From: Cristian KLEIN (cristi@net.utcluj.ro)
Organization: Data Communication Center - Technical University of Cluj-Napoca
Date: Tue, 05 Dec 2006 03:22:15 +0200
To: freebsd-ipfw@freebsd.org
Subject: IPFW + dummynet + other firewall
Message-ID: <4574C9C7.3030807@net.utcluj.ro>

Hello everybody,

I sure hope this is relevant for the list.
I have been using IPFW and PF in FreeBSD 5.4 for some time, because I like PF's NAT and ftp-proxy, but I can't live without pipes. While giving me joy, this combination also results in some strange behaviour.

In the default configuration (i.e. firewall_enable="YES" and pf_enable="YES" in rc.conf) ipfw loads first and pf last, which has the great advantage of seeing untranslated packets in ipfw.

When combining ipfw + dummynet + pf, some strange behaviour occurs, due to the fact that dummynet reinjects the packets into ip_input(). The path of incoming packets looks like this:

    wire -> pf -> ipfw -> dummynet -> pf -> ipfw -> kernel

1) rdr rules to localhost (required for ftp-proxy etc.) which go through pipes fail, because ip_input() drops 127/8.

2) pass log rules make packets appear twice on pflog.

Other issues may exist.

I believe that the single solution would be something like in the pre-PFIL times, when ip_input() contained a jump directly to ipfw, and the packet was processed from where it left. However, this is pretty hard to implement in PFIL.

Any ideas?
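A minimal configuration that reproduces the setup described in the message above, given here as an added example (constructed for this page, not taken from the original post or from the FreeBSD sources). The interface name fxp0, the ipfw script path, the pipe number and bandwidth, and the ftp-proxy listening port 8021 are assumptions; the three files are shown in one block with a comment line marking each.

```conf
# /etc/rc.conf -- both firewalls enabled. With these settings ipfw is
# loaded before pf, so ipfw sees the packet before pf translates it.
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"   # assumed path for the ipfw rules below
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# /etc/ipfw.sh -- ipfw rules (assumed file): push inbound FTP control
# traffic through a dummynet pipe. The pipe is what reinjects the packet
# into ip_input(), so pf and ipfw run a second time on the same packet.
ipfw -q flush
ipfw -q pipe flush
ipfw pipe 1 config bw 512Kbit/s                     # assumed bandwidth
ipfw add 100 pipe 1 tcp from any to any 21 in via fxp0
ipfw add 65000 allow ip from any to any

# /etc/pf.conf -- redirect FTP to the local ftp-proxy and log what is
# accepted. Symptom 1: after the pipe, the packet re-enters ip_input()
# with destination 127.0.0.1 and is dropped there. Symptom 2: the
# "pass in log" rule logs the packet on each pass through pf.
ext_if = "fxp0"
rdr on $ext_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
pass in log on $ext_if proto tcp from any to 127.0.0.1 port 8021 keep state
```

To observe the second symptom, open an FTP connection from outside while watching pflog with `tcpdump -n -e -ttt -i pflog0`; each accepted packet should show up twice, as the message reports. Removing rule 100 (so the packet never enters the pipe) is the quickest way to confirm that the reinjection, not the rdr rule itself, is what breaks the redirect to localhost.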