Date:      Mon, 2 Aug 2021 21:12:18 +0200
From:      Andreas Longwitz <longwitz@incore.de>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: How to Force Packet Traversal Order (IPFW2 => PF)
Message-ID:  <8c98b127-3241-4d3f-378b-10c03595ab8a@incore.de>

If both pf and ipfw2 are active firewalls then I change their sequence with
   pfctl -d; pfctl -e
to set pf in the first place or with
   sysctl net.inet.ip.fw.enable=0; sysctl net.inet.ip.fw.enable=1
to set ipfw2 in the first place.

To check for the actual sequence I use a hack with the help of the
kernel debugger:

   # Print the pfil hook functions for incoming packets in traversal order.
   # kgdb reads the live kernel through /dev/mem; the two gdb expressions
   # walk the kernel's pfil_head_list, so the member names are specific to
   # the pfil(9) implementation of the running kernel.
   echo -n "Sequence of firewall functions for incoming packets: "
cat > .gdbinit << EOF
p *(*pfil_head_list->lh_first)->ph_in->tqh_first
p *(*(*pfil_head_list->lh_first)->ph_in->tqh_first)->pfil_chain->tqe_next
quit
EOF
   # Debug the kernel that was actually booted, falling back to the default path.
   kernel=$(sysctl -n kern.bootfile)
   test -f ${kernel} || kernel="/boot/kernel/kernel"
   # sh requires the ";" before the closing "}" of a command group.
   { kgdb ${kernel} /dev/mem; } 2>/dev/null | \
   { grep pfil_func | sed -e 's/.*<\(.*\)>.*/     \1/' | xargs echo; }
   rm .gdbinit

It would be fine to have a sysctl variable to get this information.

Andreas