From: Daniel Hartmeier
To: Gerald McNulty
Cc: freebsd-pf@freebsd.org
Date: Fri, 6 Jan 2012 16:13:00 +0100
Subject: Re: Basic transparent filtering with pf
Message-ID: <20120106151300.GB24312@insomnia.benzedrine.cx>
References: <20120106074225.GA24312@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Fri, Jan 06, 2012 at 02:21:07PM +0000, Gerald McNulty wrote:

> I don't understand how rerouting the loopback address would solve this.
> There are 2 steps here - first the TCP handshake needs to be completed and
> then the kernel/pf needs to pass the packets to the correct socket. How is
> this supposed to work in pf? Or is this hidden/implicit in certain rule
> definitions?
After looking at ip_input.c and searching for M_FASTFWD_OURS, I think this only works with ipfw. Forwarding to loopback and the uid lookup are just what triggers it in ipfw, pf never sets that mbuf tag.

You can use pf and ipfw both at the same time, but for IP_BINDANY to do anything useful, you need that magic ipfw rule, to mark replies as belonging to a local socket (even though the destination address is non-local).

Daniel