On 2019-08-17 22:25:44 (+0100), Andrew White <andywh...@gmail.com> wrote:
> Using 11.3, I've been trying to configure pf with dummynet. Having ipfw
> reply traffic sent into a dummynet pipe causes pf to reject the traffic.
>
> Searching around and looking at ip_input.c it looks like dummynet reinjects
> the packet back into input and this is what causes the problem, I'm
> guessing the checksum changes.
>
I would expect both firewalls to leave the packets with correct checksums,
but I have to add the disclaimer that I do not consider mixing firewalls to
be a supported use case. I can think of several things (IPv6 fragment
handling, route-to at least) where combining pf with another firewall is
very likely to break.

> Is this a known behaviour and are there functioning patches? I see
> projects like OPNsense and pfSense have patches for ip_input.c to skip some
> of the code if it's a reinjected packet from dummynet
>
> I also see some work underway to separate dummynet from ipfw, are there any
> docs for the goals or timelines, will this allow dummynet anchors and use
> of dnctl to use pf with dummynet like in macOS?
>
This work was started by a prospective GSoC student, but they were not
selected, and I have not seen any big patches come out of it.
It's not on my own todo list.

Regards,
Kristof