NetBSD-Users archive


ipf questions



Hi,

I am currently in the process of translating the iptables/ip6tables +
ip invocations in a C application to ipf/ipfw + route, to support
systems with that. Before you ask, special case scenario, it has to
be done this way, pf/npf seems to be no option.
I am not 100% convinced that npf is not an option, but at this
stage of code reading I want to try and replicate it with ipf/ipfw + route.
The part of the application this is part of serves as a DNS query
interceptor; a full rewrite as a DNS server is a future task.

question 1: pf knows about user <user>. what about ipf?

question 2: How do you exclude link-local traffic in ipf? (see
appended file for the iptables example I refer to)

question 3: Can a person who knows more about Firewalls than I do
explain to me what this would be in ipf and ipfw?:

iptables: table 'mangle' is for packet alteration,
OUTPUT: for altering locally-generated packets before routing

code in question, without my local work:
https://git.gnunet.org/gnunet.git/tree/src/dns/gnunet-helper-dns.c

Appended is a copy of my translation process and the original iptables/ip
invocations (didn't achieve that much so far due to lack of time for reading).

Thanks!
We must check in the C code that we are on BSD when we use
the route command.
We must check that ipf / ipfw is enabled.

When ipf gets no -6 passed, the rule is applied for both ipv6 and ipv4.
pf knows about user <user>. what about ipf?
How to exclude link-local traffic in ipf?

iptables:
table 'mangle' is for packet alteration,
OUTPUT: for altering locally-generated packets before routing
-----------------------------------------------------------------------
// update routing tables
// forward everything from out EGID (which should only be held by the
// gnunet-service-dns) and with destination to port 53 on UDP, without
// hijacking
iptables -m owner -t mangle -I OUTPUT 1 -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
ip6tables -m owner -t mangle -I OUTPUT 1 -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
echo "pass out proto udp from any port = DNS_PORT" | ipf -f -

// mark all of the other dns traffic using our mark DNS_MARK, unless
// it is on a link-local IPv6 address, which we can not support.
iptables -t mangle -I OUTPUT 2 -p udp --dport DNS_PORT -j MARK --set-mark DNS_MARK
// ! -s fe80::/10 excludes link-local traffic
ip6tables -t mangle -I OUTPUT 2 -p udp --dport DNS_PORT ! -s fe80::/10 -j MARK --set-mark DNS_MARK
echo "pass out proto udp from any port = DNS_PORT set-tag(nat=DNS_MARK)" | ipf -f -
echo " " | ipf -6 -f -

// forward all marked dns traffic to our DNS_TABLE
ip rule add fwmark DNS_MARK table DNS_TABLE
ip -6 rule add fwmark DNS_MARK table DNS_TABLE
route
route 

// finally add rule in our forwarding table to pass to our virtual interface
ip route add default dev dev table DNS_TABLE
ip -6 route add default dev dev table DNS_TABLE
route add default dev

// update routing tables again
// now undo updating of routing tables, normal exit or clean-up-on-error case

// cleanup_route_4:
ip -6 route del default dev dev table DNS_TABLE

// cleanup_route_4b:
ip route del default dev dev table DNS_TABLE

// cleanup_forward_3:
ip -6 rule del fwmark DNS_MARK table DNS_TABLE

// cleanup_forward_3b:
ip rule del fwmark DNS_MARK table DNS_TABLE

// cleanup_mark_2:
ip6tables -t mangle -D OUTPUT -p udp --dport DNS_PORT ! -s fe80::/10 -j MARK --set-mark DNS_MARK
echo " " | ipf -6 -f -

// cleanup_mark_2b:
iptables -t mangle -D OUTPUT -p udp --dport DNS_PORT -j MARK --set-mark DNS_MARK
echo " " | ipf -f -

// cleanup_mangle_1:
ip6tables -m owner -t mangle -D OUTPUT -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
echo " " | ipf -6 -f -

// cleanup_mangle_1b:
iptables -m owner -t mangle -D OUTPUT -p udp --gid-owner mygid --dport DNS_PORT -j ACCEPT
echo " " | ipf -f -
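
Added example (not from the original post or from GNUnet's gnunet-helper-dns.c): a small userland model of the two mangle/OUTPUT rules above, so that the rule ordering (the owner ACCEPT is inserted at position 1, ahead of the MARK at position 2) and the fe80::/10 exclusion can be checked against sample packets before they are translated to ipf. DNS_MARK and MY_GID are constructed placeholder values, not the application's real ones.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/types.h>

#define DNS_PORT 53
#define DNS_MARK 0x8F   /* constructed placeholder for the app's DNS_MARK */
#define MY_GID   1234   /* constructed placeholder for the gid held by gnunet-service-dns */

enum verdict { PASS_UNMARKED = 0, ACCEPTED = 1, MARKED = 2 };

struct pkt {
    int af;               /* AF_INET or AF_INET6 */
    int proto;            /* IPPROTO_UDP, IPPROTO_TCP, ... */
    uint16_t dport;       /* destination port, host order */
    gid_t gid;            /* gid owning the sending socket (-m owner) */
    const char *src;      /* source address as text */
};

/* fe80::/10: first byte 0xfe and the top two bits of the second byte are 10. */
static int is_link_local6(const char *src)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, src, &a) != 1)
        return 0;
    return a.s6_addr[0] == 0xfe && (a.s6_addr[1] & 0xc0) == 0x80;
}

/* Walk the OUTPUT chain in insertion order. Rule 1 (owner ACCEPT) terminates
 * the chain, so rule 2 (MARK) is only consulted for non-owner traffic. */
enum verdict output_chain(const struct pkt *p, uint32_t *mark)
{
    *mark = 0;
    if (p->proto != IPPROTO_UDP || p->dport != DNS_PORT)
        return PASS_UNMARKED;        /* neither rule matches: leave alone */
    if (p->gid == MY_GID)
        return ACCEPTED;             /* -m owner --gid-owner mygid -j ACCEPT */
    if (p->af == AF_INET6 && is_link_local6(p->src))
        return PASS_UNMARKED;        /* ! -s fe80::/10: not marked, not rerouted */
    *mark = DNS_MARK;                /* -j MARK --set-mark DNS_MARK */
    return MARKED;
}
```

Only MARKED packets reach the `ip rule add fwmark DNS_MARK table DNS_TABLE` path, so any ipf translation has to preserve the same three outcomes in the same order.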

