Date:      Sat, 8 Jul 2006 10:57:14 -0300
From:      "Andre Santos" <andre.netvision.com.br@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Incompatibility between dummynet and PF rdr.
Message-ID:  <efb1abb0607080657o3f1959b7v96626c8869c4d714@mail.gmail.com>

Are there any known compatibility problems between dummynet and PF rdr rules?
When I try to combine both, the packets seem to simply disappear.
Here's how to reproduce it on 6.1-RELEASE:

Load PF.
TCP connections coming in on lnc1 will be redirected to the local SSH server.

kldload pf
pfctl -e
echo "rdr on lnc1 proto tcp -> 127.0.0.1 port 22" \
   | pfctl -f -

Add dummynet:

kldload ipfw; ipfw add 65000 allow ip from any to any
kldload dummynet
ipfw pipe 1 config mask all
ipfw add 1 pipe 1 ip from any to any

Up to this point, everything works well, but here's where it breaks.
After disabling and re-enabling PF, the only packets on this system
are SYNs coming in on lnc1; all other interfaces are quiet (lo0,
lnc0).

pfctl -d
pfctl -e

PF rules are still in place, dummynet gets the SYN packets, but then
they go somewhere where I can't find them. tcpdump on lnc1 shows only
the SYN packets coming in, all other interfaces are quiet.

Could somebody please help me find these lost packets?

Thank you!

If you invert the order and load ipfw/dummynet before PF, the
disabling and re-enabling step is not even necessary.

The ftp-proxy in OpenBSD >= 3.9 creates rules that don't need the
disabling and re-enabling step to fail. Both active and passive data
connections don't work.

# ipfw show
00001 401 36224 pipe 1 ip from any to any
65000   0     0 allow ip from any to any
65535   0     0 deny ip from any to any

# pfctl -vsn
[ ... no ALTQ support ... ]
rdr on lnc1 inet proto tcp all -> 127.0.0.1 port 22
  [ Evaluations: 779       Packets: 85        Bytes: 5013        States: 0 ]

On systems that have ethernet interfaces only, I can work around the
problem by running:
# sysctl -w net.inet.ip.fw.enable=0
# sysctl -w net.link.ether.ipfw=1
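The counters quoted above (`ipfw show` and `pfctl -vsn`) are the most direct way to trace where the SYNs are being accounted. The script below is an added example, not code from the original post or from the FreeBSD project: it parses both output formats, takes a "before" and an "after" snapshot around a test connection, and reports which rules saw the packets. The "before" snapshot is the output quoted in the message; the "after" snapshot and its numbers are constructed for illustration, not measured.

```python
"""Counter-based triage for a dummynet + PF rdr packet-loss report.

Added example (not from the original post). Parses `ipfw show` and
`pfctl -vsn` output, diffs two snapshots and reports where packets were
counted. Sample data: the 'before' snapshot is the output quoted in the
mailing-list message; the 'after' snapshot is constructed.
"""
import re

# `ipfw show` line: "00001 401 36224 pipe 1 ip from any to any"
IPFW_LINE = re.compile(r'^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$')
# Statistics line that `pfctl -vsn` prints under each rule.
PF_STATS = re.compile(
    r'\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]')


def parse_ipfw_show(text):
    """Parse `ipfw show` output into {rule_number: {packets, bytes, body}}."""
    rules = {}
    for line in text.splitlines():
        m = IPFW_LINE.match(line.strip())
        if m:
            rules[int(m.group(1))] = {
                'packets': int(m.group(2)),
                'bytes': int(m.group(3)),
                'body': m.group(4),
            }
    return rules


def parse_pf_rules(text):
    """Parse `pfctl -vsn` output into {rule_text: {evaluations, packets, bytes, states}}.

    A rule line is followed by its bracketed statistics line; bracketed
    lines that are not statistics (e.g. the ALTQ notice) are ignored.
    """
    rules = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        m = PF_STATS.search(s)
        if m:
            if current is not None:
                rules[current] = dict(zip(
                    ('evaluations', 'packets', 'bytes', 'states'),
                    (int(x) for x in m.groups())))
            current = None
        elif not s.startswith('['):
            current = s
    return rules


def _delta(before, after, key):
    """Per-rule difference of one counter between two parsed snapshots."""
    return {k: after[k][key] - before[k][key] for k in after if k in before}


def locate_packets(ipfw_before, ipfw_after, pf_before, pf_after):
    """Report where packets were accounted between two counter snapshots.

    The finding only restates what the counters show: how many packets the
    dummynet pipe rules counted versus how many any PF rdr rule counted.
    """
    ipfw_b, ipfw_a = parse_ipfw_show(ipfw_before), parse_ipfw_show(ipfw_after)
    pf_b, pf_a = parse_pf_rules(pf_before), parse_pf_rules(pf_after)
    ipfw_d = _delta(ipfw_b, ipfw_a, 'packets')
    pf_d = _delta(pf_b, pf_a, 'packets')

    def ipfw_sum(action):
        return sum(d for n, d in ipfw_d.items() if ipfw_a[n]['body'].startswith(action))

    report = {
        'dummynet_pipe': ipfw_sum('pipe'),
        'ipfw_allow': ipfw_sum('allow'),
        'ipfw_deny': ipfw_sum('deny'),
        'pf_rdr': sum(d for r, d in pf_d.items() if r.startswith('rdr')),
        'pf_states': max((v['states'] for v in pf_a.values()), default=0),
    }
    if report['dummynet_pipe'] > 0 and report['pf_rdr'] == 0:
        report['finding'] = ('%d packet(s) counted by a dummynet pipe, 0 by any PF rdr rule'
                             % report['dummynet_pipe'])
    elif report['pf_rdr'] > 0:
        report['finding'] = '%d packet(s) counted by a PF rdr rule' % report['pf_rdr']
    else:
        report['finding'] = 'no packets counted by either firewall'
    return report


# Snapshot quoted in the post (before the test connection).
IPFW_BEFORE = """\
00001 401 36224 pipe 1 ip from any to any
65000   0     0 allow ip from any to any
65535   0     0 deny ip from any to any
"""
PF_BEFORE = """\
[ ... no ALTQ support ... ]
rdr on lnc1 inet proto tcp all -> 127.0.0.1 port 22
  [ Evaluations: 779       Packets: 85        Bytes: 5013        States: 0 ]
"""
# Constructed 'after' snapshot: one attempted connection, initial SYN plus
# three retransmits of 60 bytes each. Illustrative, not measured output.
IPFW_AFTER = """\
00001 405 36464 pipe 1 ip from any to any
65000   0     0 allow ip from any to any
65535   0     0 deny ip from any to any
"""
PF_AFTER = PF_BEFORE

if __name__ == '__main__':
    for k, v in locate_packets(IPFW_BEFORE, IPFW_AFTER, PF_BEFORE, PF_AFTER).items():
        print('%-14s %s' % (k, v))
```

Run it twice around a single `telnet <host> <port>` attempt (snapshot, connect, snapshot) instead of reading cumulative counters; the 65000 allow rule staying at 0 while the pipe rule counts is expected with the default `net.inet.ip.fw.one_pass=1`, where a packet leaving a pipe is not run through the ruleset again, so the interesting comparison is the pipe counter against the rdr rule's packet counter and state count.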



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?efb1abb0607080657o3f1959b7v96626c8869c4d714>