ipfw2/dummynet + ipfilter not working together ?

Artur Pydo artur at pydo.org
Sat Oct 11 16:16:59 PDT 2003


Hi,

Mike Tancsa wrote:

> I was seeing some strange things in a very similar setup -- userland PPP 
> to do PPPoE, ipnat for inbound and outbound NAT and then ipfw2. Even 
> though I didn't use it, adding IPDIVERT to the kernel made the problem 
> box stable again.

It does not work better with the IPDIVERT option in the kernel.

My IPFW/Dummynet testing rules are quite simple:

pipe 1 config bw 125Kbit/s queue 10
pipe 2 config bw 125Kbit/s queue 10

queue 10 config queue 16kByte weight 100 pipe 1 mask all
queue 11 config queue 24kByte weight 1 pipe 1 gred 0.02/3/6/0.06
queue 20 config queue 16kByte weight 100 pipe 2 mask all
queue 21 config queue 24kByte weight 1 pipe 2 gred 0.02/3/6/0.06

add 10 queue 21 tcp from any to apydo.nerim.net 80 out via tun0
add 20 queue 20 ip from any to any out via tun0
add 30 queue 11 tcp from apydo.nerim.net 80 to any in via tun0
add 40 queue 10 ip from any to any in via tun0

Ipfilter rules are more complex, but it's something like this:

block in log all
block out log all

pass out quick on tun0 proto tcp from any to any flags S keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags

I have tcpdump and ipfilter logs of a failing tcp connection if somebody
would like to see how the packets are dropped.

-- 

Best regards,

Artur Pydo.


