From nobody Fri Mar  1 16:53:15 2024
X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4TmZ0n0BTpz5ChPW
	for <freebsd-pf@mlmmj.nyi.freebsd.org>; Fri,  1 Mar 2024 16:53:29 +0000 (UTC)
	(envelope-from zarychtam@plan-b.pwste.edu.pl)
Received: from plan-b.pwste.edu.pl (plan-b.pwste.edu.pl [IPv6:2001:678:618::40])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "plan-b.pwste.edu.pl", Issuer "GEANT OV RSA CA 4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4TmZ0l28S0z4Py3
	for <freebsd-pf@freebsd.org>; Fri,  1 Mar 2024 16:53:27 +0000 (UTC)
	(envelope-from zarychtam@plan-b.pwste.edu.pl)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=plan-b.pwste.edu.pl header.s=plan-b-mailer header.b=slsFTUKX;
	dmarc=pass (policy=quarantine) header.from=plan-b.pwste.edu.pl;
	spf=pass (mx1.freebsd.org: domain of zarychtam@plan-b.pwste.edu.pl designates 2001:678:618::40 as permitted sender) smtp.mailfrom=zarychtam@plan-b.pwste.edu.pl
Received: from [192.168.7.70] (dom.potoki.eu [62.133.140.50])
	(authenticated bits=0)
	by plan-b.pwste.edu.pl (8.18.1/8.17.2) with ESMTPSA id 421GrG0d043804
	(version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO)
	for <freebsd-pf@freebsd.org>; Fri, 1 Mar 2024 17:53:16 +0100 (CET)
	(envelope-from zarychtam@plan-b.pwste.edu.pl)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=plan-b.pwste.edu.pl;
	s=plan-b-mailer; t=1709311997;
	bh=sc70fNZ7JwZkYJvxsYohgJCBrXloN7OxKvnbpvStIfA=;
	h=Date:To:From:Subject;
	b=slsFTUKXu8PHZ07Q983PQCv5SQavoGGnvns7DYrGQj3ZqVReLUbeZa/Z5UfTX7waJ
	 eDeYJX1yVuQsU9kHUzUnMIz4SlsdHu7bPPQzB3rsAcFMWPe35nLqC02A0YfVh2aG6T
	 ATFWokfGLxsOm6fAFh7KwgSToDLeOD7bKGFbSI/fWS8B9nRTfwPfpSWskYLNUykz97
	 7TumPvJaVVQ8UQoQg5RRCsPXCahNFcPzGiu0upDBCAIY59C3YVASf0oZ1oMNu6tAnX
	 VQQTVf3Ty287j3ROcFi/C9SinTzuvAcjVGJzb6mvbeUj+iEjnLAledxYxl4p9MPbao
	 KLSuYzAKNkjHQ==
X-Authentication-Warning: plan-b.pwste.edu.pl: Host dom.potoki.eu [62.133.140.50] claimed to be [192.168.7.70]
Message-ID: <b0ca0b0a-507c-48da-bc9b-beb83ed06afd@plan-b.pwste.edu.pl>
Date: Fri, 1 Mar 2024 17:53:15 +0100
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
List-Help: <mailto:pf+help@freebsd.org>
List-Post: <mailto:pf@freebsd.org>
List-Subscribe: <mailto:pf+subscribe@freebsd.org>
List-Unsubscribe: <mailto:pf+unsubscribe@freebsd.org>
Sender: owner-freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: freebsd-pf@freebsd.org
From: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Subject: heads up: IPFW + dummynet and PF in 14.0 and later
Autocrypt: addr=zarychtam@plan-b.pwste.edu.pl; keydata=
 xsBNBFfi3cMBCADLecMTFXad4uDXqv3eRuB4qJJ8G9tzzFezeRnnwxOsPdytW5ES2z1ibSrR
 IsiImx6+PTqrAmXpTInxAi7yiZGdSiONRI4CCxKY9d1YFiNYT/2WyNXCekm9x29YeIU7x0JB
 Llbz0f/9HC+styBIu2H+PY/X98Clzm110CS+n/b9l1AtiGxTiVFj7/uavYAKxH6LNWnbkuc5
 v8EVNc7NkEcl5h7Z9X5NEtzDxTOiBIFQ/kOT7LAtkYUPo1lqLeOM2DtWSXTXQgXl0zJI4iP1
 OAu4qQYm2nXwq4b2AH9peknelvnt1mpfgDCGSKnhc26q6ibTfMwydp+tvUtQIQYpA6b9ABEB
 AAHNN01hcmVrIFphcnljaHRhIChQbGFuLWIpIDx6YXJ5Y2h0YW1AcGxhbi1iLnB3c3RlLmVk
 dS5wbD7CwHcEEwEIACEFAlfi4LkCGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQHZW8
