Hi, I am currently in the process of translating the iptables/ip6tables + ip invocations in a C application to ipf/ipfw + route, to support systems with that. Before you ask, special case scenario, it has to be done this way, pf/npf seems to be no option. I am not 100% convinced that npf is not an option, but at this stage of code reading I want to try and replicate it with ipf/ipfw + route. The part of the application this is part of serves as a DNS query interceptor, a full rewrite as a DNS server is a future task.

question 1: pf knows about user <user>. what about ipf?

question 2: How do you exclude link-local traffic in ipf? (see appended file for the iptables example I refer to)

question 3: Can a person who knows more about firewalls than I do explain to me what this would be in ipf and ipfw?: iptables: table 'mangle' is for packet alteration, OUTPUT: for altering locally-generated packets before routing

code in question, without my local work: https://git.gnunet.org/gnunet.git/tree/src/dns/gnunet-helper-dns.c

Appended is a copy of my translation process and the original iptables/ip invocations (didn't achieve that much so far due to lack of time for reading). Thanks!
We must check in the C code that we are on BSD when we use the route command.
We must check that ipf / ipfw is enabled.
When ipf gets no -6 passed, the rule is applied for both ipv6 and ipv4.

pf knows about user <user>. what about ipf?
How to exclude link-local traffic in ipf?
iptables: table 'mangle' is for packet alteration, OUTPUT: for altering locally-generated packets before routing

-----------------------------------------------------------------------

// update routing tables
// forward everything from our EGID (which should only be held by the
// gnunet-service-dns) and with destination to port 53 on UDP, without
// hijacking
iptables -m owner -t mangle -I OUTPUT 1 -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
ip6tables -m owner -t mangle -I OUTPUT 1 -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
echo "pass out proto udp from any port = DNS_PORT" | ipf -f -

// mark all of the other dns traffic using our mark DNS_MARK, unless
// it is on a link-local IPv6 address, which we can not support.
iptables -t mangle -I OUTPUT 2 -p udp --dport DNS_PORT -j MARK --set-mark DNS_MARK
// ! -s fe80::/10 excludes link-local traffic
ip6tables -t mangle -I OUTPUT 2 -p udp --dport DNS_PORT ! -s fe80::/10 -j MARK --set-mark DNS_MARK
echo "pass out proto udp from any port = DNS_PORT set-tag(nat=DNS_MARK)" | ipf -f -
echo " " | ipf -6 -f -

// forward all marked dns traffic to our DNS_TABLE
ip rule add fwmark DNS_MARK table DNS_TABLE
ip -6 rule add fwmark DNS_MARK table DNS_TABLE
route
route

// finally add rule in our forwarding table to pass to our virtual interface
ip route add default dev dev table DNS_TABLE
ip -6 route add default dev dev table DNS_TABLE
route add default dev

// update routing tables again
// now undo updating of routing tables, normal exit or clean-up-on-error case
// cleanup_route_4:
ip -6 route del default dev dev table DNS_TABLE
// cleanup_route_4b:
ip route del default dev dev table DNS_TABLE
// cleanup_forward_3:
ip -6 rule del fwmark DNS_MARK table DNS_TABLE
// cleanup_forward_3b:
ip rule del fwmark DNS_MARK table DNS_TABLE
// cleanup_mark_2:
ip6tables -t mangle -D OUTPUT -p udp --dport DNS_PORT ! -s fe80::/10 -j MARK --set-mark DNS_MARK
echo " " | ipf -6 -f -
// cleanup_mark_2b:
iptables -t mangle -D OUTPUT -p udp --dport DNS_PORT -j MARK --set-mark DNS_MARK
echo " " | ipf -f -
// cleanup_mangle_1:
ip6tables -m owner -t mangle -D OUTPUT -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
echo " " | ipf -6 -f -
// cleanup_mangle_1b:
iptables -m owner -t mangle -D OUTPUT -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
echo " " | ipf -f -
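As an added sketch of how the three steps above (let our own group's DNS out, divert everyone else's DNS to the tun interface, undo it all on exit) map onto ipfw on FreeBSD; this is not code from the post or from GNUnet. ipfw's uid/gid options stand in for --gid-owner, and a single fwd rule replaces the fwmark plus policy-routing table because fwd sets the next hop directly. Assumed: an ipfw with the fwd action, a tun interface whose peer addresses TUN_PEER4/TUN_PEER6 are routed via that interface, and rule numbers 64100-64110 unused by the local ruleset.

```shell
#!/bin/sh
# Added sketch, not code from the post or from GNUnet: the helper's three
# steps expressed as ipfw rules.  Assumed: FreeBSD ipfw with the fwd action,
# a tun interface whose peer addresses (TUN_PEER4 / TUN_PEER6) are routed via
# that interface, and rule numbers 64100-64110 free in the admin's ruleset.

IPFW=${IPFW:-ipfw}        # set IPFW=echo to preview the rules instead of loading them
DNS_PORT=${DNS_PORT:-53}
BASE=64100                # first rule number reserved for the helper
PAST=$((BASE + 10))       # skipto target: resume the admin's own ruleset after ours

# rule NUMBER BODY... : install one numbered rule
rule() { n=$1; shift; "$IPFW" add "$n" "$@"; }

# dns_intercept_setup GID TUN_PEER4 TUN_PEER6
#   BASE+0  packets from the resolver's own group bypass the interception
#           (skipto rather than allow, so the admin's later filter rules still
#           apply; this is the counterpart of --gid-owner ... -j ACCEPT in mangle)
#   BASE+1  all other outgoing UDP/53 over IPv4 gets the tun peer as next hop
#   BASE+2  same for IPv6, except link-local sources, like "! -s fe80::/10"
# fwd changes the next hop directly, so no separate mark and policy-routing
# table (fwmark / DNS_TABLE) is needed on the ipfw side.
dns_intercept_setup() {
  gid=$1; tun4=$2; tun6=$3
  rule $((BASE + 0)) skipto "$PAST" udp from any to any "$DNS_PORT" out gid "$gid"
  rule $((BASE + 1)) fwd "$tun4" udp from any to any "$DNS_PORT" out ip4
  rule $((BASE + 2)) fwd "$tun6" udp from not fe80::/10 to any "$DNS_PORT" out ip6
}

# dns_intercept_teardown: ipfw rules are addressed by number, so the cleanup
# does not have to repeat the full match the way "iptables -D" does.
dns_intercept_teardown() {
  "$IPFW" delete $((BASE + 0)) $((BASE + 1)) $((BASE + 2))
}
```

Run with IPFW=echo first to see the exact rules before loading them on a live box.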