Date: Fri, 02 Sep 2016 12:30:02 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-i386@FreeBSD.org Subject: [Bug 212331] pfil processing order Message-ID: <bug-212331-10@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212331

Bug ID: 212331
Summary: pfil processing order
Product: Base System
Version: 10.3-STABLE
Hardware: i386
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: srijan.nandi@gmail.com
CC: freebsd-i386@FreeBSD.org

Created attachment 174315
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=174315&action=edit
Packet Capture

Hello Everyone,

I am running FreeBSD 10.3-RELEASE-p7. The setup that I have is that I have 2 WAN interfaces and 1 LAN interface. I have configured both IPFW (for Traffic Shaping and Captive Portal) and PF for all other filtering and NAT rules.

em0 - LAN
em1 - WAN1
em2 - WAN2

My scenario is that as soon as a connection is made to a website, IPFW catches this port 80 traffic and redirects it to a Captive Portal listening on port 9000, and then after authentication is successful via the Captive Portal, the traffic is passed on to PF for further processing.

Here are the relevant IPFW rules:

1. For Captive Portal

[code]
add 5000 fwd 127.0.0.1,8000 tcp from any to any dst-port 443 in via em0
add 5000 allow ip from any to any dst-port 443 via em0
add 5000 fwd 127.0.0.1,9000 tcp from any to any dst-port 80 in via em0
add 5000 allow ip from any to any dst-port 80 via em0
[/code]

2. Allow authenticated traffic to PF

[code]
add 65533 pass ip from any to any
[/code]

PF, upon receiving these packets, makes a connection to the website and it opens up, as can be seen from the rule below:

[code]
pass in quick on em0 inet from 172.16.1.0/24 to any flags S/SA keep state
[/code]

Everything works pretty well. However, as soon as I apply a route-to rule in PF, the processing order breaks. So now IPFW no longer gets the port 80 traffic to redirect to port 9000. It simply passes it outside.

PF rule with route-to set:

[code]
pass in quick on em0 route-to (pppoe0 X.X.X.X) inet from 172.16.1.0/24 to any flags S/SA keep state
[/code]

I require the processing to be such that for incoming traffic, IPFW should process the packets first and then pass them on to PF. This works when route-to is not set.

Attached is a tcpdump explaining the same.

Any help will be highly appreciated. I have been banging my head around this issue for days.

-- 
You are receiving this mail because:
You are on the CC list for the bug.