[PATCH] PF+dummynet

Ermal Luçi eri at freebsd.org
Wed Jul 13 15:35:46 UTC 2011


On Wed, Jul 13, 2011 at 3:00 AM, Peter Jeremy
<peter.jeremy at alcatel-lucent.com> wrote:
> On 2011-Jun-29 16:26:34 +0800, Ermal Luçi <eri at freebsd.org> wrote:
>>On Wed, Jun 29, 2011 at 6:42 AM, Peter Jeremy
>><peter.jeremy at alcatel-lucent.com> wrote:
>>> Has anyone adapted the PF+dummynet patches for 8.x or 9.x?
>>
>>Well the patch is this
>>https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/dummynet.RELENG_8.diff
>>It should apply to 8.x without problems.
>>Some manual work for any rejection might be needed because of other
>>patches present in pfSense.
>
> I notice that the issue of pipe/queue configuration has been excised
> from pfctl(8) and relies on ipfw(8) (hopefully only as a stopgap).
> Having looked at how ipfw(4) and dummynet(4) have been roto-tilled,
> I can understand why, but this is not especially convenient for me
> and I'm looking at implementing the missing functionality.
>
> There appear to be two possible approaches to move forward:
> 1) Include ipfw/dummynet.c into pfctl(8) and modify pfctl/parse.y
>   to accumulate pipe/queue configuration options into an argv array
>   that can be passed to ipfw_config_pipe().
> 2) Implement the functional equivalent of ipfw/dummynet.c::ipfw_config_pipe()
>   in pfctl/parse.y.
>
> The former approach looks simpler (apart from the code to collect the
> arguments into an argv array, there are 8 fairly simple support
> functions that need to be implemented or copied from ipfw) but it's
> not clear that the error handling approaches are compatible.  The
> latter appears to be more work and results in more code duplication
> but maintains better internal consistency in pfctl.
>

This feels hackish.

I reverted back from having the pipes configured in pfctl because it
will be a catching game with ipfw.
To me it seems quite awkward that you cannot use ipfw to do all the
configuration and just use the pipe/queue numbers for sending traffic
to it in pfctl.
This is the way it is done in pfSense and it works very well.
This is the same analogy ipfw uses for altq configuration iirc.

The only thing I have considered improving is using names as in altq
instead of numbers. Though this is a nice-to-have rather than a must.

To me something that is glued on ipfw should stay there as it will get
the best support.
Possibly splitting dummynet configuration out to dnctl might have an argument.

> (The other two approaches I considered but discarded were to use
> ipfw(8) for configuration or to copy struct dn_pipe{7,8} from
> ip_dn_glue.c and continue to use the deprecated IP_DUMMYNET_CONFIGURE
> interface).
>
> Has the pfSense Project looked at how it will implement pipe/queue
> configuration?  And, if so, what approach will you be using?
>
pfSense has had support for dummynet in pf(4) on its 2.0 branch for a
really long time now.
It works very well in many setups tested.

> --
> Peter Jeremy
>



-- 
Ermal

