tool to change the PF/IPFW hook order, and I tried every combination, but with
no luck. I am awaiting your kind responses.

// FreeBSD's default hook order (PF first)
# pfilctl heads

 Intercept point     Type
           inet6     IPv6
                           In               pf      default-in6
                           In             ipfw         default6
                          Out             ipfw         default6
                          Out               pf     default-out6
            inet     IPv4
                           In               pf       default-in
                           In             ipfw          default
                          Out             ipfw          default
                          Out               pf      default-out
        ethernet Ethernet
                           In             ipfw     default-link
                          Out             ipfw     default-link

// My IPFW-first settings
pfilctl unlink -ia ipfw:default inet
pfilctl unlink -oa ipfw:default inet
pfilctl unlink -ia pf:default-in inet
pfilctl unlink -oa pf:default-out inet

// I tried every combination of linking
pfilctl link -ia ipfw:default inet
pfilctl link -ia pf:default-in inet
pfilctl link -oa pf:default-out inet
pfilctl link -oa ipfw:default inet

Intercept point     Type
           inet6     IPv6
                           In               pf      default-in6
                           In             ipfw         default6
                          Out             ipfw         default6
                          Out               pf     default-out6
            inet     IPv4
                           In             ipfw          default
                           In               pf       default-in
                          Out             ipfw          default
                          Out               pf      default-out
        ethernet Ethernet
                           In             ipfw     default-link
                          Out             ipfw     default-link

// ROUTE-TO RULE
pass in log quick on { igb1 } route-to {  ( igb0 192.168.30.1 )  }   inet  from {  any } to {  any }

-- 
You are receiving this mail because:
You are on the CC list for the bug.
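As an added example that is not part of the bug report: a small sh script that extracts the per-direction hook order from `pfilctl heads` output, so that a relink intended to put ipfw ahead of pf on the inet head can be verified mechanically rather than by eye. The sample listing is constructed from the post-relink output in the report, and the function names (hook_order, first_hook, ipfw_first) are my own.

```sh
#!/bin/sh
# Added example, not part of the bug report: extract the hook order from
# `pfilctl heads` output so a relink meant to put ipfw ahead of pf on inet
# can be checked mechanically. SAMPLE_HEADS is constructed from the report's
# post-relink listing; on a live system use "$(pfilctl heads)" instead.
SAMPLE_HEADS='Intercept point     Type
           inet6     IPv6
                           In               pf      default-in6
                           In             ipfw         default6
                          Out             ipfw         default6
                          Out               pf     default-out6
            inet     IPv4
                           In             ipfw          default
                           In               pf       default-in
                          Out             ipfw          default
                          Out               pf      default-out
        ethernet Ethernet
                           In             ipfw     default-link
                          Out             ipfw     default-link'

# hook_order HEADS_OUTPUT HEAD DIRECTION: print the hook modules (pf, ipfw)
# attached to HEAD (inet, inet6, ethernet) for DIRECTION (In or Out), in
# the order the listing shows them, separated by spaces.
hook_order() {
    printf '%s\n' "$1" | awk -v head="$2" -v dir="$3" '
        NF == 2 { cur = $1; next }   # two fields: a new intercept point
        NF == 3 && cur == head && $1 == dir {   # three fields: one hook
            out = out (out ? " " : "") $2
        }
        END { print out }'
}

# first_hook HEADS_OUTPUT HEAD DIRECTION: the module listed first.
first_hook() { hook_order "$1" "$2" "$3" | awk '{ print $1 }'; }

# ipfw_first HEADS_OUTPUT HEAD: succeed only if ipfw is listed first on
# both the In and Out chains of HEAD, the result the relink aims for.
ipfw_first() {
    [ "$(first_hook "$1" "$2" In)" = ipfw ] &&
        [ "$(first_hook "$1" "$2" Out)" = ipfw ]
}

for head in inet inet6; do
    printf '%-5s In: %-8s Out: %s\n' "$head" \
        "$(hook_order "$SAMPLE_HEADS" "$head" In)" \
        "$(hook_order "$SAMPLE_HEADS" "$head" Out)"
    if ipfw_first "$SAMPLE_HEADS" "$head"; then echo "  ipfw first on $head"; fi
done
```

Against the sample, inet reports ipfw first in both directions while inet6 still has pf first on In, which is exactly the difference the reporter's relink commands produced.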



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-272094-16861>