From: Andrew White
Date: Sun, 18 Aug 2019 13:15:17 +0100
Subject: Re: pf (rules and nat) + (ipfw + dummynet)
To: Kristof Provost
Cc: freebsd-net@freebsd.org
In-Reply-To: <20190817215151.GA8888@vega.codepro.be>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Aug 17, 2019 at 10:51 PM Kristof Provost wrote:
> On 2019-08-17 22:25:44 (+0100), Andrew White wrote:
> > Using 11.3, I've been trying to configure pf with dummynet. Having ipfw
> > reply traffic sent into a dummynet pipe causes pf to reject the traffic.
> >
> > Searching around and looking at ip_input.c it looks like dummynet reinjects
> > the packet back into input and this is what causes the problem, I'm
> > guessing the checksum changes.
> >
> I would expect both firewalls to leave the packets with correct
> checksums, but I have to add the disclaimer that I do not consider
> mixing firewalls to be a supported use case. I can think of several
> things (IPv6 fragment handling, route-to at least) where combining pf
> with another firewall is very likely to break.
>

I agree, mixing firewalls carries risks, but AFAIK the only current way to use pf with dummynet in FreeBSD is to mix with ipfw. My use case is simple and would only cover basic permits to route into dummynet, so I would hope some of the edge cases around frags etc. wouldn't apply.

A sample patch (that doesn't appear to work for me) is https://github.com/opnsense/src/commit/7514cc670601b566f30e0386ef8885660a27aa5a#diff-f038606be7fc68e05878b9cdbb32e21f

I'll debug a bit more and find/write/modify a patch to see if I can address it.

> Regards,
> Kristof
>
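The checksum guess above can be settled from a capture rather than argued about. What follows is an added example, not code from this thread, from pf, ipfw or the OPNsense patch: a stand-alone RFC 1071 verifier for the IPv4 header checksum. Log the rejected packets with a `log` keyword on the pf rule, capture them with `tcpdump -n -e -xx -i pflog0`, and paste the IPv4 header bytes (after the pflog header) to the program. The two sample headers in the block are constructed for illustration (the first is the well-known 20-byte example header, the second is the same header with the TTL decremented but the checksum left stale); the function names are mine.

```c
/* Added example: verify an IPv4 header checksum (RFC 1071 one's complement).
 * Not part of the thread, pf, ipfw or dummynet; plain user-space C. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One's-complement sum of 16-bit big-endian words, continuing from `sum`.
 * An odd trailing byte is padded with a zero low byte, carries are folded. */
static uint32_t ones_sum(const uint8_t *p, size_t len, uint32_t sum)
{
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (i < len)
        sum += (uint32_t)p[i] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return sum;
}

/* Checksum the header *should* carry: sum all words except bytes 10-11
 * (the checksum field itself, treated as zero), then complement. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t ihl_bytes)
{
    uint32_t sum = ones_sum(hdr, 10, 0);
    sum = ones_sum(hdr + 12, ihl_bytes - 12, sum);
    return (uint16_t)(~sum & 0xffff);
}

/* 1 if the header is IPv4, has a sane IHL and its checksum field matches
 * its contents (sum over the whole header, field included, folds to 0xffff);
 * 0 otherwise. */
int ipv4_header_valid(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return 0;
    return ones_sum(pkt, ihl, 0) == 0xffff;
}

/* Parse hex digits (whitespace ignored, as in tcpdump -xx output with the
 * offset column removed) into buf. Returns the byte count, 0 on bad input. */
size_t hex_to_bytes(const char *hex, uint8_t *buf, size_t cap)
{
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        int v;
        if (isspace((unsigned char)*hex))
            continue;
        if (!isxdigit((unsigned char)*hex))
            return 0;
        v = isdigit((unsigned char)*hex) ? *hex - '0'
                                         : tolower((unsigned char)*hex) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n == cap)
            return 0;
        buf[n++] = (uint8_t)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? n : 0;   /* odd number of digits is an error */
}

/* Constructed sample: 20-byte header, TTL 64, UDP, 192.168.0.1 -> 192.168.0.199,
 * checksum 0xb861 is correct for these bytes. */
const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* Same header after a TTL decrement (0x40 -> 0x3f) with the checksum left
 * stale: the kind of corruption the thread is speculating about. */
const uint8_t corrupt_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x3f, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

int main(int argc, char **argv)
{
    uint8_t buf[1500];
    const uint8_t *p = sample_hdr;
    size_t n = sizeof sample_hdr, ihl;
    if (argc > 1) {               /* argv[1]: hex bytes of a captured header */
        n = hex_to_bytes(argv[1], buf, sizeof buf);
        if (n == 0) { fprintf(stderr, "bad hex input\n"); return 2; }
        p = buf;
    }
    ihl = (size_t)(p[0] & 0x0f) * 4;
    if (n < 20 || ihl < 20 || ihl > n) { fprintf(stderr, "not an IPv4 header\n"); return 2; }
    printf("checksum field 0x%04x, expected 0x%04x: %s\n",
           (p[10] << 8) | p[11], ipv4_header_checksum(p, ihl),
           ipv4_header_valid(p, n) ? "valid" : "INVALID");
    return ipv4_header_valid(p, n) ? 0 : 1;
}
```

If the headers of the reinjected packets validate, the checksum explanation is ruled out and the reinjection path itself (the packet traversing pf's input hook a second time with dummynet's state attached) is the next thing to instrument. Note that pf also checks transport checksums; the same `ones_sum` helper extends to UDP/TCP by prepending the pseudo-header, which is left out here to keep the example short.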