From owner-freebsd-net@FreeBSD.ORG Sat Jul 8 13:57:18 2006
Date: Sat, 8 Jul 2006 10:57:14 -0300
From: "Andre Santos"
To: freebsd-net@freebsd.org
Subject: Incompatibility between dummynet and PF rdr.
List-Id: Networking and TCP/IP with FreeBSD

Are there any known compatibility problems between dummynet and PF rdr rules? When I try to combine both, the packets seem to simply disappear. Here's how to reproduce it on 6.1-RELEASE:

Load PF.
TCP connections coming in on lnc1 will be redirected to the local SSH server.

    kldload pf
    pfctl -e
    echo "rdr on lnc1 proto tcp -> 127.0.0.1 port 22" \
        | pfctl -f -

Add dummynet:

    kldload ipfw; ipfw add 65000 allow ip from any to any
    kldload dummynet
    ipfw pipe 1 config mask all
    ipfw add 1 pipe 1 ip from any to any

Up to this point, everything works well, but here's where it breaks. After disabling and re-enabling PF, the only packets on this system are SYNs coming in on lnc1; all other interfaces are quiet (lo0, lnc0).

    pfctl -d
    pfctl -e

PF rules are still in place, dummynet gets the SYN packets, but then they go somewhere where I can't find them. tcpdump on lnc1 shows only the SYN packets coming in, all other interfaces are quiet.

Could somebody please help me find these lost packets? Thank you!

If you invert the order and load ipfw/dummynet before PF, the disabling and re-enabling step is not even necessary. The ftp-proxy in OpenBSD >= 3.9 creates rules that don't need the disabling and re-enabling step to fail. Both active and passive data connections don't work.

    # ipfw show
    00001 401 36224 pipe 1 ip from any to any
    65000 0 0 allow ip from any to any
    65535 0 0 deny ip from any to any

    # pfctl -vsn
    [ ... no ALTQ support ... ]
    rdr on lnc1 inet proto tcp all -> 127.0.0.1 port 22
      [ Evaluations: 779 Packets: 85 Bytes: 5013 States: 0 ]

On systems that have ethernet interfaces only, I can work around the problem by running:

    # sysctl -w net.inet.ip.fw.enable=0
    # sysctl -w net.link.ether.ipfw=1
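As an added diagnostic, not part of Andre's post or of FreeBSD itself: a small sh script that reads captured `ipfw show` and `pfctl -vsn` output (the samples embedded below are constructed from the counters quoted above) and flags the symptom described, packets counted by the dummynet pipe rule while the rdr rule reports no states.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Given the text of
# `ipfw show` and `pfctl -vsn`, report whether traffic is entering the
# dummynet pipe rule while the PF rdr rule has created no state.
# The two sample outputs below are constructed for this example.

IPFW_SHOW='00001 401 36224 pipe 1 ip from any to any
65000 0 0 allow ip from any to any
65535 0 0 deny ip from any to any'

PFCTL_VSN='rdr on lnc1 inet proto tcp all -> 127.0.0.1 port 22
  [ Evaluations: 779 Packets: 85 Bytes: 5013 States: 0 ]'

# Packet counter of the first ipfw rule whose action is "pipe"
# (ipfw show columns: rule number, packets, bytes, rule text).
pipe_packets() {
    printf '%s\n' "$1" | awk '$4 == "pipe" { print $2; exit }'
}

# "States:" counter printed under the first rdr rule in verbose pfctl output.
rdr_states() {
    printf '%s\n' "$1" | awk '
        /^rdr / { in_rdr = 1; next }
        in_rdr && /States:/ {
            for (i = 1; i <= NF; i++) if ($i == "States:") { print $(i + 1); exit }
        }'
}

# Prints "lost" when the pipe saw packets but rdr holds no state, else "ok".
diagnose() {
    p=$(pipe_packets "$1")
    s=$(rdr_states "$2")
    if [ "${p:-0}" -gt 0 ] && [ "${s:-0}" -eq 0 ]; then
        echo lost
    else
        echo ok
    fi
}

diagnose "$IPFW_SHOW" "$PFCTL_VSN"
```

On a live box, feed it `"$(ipfw show)"` and `"$(pfctl -vsn)"` instead of the embedded samples.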