Date:      Fri, 02 Sep 2016 12:30:02 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-i386@FreeBSD.org
Subject:   [Bug 212331] pfil processing order
Message-ID:  <bug-212331-10@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212331

            Bug ID: 212331
           Summary: pfil processing order
           Product: Base System
           Version: 10.3-STABLE
          Hardware: i386
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: srijan.nandi@gmail.com
                CC: freebsd-i386@FreeBSD.org

Created attachment 174315
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174315&action=edit
Packet Capture

Hello Everyone,

I am running FreeBSD 10.3-RELEASE-p7.

The setup that I have is that I have 2 WAN interfaces and 1 LAN interface. I
have configured both IPFW (for Traffic Shaping and Captive Portal) and PF for
all other filtering and NAT rules.

em0 - LAN
em1 - WAN1
em2 - WAN2

My scenario is that as soon as a connection is made to a website, IPFW catches
this port 80 traffic and redirects it to a Captive Portal listening on port
9000, and then, after authentication is successful via the Captive Portal, the
traffic is passed on to PF for further processing.

Here are the relevant IPFW rules:
1. For Captive Portal
[code]
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em0
add 5000 allow ip from any to any dst-port 443 via em0
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
add 5000 allow ip from any to any dst-port 80 via em0
[/code]
2. Allow authenticated traffic to PF
[code]
add 65533 pass ip from any to any
[/code]
PF, upon receiving these packets, makes a connection to the website and it
opens up.

As can be seen from the rule below:
[code]
pass in quick on em0 inet from 172.16.1.0/24 to any flags S/SA keep state
[/code]
Everything works pretty well.

However, as soon as I apply a route-to rule in PF, the processing order breaks.
So now, no longer does IPFW get the port 80 traffic to be redirected to port
9000. It simply passes it outside.

PF rule with route-to set:
[code]
pass in quick on em0 route-to (pppoe0 X.X.X.X) inet from 172.16.1.0/24 to any
flags S/SA keep state
[/code]
I require the processing to be such that for incoming traffic, IPFW should
process the packets first and then pass them on to PF. This works when route-to
is not set.

Attached is a tcpdump showing the same.

Any help will be highly appreciated. I have been banging my head around this
issue for days.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-212331-10>
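The report's symptom is that the rule-5000 `fwd` entries stop seeing port 80 traffic once pf's route-to rule is active. One way to confirm that from the ipfw side, as an added example that is not part of the bug report or of FreeBSD, is to snapshot `ipfw show` before and after opening one HTTP and one HTTPS connection from the LAN and diff the per-rule packet counters: a `fwd` rule whose counter did not move while the connection was made was never reached. The two snapshots embedded below are constructed for the demonstration (the counter values are invented; the rule bodies follow the report's rules, with `pass` shown as `allow` because that is how ipfw lists it). The column layout assumed is the one `ipfw show` prints: rule number, packet count, byte count, rule body. Since ipfw permits several rules under one number, as the report's four rule-5000 entries show, rules are keyed by number plus body rather than by number alone.

```python
"""Diff `ipfw show` counters to see whether the captive-portal fwd rules match.

Added example, not part of the bug report.  Snapshot `ipfw show` before and
after opening one port-80 and one port-443 connection from the LAN; a `fwd`
rule whose packet counter did not move was never reached by those packets.

`ipfw show` prints one rule per line as:  <rule#> <packets> <bytes> <rule body>
Several rules may share a number (the report has four rules numbered 5000), so
rules are keyed by (number, body) rather than by number alone.
"""
import re
import subprocess
from typing import Dict, Tuple

Key = Tuple[int, str]

# rule number, packet count, byte count, then the rule text
_RULE_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

# CONSTRUCTED snapshots in `ipfw show` layout; the counters are invented for
# the demonstration.  ipfw lists the reporter's `pass` rule as `allow`.
BEFORE = """\
05000       12      1440 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em0
05000       30      4100 allow ip from any to any dst-port 443 via em0
05000      100      8000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
05000      250     31000 allow ip from any to any dst-port 80 via em0
65533     9000   1200000 allow ip from any to any
65535      500     40000 deny ip from any to any
"""

AFTER = """\
05000       15      1800 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em0
05000       36      4900 allow ip from any to any dst-port 443 via em0
05000      100      8000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
05000      250     31000 allow ip from any to any dst-port 80 via em0
65533     9012   1201800 allow ip from any to any
65535      500     40000 deny ip from any to any
"""


def parse_ipfw_show(text: str) -> Dict[Key, Tuple[int, int]]:
    """Map (rule number, rule body) -> (packets, bytes) for each rule line."""
    counters: Dict[Key, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = _RULE_LINE.match(line)
        if m is None:
            continue  # blank lines and any non-rule output
        num, pkts, byts, body = m.groups()
        counters[(int(num), body)] = (int(pkts), int(byts))
    return counters


def counter_deltas(before: str, after: str) -> Dict[Key, int]:
    """Packet-count increase per rule between the two snapshots."""
    old = parse_ipfw_show(before)
    new = parse_ipfw_show(after)
    return {key: pkts - old.get(key, (0, 0))[0] for key, (pkts, _) in new.items()}


def fwd_rules_hit(before: str, after: str) -> Dict[Key, bool]:
    """True for each `fwd` rule whose packet counter moved during the test."""
    return {key: delta > 0
            for key, delta in counter_deltas(before, after).items()
            if key[1].startswith("fwd ")}


def snapshot() -> str:
    """Live snapshot on a FreeBSD host (needs root); not used by the offline demo."""
    return subprocess.run(["ipfw", "show"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # With the constructed data the port-443 fwd rule is HIT and the port-80
    # fwd rule is MISS, i.e. ipfw never saw the port-80 SYN on its input hook.
    for (num, body), hit in fwd_rules_hit(BEFORE, AFTER).items():
        print(f"rule {num:5d} {'HIT ' if hit else 'MISS'} {body}")
```

On a live host, replace `BEFORE` and `AFTER` with two calls to `snapshot()` around a single `fetch http://...` from a LAN client; comparing this with the packet capture attached to the report tells you whether the SYN reached ipfw at all or was already routed by pf.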