Date: Mon, 2 Aug 2021 21:12:18 +0200
From: Andreas Longwitz <longwitz@incore.de>
To: freebsd-ipfw@freebsd.org
Subject: Re: How to Force Packet Traversal Order (IPFW2 => PF)
Message-ID: <8c98b127-3241-4d3f-378b-10c03595ab8a@incore.de>

If both pf and ipfw2 are active firewalls then I change their sequence with

    pfctl -d; pfctl -e

to set pf in the first place or with

    sysctl net.inet.ip.fw.enable=0; sysctl net.inet.ip.fw.enable=1

to set ipfw2 in the first place. To check for the actual sequence I use a hack with the help of the kernel debugger:

    echo -n "Sequence of firewall functions for incoming packets: "
    # gdb commands: print the first two hooks on the inbound pfil chain
    cat > .gdbinit << EOF
    p *(*pfil_head_list->lh_first)->ph_in->tqh_first
    p *(*(*pfil_head_list->lh_first)->ph_in->tqh_first)->pfil_chain->tqe_next
    quit
    EOF
    # use the running kernel image, fall back to the default path
    kernel=$(sysctl -n kern.bootfile)
    test -f ${kernel} || kernel="/boot/kernel/kernel"
    # keep only the function names shown as <name> on the pfil_func lines
    {
        kgdb ${kernel} /dev/mem
    } 2>/dev/null | \
        { grep pfil_func | sed -e 's/.*<\(.*\)>.*/ \1/' | xargs echo; }
    rm .gdbinit

It would be fine to have a sysctl variable to get this information.

Andreas
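An added example, not part of the message above: a check that turns the printed hook sequence into a pass/fail result, so a boot or monitoring script can notice when the packet filters are not in the intended order. The sample kgdb output, the hook names in it and the function names `hook_order` and `check_first_hook` are assumptions constructed for illustration; on a real host the input would be the output of the kgdb call in the message.

```shell
#!/bin/sh
# Constructed sample of what the two kgdb "p" commands might print on a host
# where pf sits first; addresses and hook names are illustrative only.
sample_kgdb_output() {
cat << 'EOF'
$1 = {pfil_chain = {tqe_next = 0xfffff80003b4d100, tqe_prev = 0xfffff80003a0c018}, pfil_func = 0xffffffff82a1c4d0 <pf_check_in>, pfil_func_flags = 0, pfil_arg = 0x0}
$2 = {pfil_chain = {tqe_next = 0x0, tqe_prev = 0xfffff80003b4d100}, pfil_func = 0xffffffff80d3e7a0 <ipfw_check_packet>, pfil_func_flags = 0, pfil_arg = 0x0}
EOF
}

# Read kgdb output on stdin, print the hook function names in chain order,
# space separated. Only the <symbol> that follows "pfil_func = " is taken.
hook_order() {
    sed -n 's/.*pfil_func = [^<]*<\([^>+]*\).*/\1/p' | paste -sd ' ' -
}

# Usage: <kgdb output> | check_first_hook <expected first hook>
# Returns 0 if the expected hook is first, 1 if another hook is first,
# 2 if nothing could be parsed (kgdb failed silently or the layout changed).
check_first_hook() {
    expected=$1
    order=$(hook_order)
    if [ -z "$order" ]; then
        echo "no pfil hooks parsed; cannot verify firewall order" >&2
        return 2
    fi
    first=${order%% *}
    if [ "$first" != "$expected" ]; then
        echo "hook order is '$order', expected $expected first" >&2
        return 1
    fi
    echo "ok: $order"
}

# Demo on the constructed sample.
sample_kgdb_output | check_first_hook pf_check_in
```

The separate exit status for empty input matters because the pipeline in the message discards kgdb's errors with `2>/dev/null`, so a failed debugger run would otherwise look like an empty but valid result.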