heads up: IPFW + dummynet and PF in 14.0 and later
Date: Fri, 01 Mar 2024 16:53:15 UTC
Dear contributors and PF users,

I have recently bumped into serious trouble after upgrading one of the firewalls to 14.0-STABLE. On the previously running 13.3-STABLE, a special setup was utilized where IPFW with dummynet was shaping traffic and PF was the real firewall. Since it was a rather complex firewall with hundreds of rules, many anchors and packet tagging, finding the breakage took some time. I know it was never recommended to use both IPFW and PF simultaneously, but it worked flawlessly, IIRC since FreeBSD 10.0 times.

So finally it came out that using IPFW with dummynet for shaping was the culprit of the breakage. I then transitioned to the new dnpipe PF syntax by adding one line to pf.conf:

    match out on $int_if_1 proto tcp from any to <Virt-PCs> tagged VIRTPC dnpipe (17, 18)

then enabling and configuring dnctl:

    sysrc dnctl_enable=YES
    cat << EOF > /etc/dnctl.conf
    pipe 17 config bw 70Mbits/s buckets 512 mask dst-ip 0x0001ffff
    pipe 18 config bw 100Mbits/s buckets 512 mask src-ip 0x0001ffff
    EOF

FWIW: once the problem was identified, the transition was rather straightforward and easy; the pipes work flawlessly and respect tagging. The only drawback I noticed is that the "burst" keyword was rejected when configuring the pipes.

Cheers
-- 
Marek Zarychta
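The mask dst-ip / mask src-ip 0x0001ffff in the pipe definitions above make dummynet key a separate dynamic queue on each distinct value of the masked address bits, so the configured bandwidth applies per host rather than to the whole pipe. The following Python helper, an added example and not part of the post above, models that bitwise keying to show which addresses end up sharing a queue; the host addresses are constructed samples.

```python
import ipaddress
from collections import defaultdict

# dummynet ANDs the address with the mask and creates one dynamic queue
# per distinct result; with 0x0001ffff only the low 17 bits are kept,
# so two hosts that differ only above bit 16 share the same queue.
DUMMYNET_MASK = 0x0001FFFF


def dynamic_queue_key(addr: str, mask: int = DUMMYNET_MASK) -> int:
    """Return the flow key dummynet derives from this address and mask."""
    return int(ipaddress.IPv4Address(addr)) & mask


def max_dynamic_queues(mask: int) -> int:
    """Upper bound on distinct dynamic queues a mask can produce."""
    return 1 << bin(mask).count("1")


def group_by_queue(addrs, mask: int = DUMMYNET_MASK) -> dict:
    """Map each dynamic-queue key to the addresses that land in it."""
    groups = defaultdict(list)
    for a in addrs:
        groups[dynamic_queue_key(a, mask)].append(a)
    return dict(groups)


# Constructed sample hosts (hypothetical, not from the post).
SAMPLE_HOSTS = ["10.0.0.5", "10.1.0.5", "10.2.0.5", "10.0.0.6"]

if __name__ == "__main__":
    print(f"mask 0x{DUMMYNET_MASK:08x} allows up to "
          f"{max_dynamic_queues(DUMMYNET_MASK)} dynamic queues")
    for key, hosts in sorted(group_by_queue(SAMPLE_HOSTS).items()):
        print(f"queue key 0x{key:08x}: {hosts}")
```

Note that 10.0.0.5 and 10.2.0.5 collide under this mask because they differ only in bit 17, so they would be shaped as one flow; the buckets 512 setting sizes the hash table these keys are spread over, not the number of queues.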