Date: Sat, 17 Aug 2019 23:51:51 +0200
From: Kristof Provost <kp@freebsd.org>
To: Andrew White <andywhite@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: pf (rules and nat) + (ipfw + dummynet)
Message-ID: <20190817215151.GA8888@vega.codepro.be>
In-Reply-To: <CAOZMOUFfzoVj2mtOHcQRpkrjU%2B02-kik%2BNt7m0_oELUW=H=RXg@mail.gmail.com>
References: <CAOZMOUFfzoVj2mtOHcQRpkrjU%2B02-kik%2BNt7m0_oELUW=H=RXg@mail.gmail.com>
On 2019-08-17 22:25:44 (+0100), Andrew White <andywhite@gmail.com> wrote:
> Using 11.3, I've been trying to configure pf with dummynet. Having ipfw
> reply traffic sent into a dummynet pipe causes pf to reject the traffic.
>
> Searching around and looking at ip_input.c it looks like dummynet reinjects
> the packet back into input and this is what causes the problem, I'm
> guessing the checksum changes.
>
I would expect both firewalls to leave the packets with correct checksums, but I have to add the disclaimer that I do not consider mixing firewalls to be a supported use case. I can think of several things (IPv6 fragment handling, route-to at least) where combining pf with another firewall is very likely to break.

> Is this a known behaviour and are there functioning patches? I see
> projects like opnsense and pfsense have patches for ip_input.c to skip some
> of the code if it's a reinjected packet from dummynet
>
> I also see some work underway to separate dummynet from ipfw, is there any
> docs for the goals or timelines, will this allow dummynet anchors and use
> of dnctl to use pf with dummynet like in macos?
>
This work was started by a prospective gsoc student, but they were not selected, and I have not seen any big patches come out of it. It's not on my own todo list.

Regards,
Kristof