Re: How to Force Packet Traversal Order (IPFW2 => PF)

From: Martin Beran <martin_at_mber.cz>
Date: Sat, 31 Jul 2021 22:19:53 UTC
On Fri, 30 Jul 2021 at 13:41, alfadev via freebsd-ipfw <freebsd-ipfw@freebsd.org> wrote:


> Hi,
> I have to use both IPFW and PF at the same time in my FreeBSD 12.2 gateway.
>
> According to my observations, the firewalls follow this order in all of my
> scenarios: PF => IPFW2. I see this exactly when I use PF's route-to option.
> When I create a load-balancing rule using PF's route-to, packets do not enter
> IPFW. So when I do PBR, IPFW rules like MAC-based piping, bandwidth,
> captive portal etc. do not work.
> So
> I am trying to get this order:
> input => ipfw => pf
>
> But I think I cannot change this order without touching the kernel level.
> When I did some research I found this:
> https://www.opennet.ru/tips/info/1431.shtml
>

I think that you do not need to touch kernel source, nor build a custom
kernel. The order of calling packet filtering modules depends on the order
of registering the modules to packet processing hooks. Instead of loading
the modules by their respective startup scripts, you can load them in the
required order by including them in /etc/rc.conf in variable kld_list. I do
not remember if the order of calling is the same or the opposite of the
order of module loading.

Martin Beran