From owner-freebsd-pf@freebsd.org Sun Jul 28 21:00:49 2019
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 28 Jul 2019 21:00:26 +0000
Message-Id: <201907282100.x6SL0Q0W070978@kenobi.freebsd.org>

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering all
versions including experimental development code and obsolete releases.

Status      | Bug Id    | Description
------------+-----------+---------------------------------------------------
Open        | 203735    | Transparent interception of ipv6 with squid and p
Open        | 237973    | pf: implement egress keyword to simplify rules ac

2 problems total for which you should take action.
From owner-freebsd-pf@freebsd.org Mon Jul 29 16:06:53 2019
From: mike tancsa <mike@sentex.net>
To: freebsd-pf@freebsd.org
Subject: pf and dummynet
Date: Mon, 29 Jul 2019 12:06:43 -0400

I have a box I need to shape inbound and outbound traffic. It seems altq can
only shape outbound packets and not limit inbound? If that's the case, what is
the current state of mixing ipfw, dummynet and pf? Writing large complex
firewall rules works better from a readability POV (for us anyways) so I really
prefer to use it. But I need to prevent zfs replication eating up BW over some
WAN links, and dummynet seems to "just work".

For ipfw I have

    00010 6640359 9959147882 pipe 1 tcp from 192.168.128.0/20 to any
    01000 3486901  228480912 allow ip from any to any

and then checking my pf.conf rules, it seems to block and pass traffic as
expected. Is there anything I should explicitly check?
    ---Mike

From owner-freebsd-pf@freebsd.org Mon Jul 29 17:44:02 2019
From: Paul Webster <paul.g.webster@googlemail.com>
To: mike tancsa, freebsd-pf@freebsd.org
Subject: RE: pf and dummynet
Date: Mon, 29 Jul 2019 18:44:00 +0100
Message-ID: <5d3f305f.1c69fb81.90047.531f@mx.google.com>

You can mix ipfw and pf, but beware of the order they are loaded (the first
one loaded is inside the second one loaded) – it may be better in fact to
compile them both in the kernel.

You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf was
loaded first.

Sent from Mail for Windows 10

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@freebsd.org Mon Jul 29 17:51:43 2019
From: Kristof Provost
To: Paul Webster
Cc: mike tancsa, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 19:51:34 +0200
Message-ID: <20190729175134.GE10541@vega.codepro.be>
In-Reply-To: <5d3f305f.1c69fb81.90047.531f@mx.google.com>

On 2019-07-29 18:44:00 (+0100), Paul Webster via freebsd-pf wrote:
> You can mix ipfw and pf, but beware of the order they are loaded (The
> first one loaded is inside the second one loaded) – it may be better
> in fact to compile them both in the kernel.
>
> You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf
> was loaded first

Also beware of gotchas with things like IPv6 fragment handling or route-to.

I do not consider mixing firewalls to be a supported configuration. If it
breaks you get to keep the pieces.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Mon Jul 29 17:59:59 2019
From: mike tancsa <mike@sentex.net>
To: Paul Webster, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 13:59:57 -0400
In-Reply-To: <5d3f305f.1c69fb81.90047.531f@mx.google.com>

Thanks, I have pf compiled in for now, and then load dummynet and ipfw as a
kld.

On 7/29/2019 1:44 PM, Paul Webster wrote:
> You can mix ipfw and pf, but beware of the order they are loaded (The
> first one loaded is inside the second one loaded) – it may be better
> in fact to compile them both in the kernel.
>
> You basically end up with: (pf)(ipfw)(system)(ipfw)(pf) – assuming pf
> was loaded first

From owner-freebsd-pf@freebsd.org Mon Jul 29 18:22:55 2019
From: mike tancsa <mike@sentex.net>
To: Kristof Provost, Paul Webster
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 14:22:54 -0400
Message-ID: <8e58346b-5540-b47e-e446-1a5bb11743d3@sentex.net>
In-Reply-To: <20190729175134.GE10541@vega.codepro.be>

On 7/29/2019 1:51 PM, Kristof Provost wrote:
> Also beware of gotchas with things like IPv6 fragment handling or
> route-to.
>
> I do not consider mixing firewalls to be a supported configuration. If
> it breaks you get to keep the pieces.

Thanks, I was worried about that! Is there a way to get altq to limit inbound
traffic directed to a server? I would prefer not mixing and matching, but I
don't see any other way other than going to ipfw, which I would rather not.

    ---Mike

From owner-freebsd-pf@freebsd.org Mon Jul 29 18:38:08 2019
From: Kristof Provost <kp@FreeBSD.org>
To: mike tancsa
Cc: Paul Webster, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 20:38:03 +0200
In-Reply-To: <8e58346b-5540-b47e-e446-1a5bb11743d3@sentex.net>

On 29 Jul 2019, at 20:22, mike tancsa wrote:
> On 7/29/2019 1:51 PM, Kristof Provost wrote:
>> Also beware of gotchas with things like IPv6 fragment handling or
>> route-to.
>>
>> I do not consider mixing firewalls to be a supported configuration.
>> If it breaks you get to keep the pieces.
>
> Thanks, I was worried about that! Is there a way to get altq to limit
> inbound traffic directed to a server? I would prefer not mixing and
> matching, but I don't see any other way other than going to ipfw which
> I would rather not
>
I don’t know. I’m not very familiar with altq.

In general I’d expect quality of service and bandwidth limits to only be
effective in the upstream direction (when going from a fast link to a slow
one). There’s no good way to limit how much traffic other machines send to
you.

Regards,
Kristof

From owner-freebsd-pf@freebsd.org Mon Jul 29 19:32:38 2019
From: mike tancsa <mike@sentex.net>
To: Kristof Provost
Cc: Paul Webster, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 15:32:36 -0400
TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_NA(0.00)[sentex.net]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: smtp.sentex.ca]; NEURAL_HAM_SHORT(-0.96)[-0.959,0]; NEURAL_HAM_MEDIUM(-0.97)[-0.974,0]; IP_SCORE(-1.72)[ipnet: 2607:f3e0::/32(-4.94), asn: 11647(-3.57), country: CA(-0.09)]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:11647, ipnet:2607:f3e0::/32, country:CA]; HFILTER_HOSTNAME_UNKNOWN(2.50)[]; MID_RHS_MATCH_FROM(0.00)[]; FREEMAIL_CC(0.00)[googlemail.com] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Jul 2019 19:32:38 -0000 On 7/29/2019 2:38 PM, Kristof Provost wrote: > > On 29 Jul 2019, at 20:22, mike tancsa wrote: > > On 7/29/2019 1:51 PM, Kristof Provost wrote: > > Also beware of gotchas with things like IPv6 fragment handling or > route-to. > > I do not consider mixing firewalls to be a supported > configuration. If > it breaks you get to keep the pieces. > > Thanks, I was worried about that!  Is there a way to get altq to limit > inbound traffic directed to a server ?  I would prefer not mixing and > matching, but I dont see any other way other than going to ipfw > which I > would rather not > > I don’t know. I’m not very familiar with altq. > > In general I’d expect quality of service and bandwidth limits to only > be effective in the upstream direction (when going from a fast link to > a slow one). There’s no good way to limit how much traffic other > machines send to you. > Another problem is that altq doesnt seem to work with all NICs.  
Although cxgbe is listed in the man page still # grep cxl /etc/pf.conf altq on cxl0 cbq bandwidth 2000Mb queue { zrepl,  default } # pfctl -f /etc/pf.conf pfctl: cxl0: driver does not support altq # # man altq | grep -i cxgb      bce(4), bfe(4), bge(4), bxe(4), cas(4), cxgbe(4), dc(4), de(4), ed(4),     ---Mike From owner-freebsd-pf@freebsd.org Mon Jul 29 20:15:54 2019 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 92483B4901 for ; Mon, 29 Jul 2019 20:15:54 +0000 (UTC) (envelope-from freebsd-rwg@gndrsh.dnsmgr.net) Received: from gndrsh.dnsmgr.net (br1.CN84in.dnsmgr.net [69.59.192.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C8C886B03B; Mon, 29 Jul 2019 20:15:53 +0000 (UTC) (envelope-from freebsd-rwg@gndrsh.dnsmgr.net) Received: from gndrsh.dnsmgr.net (localhost [127.0.0.1]) by gndrsh.dnsmgr.net (8.13.3/8.13.3) with ESMTP id x6TKFodW045850; Mon, 29 Jul 2019 13:15:50 -0700 (PDT) (envelope-from freebsd-rwg@gndrsh.dnsmgr.net) Received: (from freebsd-rwg@localhost) by gndrsh.dnsmgr.net (8.13.3/8.13.3/Submit) id x6TKFoYH045849; Mon, 29 Jul 2019 13:15:50 -0700 (PDT) (envelope-from freebsd-rwg) From: "Rodney W. 
Grimes" Message-Id: <201907292015.x6TKFoYH045849@gndrsh.dnsmgr.net> Subject: Re: pf and dummynet In-Reply-To: To: Kristof Provost Date: Mon, 29 Jul 2019 13:15:50 -0700 (PDT) CC: mike tancsa , freebsd-pf@freebsd.org X-Mailer: ELM [version 2.4ME+ PL121h (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII X-Rspamd-Queue-Id: C8C886B03B X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [3.33 / 15.00]; ARC_NA(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_DN_SOME(0.00)[]; NEURAL_SPAM_SHORT(0.86)[0.856,0]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[dnsmgr.net]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.85)[0.850,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: gndrsh.dnsmgr.net]; NEURAL_SPAM_LONG(0.69)[0.693,0]; R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:13868, ipnet:69.59.192.0/19, country:US]; MID_RHS_MATCH_FROM(0.00)[]; IP_SCORE(0.04)[ip: (0.15), ipnet: 69.59.192.0/19(0.07), asn: 13868(0.05), country: US(-0.05)] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Jul 2019 20:15:54 -0000 > On 29 Jul 2019, at 20:22, mike tancsa wrote: > > On 7/29/2019 1:51 PM, Kristof Provost wrote: > >> > >> Also beware of gotchas with things like IPv6 fragment handling or > >> route-to. > >> > >> I do not consider mixing firewalls to be a supported configuration. > >> If > >> it breaks you get to keep the pieces. > > > > Thanks, I was worried about that!? Is there a way to get altq to > > limit > > inbound traffic directed to a server ?? 
> > I would prefer not mixing and matching, but I don't see any other way
> > other than going to ipfw, which I would rather not.
>
> I don't know. I'm not very familiar with altq.
>
> In general I'd expect quality of service and bandwidth limits to only
> be effective in the upstream direction (when going from a fast link to a
> slow one). There's no good way to limit how much traffic other
> machines send to you.

Though dummynet is most effective on the outbound stream (absolute control),
it can be used to good effect on an incoming stream due to the end-to-end
paradigm of the internet and the fact that congestion must be dealt with.

If dummynet holds packets and parcels them into a box at a lower rate, for
things like TCP you'll end up reducing the congestion window and hence the
sender's rate. Or you can get into the ACK clock situation, where the sender
simply does not send any more data until it gets an ack back, as it already
has filled the congestion window.

I have been using dummynet for decades in this way, and it more or less
"just works."
> Regards,
> Kristof

-- 
Rod Grimes                                                 rgrimes@freebsd.org

From: "Kristof Provost"
To: "Rodney W. Grimes"
Cc: "mike tancsa", freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 22:18:03 +0200

On 29 Jul 2019, at 22:15, Rodney W. Grimes wrote:
>> On 29 Jul 2019, at 20:22, mike tancsa wrote:
>>> On 7/29/2019 1:51 PM, Kristof Provost wrote:
>> In general I'd expect quality of service and bandwidth limits to only
>> be effective in the upstream direction (when going from a fast link to a
>> slow one). There's no good way to limit how much traffic other
>> machines send to you.
>
> Though dummynet is most effective on the outbound
> stream (absolute control) it can be used to good effect
> on an incoming stream due to the end-to-end paradigm of
> the internet and the fact that congestion must be dealt
> with.
>
> If dummynet holds packets and parcels them into a box at
> a lower rate for things like TCP you'll end up reducing
> the congestion window and hence the sender's rate.
> Or you
> can get into the ACK clock situation where the sender simply
> does not send any more data until it gets an ack back as
> it already has filled the congestion window.
>
> I have been using dummynet for decades in this way,
> and it more or less "just works."
>
True, with the caveat that that's only for TCP of course.

Regards,
Kristof

From: Nikos Vassiliadis
To: mike tancsa, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Date: Tue, 30 Jul 2019 02:39:34 +0300

Hi,

On 2019-07-29 19:06, mike tancsa wrote:
> I have a box I need to shape inbound and outbound traffic. It seems altq
> can only shape outbound packets and not limit inbound? If that's the
> case, what is the current state of mixing ipfw, dummynet and pf?
> Writing large complex firewall rules works better from a readability POV
> (for us anyways) so I really prefer to use it. But I need to prevent zfs
> replication eating up BW over some WAN links, and dummynet seems to
> "just work"

Maybe you could use pipe viewer (pv in ports or packages) on the ZFS host
to limit the bandwidth in userspace.
Nikos

From: "Rodney W. Grimes"
To: Kristof Provost
Cc: "Rodney W. Grimes", mike tancsa, freebsd-pf@FreeBSD.org
Subject: Re: pf and dummynet
Date: Mon, 29 Jul 2019 17:06:02 -0700 (PDT)

> On 29 Jul 2019, at 22:15, Rodney W. Grimes wrote:
> >> On 29 Jul 2019, at 20:22, mike tancsa wrote:
> >>> On 7/29/2019 1:51 PM, Kristof Provost wrote:
> >> In general I'd expect quality of service and bandwidth limits to only
> >> be effective in the upstream direction (when going from a fast link to a
> >> slow one). There's no good way to limit how much traffic other
> >> machines send to you.
> >
> > Though dummynet is most effective on the outbound
> > stream (absolute control) it can be used to good effect
> > on an incoming stream due to the end-to-end paradigm of
> > the internet and the fact that congestion must be dealt
> > with.
> >
> > If dummynet holds packets and parcels them into a box at
> > a lower rate for things like TCP you'll end up reducing
> > the congestion window and hence the sender's rate. Or you
> > can get into the ACK clock situation where the sender simply
> > does not send any more data until it gets an ack back as
> > it already has filled the congestion window.
> >
> > I have been using dummynet for decades in this way,
> > and it more or less "just works."
> >
> True, with the caveat that that's only for TCP of course.

All protocols transported over the internet should have some form of
congestion control; sometimes that is packet loss :-)

Most protocols have similar issues that do lead to self-clocking when the
above is implemented. If you slow down the packets, the protocol slows down
overall, except for very short-lived things.

From our (Some Congestion Experienced development group) recent letter to
the chairs of ietf tsvwg in regards to the L4S working group last call, we
raised this point:

RFC-8311 section 2.1: Effective congestion control is REQUIRED.

These principles apply to all traffic transported over the internet, and the
ietf is not going to approve anything that ignores congestion. Hence anything
that does not respond to the above traffic metering (congestion) situation
is fundamentally broken by standard now.

People are now talking about pacing IW10 in TCP (I believe this is already
implemented in Linux); iirc Randall explained to me what Netflix does, as
this burst tends to cause subtle problems.
> Regards,
> Kristof

-- 
Rod Grimes                                                 rgrimes@freebsd.org

From: Mike Tancsa
To: Nikos Vassiliadis, freebsd-pf@freebsd.org
Subject: Re: pf and dummynet
Organization: Sentex Communications
Date: Mon, 29 Jul 2019 20:36:47 -0400

On 7/29/2019 7:39 PM, Nikos Vassiliadis wrote:
> Hi,
>
> On 2019-07-29 19:06, mike tancsa wrote:
> Maybe you could use pipe viewer (pv in ports or packages) on the
> ZFS host to limit the bandwidth in userspace.

Thanks, the replication is being done via TLS+Certs/Zrepl. It has an option
to use OpenSSH and I will look at cramming in pv between that and see if
that works.

    ---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada
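The following is an added example, not part of the thread: a toy Python model of the mechanism Rod Grimes describes (an inbound dummynet-style pipe throttling a TCP sender through the congestion window and ACK clocking) next to Kristof Provost's caveat that a sender without congestion control is not slowed down, only dropped. The pipe rate, RTT, queue depth and the simplified AIMD sender are all constructed assumptions, not FreeBSD's dummynet code.

```python
"""Toy discrete-time model of an inbound dummynet-style pipe in front of a
receiver.  Constructed for illustration: a simplified AIMD TCP sender is
throttled by the pipe because ACKs only come back at the drain rate and the
congestion window caps what may be in flight (ACK clocking), while a sender
with no congestion control keeps its offered rate and the excess is dropped.
"""
from collections import deque

MSS = 1500      # bytes per segment (assumed)
TICK_MS = 1     # one simulation step is 1 ms


def simulate(pipe_bps, ms=4000, rtt_ms=40, queue_pkts=20, cwnd0=4.0,
             udp_bps=None):
    """Push one flow through a tail-drop pipe draining at pipe_bps bytes/s.

    udp_bps=None -> simplified AIMD TCP sender (window-limited, halves on loss)
    udp_bps=n    -> constant-rate sender that ignores loss entirely
    Returns (bytes/s delivered during the second half of the run, packets dropped).
    """
    per_tick = pipe_bps * TICK_MS / 1000.0   # bytes the pipe may release per tick
    queue, acks, losses = deque(), deque(), deque()
    credit = udp_credit = 0.0
    cwnd, inflight, last_cut = cwnd0, 0, -rtt_ms
    delivered, dropped, warmup = 0, 0, ms // 2

    for t in range(ms):
        # --- sender ---------------------------------------------------------
        if udp_bps is None:
            while inflight < int(cwnd):        # fill the congestion window
                inflight += 1                  # a dropped segment still occupies window
                if len(queue) < queue_pkts:
                    queue.append(t)
                else:
                    dropped += 1
                    losses.append(t + rtt_ms)  # loss is noticed one RTT later
        else:
            udp_credit += udp_bps * TICK_MS / 1000.0
            while udp_credit >= MSS:           # blast at the offered rate regardless
                udp_credit -= MSS
                if len(queue) < queue_pkts:
                    queue.append(t)
                else:
                    dropped += 1               # no back-off: the excess is just lost
        # --- pipe: release queued packets at the configured rate -----------
        credit = min(credit + per_tick, per_tick + MSS)  # small token bucket
        while queue and credit >= MSS:
            credit -= MSS
            queue.popleft()
            if t >= warmup:
                delivered += MSS
            acks.append(t + rtt_ms)            # ACK reaches the sender one RTT later
        # --- feedback arriving at the sender --------------------------------
        while acks and acks[0] <= t:
            acks.popleft()
            if udp_bps is None:
                inflight -= 1
                cwnd += 1.0 / cwnd             # additive increase: +1 segment per RTT
        while losses and losses[0] <= t:
            losses.popleft()
            inflight -= 1
            if t - last_cut >= rtt_ms:         # at most one multiplicative cut per RTT
                cwnd, last_cut = max(2.0, cwnd / 2), t
    return delivered * 1000.0 / (ms - warmup), dropped


if __name__ == "__main__":
    pipe = 1_000_000                                       # 8 Mbit/s inbound pipe
    print("tcp:", simulate(pipe))                          # ~1e6 B/s, a handful of drops
    print("udp:", simulate(pipe, udp_bps=2_000_000))       # ~1e6 B/s, thousands of drops
```

The TCP flow settles at the pipe rate with only a few losses per AIMD cycle, whereas the constant-rate sender keeps offering twice the pipe rate and loses roughly half of its packets, which is the "only for TCP" caveat in numbers.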