FreeBSD 8.2 + pf + ipfw (dummynet)

Ermal Luçi eri at freebsd.org
Thu Jul 14 08:55:57 UTC 2011


2011/7/14 Murat SÜRÜCÜ <msurucu at karaelmas.edu.tr>:
> I think the problem is dummynet corrupts PF state information. What can i do
> for prevent it?

It's not a corruption but the way pf(4) works.

In pfSense this patch is used:
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/pfil.RELENG_8.diff

to allow reordering pfil consumers, especially to avoid this problem.
It has not made it into FreeBSD yet.

With this patch you can reorder pfil consumers based on your needs.
It exports the following sysctl for configuration:
net.inet.ip.pfil.inbound
net.inet.ip.pfil.outbound

So after loading pf and ipfw you can configure the order of the pfil consumers
as below to avoid the problems you are seeing.

/sbin/sysctl net.inet.ip.pfil.inbound="ipfw,pf"
/sbin/sysctl net.inet.ip.pfil.outbound="ipfw,pf"

Otherwise you will always have the problems you see.
The other way, as I told you, is to be careful when loading the modules,
or when joining pfil.

>
>
> Murat
>
>
> -----Original Message-----
> From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
> Behalf Of Murat SÜRÜCÜ
> Sent: Tuesday, July 12, 2011 8:55 AM
> To: 'Ermal Luçi'
> Cc: freebsd-pf at freebsd.org
> Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> Thanks for reply,
> IPFW is kernel module, PF is loadable module in my config.
> And this config was normally run when version is 7.2.
>
>
> Murat
>
>
> -----Original Message-----
> From: ermal.luci at gmail.com [mailto:ermal.luci at gmail.com] On Behalf Of Ermal
> Luçi
> Sent: Tuesday, July 12, 2011 12:59 AM
> To: Murat SÜRÜCÜ
> Cc: freebsd-pf at freebsd.org
> Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> 2011/7/11 Murat SÜRÜCÜ <msurucu at karaelmas.edu.tr>:
>> Hello,
>>
>> I used PF and dummynet together about two years and worked fine.
>> Recently I have upgraded the system from 7.2 to 8.2 and dummynet doesn't
>> work anymore.
>> If any packet belonging to the client IP is put into any pipe, it is dropped and pflog
>> says it was blocked by the last pf rule. But it matches the previous rule.
>> If i disable (flush) the ipfw rules, packets pass normally.
>>
>> Does anybody have same experience?
>
> You have to make sure the ipfw module is loaded first, otherwise you will hit pf
> states twice, which will drop as you see.
>
>>
>> http://forums.freebsd.org/showthread.php?t=24947
>>
>> Thanks.
>>
>> Murat
>>
>>
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>
>
>
>
> --
> Ermal
>
>
>



-- 
Ermal
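A small script, added here as an example and not part of the thread, of pfSense or of the patch above, that checks whether ipfw precedes pf in the pfil consumer list and sets the "ipfw,pf" order the message recommends. It assumes the pfSense pfil reorder patch is applied, since the net.inet.ip.pfil.inbound and net.inet.ip.pfil.outbound sysctls exist only with it; on an unpatched kernel it falls back to reporting the kld load order, which is then what decides the consumer order.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies and, if needed, sets the
# pfil(9) consumer order so that ipfw (and thus dummynet) runs before pf.
# Assumes the pfSense pfil reorder patch: without it the
# net.inet.ip.pfil.{inbound,outbound} sysctls do not exist.

WANT="ipfw,pf"

# pfil_position LIST NAME: print the 1-based index of NAME in the
# comma-separated LIST, or nothing if NAME is absent.
pfil_position() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v n="$2" '$0 == n { print NR; exit }'
}

# pfil_order_ok LIST: succeed only if both ipfw and pf are present and ipfw
# comes first. With pf ahead of ipfw, pf sees the packet again after the
# dummynet pipe and, as the message above says, the second pass is dropped.
pfil_order_ok() {
    a=$(pfil_position "$1" ipfw)
    b=$(pfil_position "$1" pf)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# check_direction inbound|outbound: read the live sysctl and correct it.
# Returns 2 when the sysctl is missing, i.e. the patch is not applied.
check_direction() {
    oid="net.inet.ip.pfil.$1"
    cur=$(sysctl -n "$oid" 2>/dev/null) || return 2
    if pfil_order_ok "$cur"; then
        echo "$oid=$cur (ok)"
    else
        echo "$oid=$cur -> setting $WANT"
        sysctl "$oid=$WANT"
    fi
}

main() {
    rc=0
    for d in inbound outbound; do
        check_direction "$d" || rc=$?
    done
    if [ "$rc" -eq 2 ]; then
        echo "pfil reorder sysctls not present; module load order decides."
        echo "ipfw must be attached to pfil before pf. Loaded modules:"
        # A statically compiled-in ipfw will not show up here.
        kldstat | awk '/ipfw\.ko|pf\.ko/ { print $NF }'
    fi
}

# Only touch the live system on FreeBSD; the helpers above work on plain
# strings anywhere.
if [ "$(uname -s)" = FreeBSD ]; then
    main
fi
```

Run it as root after both modules are loaded (for example from an rc.local hook); rerunning it is harmless, since it only calls sysctl when the order is wrong.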

