Date: Sun, 18 Aug 2019 13:15:17 +0100 From: Andrew White <andywhite@gmail.com> To: Kristof Provost <kp@freebsd.org> Cc: freebsd-net@freebsd.org Subject: Re: pf (rules and nat) + (ipfw + dummynet) Message-ID: <CAOZMOUG=d5GQEEJGR7-3Z0Sy8iSd5-QpLLRmGWUaSQR4wm5pfg@mail.gmail.com> In-Reply-To: <20190817215151.GA8888@vega.codepro.be> References: <CAOZMOUFfzoVj2mtOHcQRpkrjU%2B02-kik%2BNt7m0_oELUW=H=RXg@mail.gmail.com> <20190817215151.GA8888@vega.codepro.be>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Aug 17, 2019 at 10:51 PM Kristof Provost <kp@freebsd.org> wrote: > On 2019-08-17 22:25:44 (+0100), Andrew White <andywhite@gmail.com> wrote: > > Using 11.3 , I've been trying to configure pf with dummynet. Having ipfw > > reply traffic sent into a dummynet pipe causes pf to reject the traffic. > > > > Searching around and looking at ip_input.c it looks like dummynet > reinjects > > the packet back into input and this is what causes the problem , I'm > > guessing the checksum changes. > > > I would expect both firewalls to leave the packets with correct > checksums, but I have to add the disclaimer that I do not consider > mixing firewalls to be a supported use case. I can think of several > things (IPv6 fragment handling, route-to at least) where combining pf > with another firewall is very likely to break. > > I agree, mixing firewalls carrys risks, but afaik the only current way to use pf with dummynet in freebsd is to mix with ipfw. my use case is simple and would only cover basic permits to route into dummynet, so I would hope some of the edgecases around frags etc wouldn't apply. A sample patch (that doesn't appear to work for me) is https://github.com/opnsense/src/commit/7514cc670601b566f30e0386ef8885660a27aa5a#diff-f038606be7fc68e05878b9cdbb32e21f I'll debug a bit more and find/write/modify a patch to see if I can address it. > I agree, mixing firewalls carrys risks, but afaik the only current way to > use pf with dummynet is to mix with ipfw > > Regards, > Kristof >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOZMOUG=d5GQEEJGR7-3Z0Sy8iSd5-QpLLRmGWUaSQR4wm5pfg>