pf (rules and nat) + (ipfw + dummynet)
Kristof Provost
kp at FreeBSD.org
Fri Aug 30 10:27:42 UTC 2019
On 18 Aug 2019, at 11:33, Goran Mekić wrote:
> Hello,
>
> If I knew we almost made it compile and boot (with dummynet, pf and
> pflog loaded), I would postpone the previous email. :o)
>
> The code I'm working on is
> https://github.com/mekanix/freebsd/tree/feature/pf+dummynet/12.0.
> It is nothing more than the releng/12.0 branch into which I copied
> parts of PFSense code until it started working. I still don't know how
> to test it, as I'm not sure what PFSense's syntax for pf.conf is. I
> know you can use "ipfw pipe list" to show the pipes without the ipfw
> module loaded. Once loaded, ipfw lets you manage dummynet. What I do
> for now is load ipfw, set the pipes, unload ipfw.
>
> If anyone knows how to configure pf.conf so that it passes everything
> it receives to dummynet, I'm all ears. I will "fork" /sbin/ipfw and
> create /sbin/dnctl so we don't have to depend on IPFW at all, but I
> would like it to start working like this, first.
>

Apple do this through dnctl as you’re proposing:
http://www.manpagez.com/man/8/dnctl/

They’ve even published source code for it:
https://opensource.apple.com/source/network_cmds/network_cmds-543.260.3/dnctl/

I’m somewhat tempted towards an approach where the pipe definitions
are part of pf.conf, for similarity with how ALTQ worked in pf, and how
dummynet now works in ipfw. That’s probably not a hard requirement
though. If it makes more sense to have two tools then let’s go for
that.

> My concern about this patch is that it changes IPFW, too. I don't know
> if the following link is visible if you're not logged into github, but
> it shows the difference between releng/12.0 and this branch:
> https://github.com/freebsd/freebsd/compare/releng/12.0...mekanix:feature/pf+dummynet/12.0?expand=1
>

One of the issues I have with the PFSense patches is that they’re not
broken down into usefully documented chunks. From a quick look that diff
seems to contain completely unrelated changes.

Part of the effort is certainly going to be to tease that apart, and
work out what bits are relevant (and *why*).

Best regards,
Kristof