Net.inet.ip.pfil.* pf ipfw order

  • I understand pfSense has improved stock FreeBSD by adding a feature that allows one to specify the order in which packets are seen by its two packet filters (pf & ipfw).

    sysctl net.inet.ip.pfil

    net.inet.ip.pfil.inbound=pf, ipfw*
    net.inet.ip.pfil.outbound=pf, ipfw*

    However, in those for IPv6 (net.inet6.ip6.pfil.*), pf & ipfw appear in a different order and there is no asterisk.

    Could someone please provide more info about this feature?

  • What is the path that an IP packet takes through the two pfSense packet filters (pf & ipfw)?

    I noticed the ifconfig IPFW_FILTER flag gets added on an interface when CP is enabled on it.


  • That sets the order in which pfil(9) consumers 'taste' packets.

    It was developed first for overcoming some issues, but now it's not used at all; as you can see from the * in ipfw, it's not a pfil(9) consumer as used in pfSense.
