traffic shaping on RELENG_10 ?
Ian Smith
smithi at nimnet.asn.au
Fri Dec 18 11:58:18 UTC 2015
On Thu, 17 Dec 2015 14:24:34 -0500, Kenneth D. Merry wrote:
> On Wed, Dec 16, 2015 at 15:20:26 -0500, Mike Tancsa wrote:
> > I need to do some simple traffic shaping, but whenever I try and use
> > altq, I don't seem to have any luck-- I mean zero.
>
> It took me a while to get ALTQ working. More below..
>
> > I like the management of pf via pf.conf, but miss the simplicity of
> > dummynet and ipfw. Has anyone used pf and ipfw together in RELENG10 ?
> > Any tips / caveats ? Or am I better off re-writing the pf rules into
> > ipfw and be done with it.
>
> I'm using ipfw for firewall and in-kernel NAT, and ALTQ (configured via pf)
> for traffic shaping.

I also greatly appreciate your post on this, Ken.

I've been wondering about doing the opposite, after over 15 years using
ipfw and over 12 years using dummynet, i.e. trying pf but wanting to use
dummynet for shaping, as I've always found it advantageous to do shaping
inbound as well as outbound, which pf doesn't do, like tc in Linux where
I'd had to do some real work getting tc to shape inbound by treating it
as outbound traffic on the inside interface - which does work fine in a
rather internet-cafe environment requiring judicious cat-herding :)

Does anyone know if it's possible to use ipfw just for dummynet shaping,
using pf rules for filtering, in terms of the ordering of pfil(9) hooks?

> One thing that was non-obvious with the in-kernel NAT versus the userland
> natd(8) was that you have to set 'sysctl net.inet.ip.fw.one_pass=0'.
> Otherwise the rules after the NAT step in the ipfw configuration are
> skipped.

Also needed when using dummynet - or netgraph, or reass; it's rather too
heavily overloaded, and I've always thought its default of 1 to be the
opposite of what most people want .. way too late to change it though.

> In-kernel NAT:
>
> ${fwcmd} nat 123 config log if ${oif} same_ports unreg_only
>
> # This is necessary with the in-kernel NAT to re-inject packets once they've
> # gone through the NAT.
> sysctl net.inet.ip.fw.one_pass=0

${fwcmd} disable one_pass # accomplishes the same thing.

> ${fwcmd} enable altq

cheers, Ian
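
The `one_pass` behaviour discussed above, shown with dummynet pipes in both directions; this is an added example, not part of the original message. The interface name, rule numbers, bandwidths and the small filter rule set are assumptions, and by default the script only prints the ipfw commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread. Interface, rule numbers and
# bandwidths below are assumed values; adjust before real use.
# Dry run by default: prints the ipfw commands instead of executing them.
# On a FreeBSD host with ipfw and dummynet loaded, run with fwcmd=/sbin/ipfw.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-em0}"               # assumed outside interface
down_bw="${down_bw:-8Mbit/s}"   # assumed inbound limit
up_bw="${up_bw:-1Mbit/s}"       # assumed outbound limit

shaping_rules() {
    # With one_pass enabled (the default), a packet leaving a dummynet
    # pipe is accepted at once and the filter rules further down are
    # never evaluated for it. Disabling it re-injects the packet at the
    # rule following the pipe rule.
    ${fwcmd} disable one_pass

    # One dummynet pipe per direction.
    ${fwcmd} pipe 1 config bw "${down_bw}"
    ${fwcmd} pipe 2 config bw "${up_bw}"

    # Shape both inbound and outbound traffic on the outside interface.
    ${fwcmd} add 1000 pipe 1 ip from any to any in recv "${oif}"
    ${fwcmd} add 1010 pipe 2 ip from any to any out xmit "${oif}"

    # Filtering is reached by shaped packets only because one_pass is off.
    ${fwcmd} add 2000 check-state
    ${fwcmd} add 2010 allow ip from any to any out xmit "${oif}" keep-state
    ${fwcmd} add 65000 deny log ip from any to any in recv "${oif}"
}

shaping_rules
```

If the `disable one_pass` line is left out, the rules numbered 2000 and above never see traffic that matched a pipe rule, so the final deny has no effect on inbound packets.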