 vIFppoJXdgf8D9X3VRFSNaR9lthSx/+uqas17J3FJKBo1xMQsC2a+44vzNvYJSuPGLLJ+LW2
 HPVazjP/BWZJbxOYpliY4zxNRU0YCp0BLIVLibc//yax+mE42FND/+NiIZhqJscl6MLPrSwo
 sIwXec4XYkldkyqW/xBbBYXoIkBqdKB9j5j42Npy1IV/RizOSdmvTWY27ir8e/yGMR1RLr4F
 8P5K3OWTdlGy2H2F/3J8bIPBLG6FpaIyLQw4dHSx8V02PYqDxK1cNo2kAOnU8PnZL/AGuMOH
 iv3MN1VYL8ehcmpBBsrZGebQJxrjY2/5IaTSgp9xHYT70kshuU6Qb97vk1mOjNZxgc7ATQRX
 4t3DAQgA10h6RCXuBLMHxq5B8X/ZIlj9sgLoeyfRdDZEc9rT2KUeUJVHDsbvOFf4/7F1ovWY
 hJbA6GK/LUZeHHTjnbZcH1uDYQeHly4UOLxeEvhGoz4JhS2C7JzN/uRnwbdOAUbJr8rUj/IY
 a7gk906rktsc/Ldrxrxh7O6WO0JCh2XO/p4pDfEwwB37g4xHprSab28ECYJ9JMbtA8Sy4M55
 g3+GQ28FvSlGnx48OoGXU2BZdc1vZKSQmNOlikB+9/hDX8zdYWVfDaX1TLQ8Ib4+xTUmapza
 mV/bxIsaZRBw+jFjLQHhTbIMfPEU+4mxFDvTdbKPruKPqVf1ydgMnPZWngowdwARAQABwsBf
 BBgBCAAJBQJX4t3DAhsMAAoJEB2VvLyBaaaC6qkIAJs9sDPqrqW0bYoRfzY6XjDWQ59p9tJi
 v8aogxacQNCfAu+WkJ8PNVUtC1dlVcG5NnZ80gXzd1rc8ueIvXlvdanUt/jZd8jbb3gaDbK3
 wh1yMCGBl/1fOJTyEGYv1CRojv97KK89KP5+r8x1P1iHcSrunlDNqGxTMydNCwBH23QcOM+m
 u4spKnJ/s0VRBkw3xoKBZfZza6fTQ4gTpAipjyk7ldOGBV+PvkKATdhK2yLwuWXhKbg/GRlD
 1r5P0gxzSqfV4My+KJuc2EDcrqp1y0wOpE1m9iZqCcd0fup5f7HDsYlLWshr7NQl28f6+fQb
 sylq/j672BHXsdeqf/Ip9V4=
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spamd-Bar: ---
X-Spamd-Result: default: False [-3.89 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-1.00)[-1.000];
	DMARC_POLICY_ALLOW(-0.50)[plan-b.pwste.edu.pl,quarantine];
	R_DKIM_ALLOW(-0.20)[plan-b.pwste.edu.pl:s=plan-b-mailer];
	R_SPF_ALLOW(-0.20)[+mx];
	ONCE_RECEIVED(0.10)[];
	MIME_GOOD(-0.10)[text/plain];
	XM_UA_NO_VERSION(0.01)[];
	RCVD_TLS_ALL(0.00)[];
	DKIM_TRACE(0.00)[plan-b.pwste.edu.pl:+];
	RCPT_COUNT_ONE(0.00)[1];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	HAS_XAW(0.00)[];
	ASN(0.00)[asn:206006, ipnet:2001:678:618::/48, country:PL];
	ARC_NA(0.00)[];
	TO_DN_NONE(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCVD_COUNT_ONE(0.00)[1];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org];
	MID_RHS_MATCH_FROM(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-pf@freebsd.org];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	MIME_TRACE(0.00)[0:+]
X-Rspamd-Queue-Id: 4TmZ0l28S0z4Py3

Dear contributors and PF users,

I have recently bumped into serious trouble after upgrading one of the 
firewalls to 14.0-STABLE. On previously running 13.3-STABLE it was 
utilized special setup where IPFW with dummynet was shaping traffic and 
PF was a real firewall. Since it was rather complex firewall with 
hundreds of rules, many anchors and packet tagging, finding the breakage 
took some time. I know it was never recommended to use both: IPFW and PF 
simultaneously, but it worked flawlessly, IIRC from FreeBSD 10.0 times. 
So finally it came out that using IPFW with dummynet for shaping was the 
culprit of the breakage. I transitioned to new dnpipe PF syntax then, by 
adding one line to pf.conf:

match out on $int_if_1 proto tcp from any to <Virt-PCs> tagged VIRTPC 
dnpipe (17, 18)

then enabling and configuring dnctl:

sysrc dnctl_enable=YES

cat  << EOF  > /etc/dnct.conf

pipe 17 config bw  70Mbits/s  buckets 512 mask dst-ip 0x0001ffff
pipe 18 config bw 100Mbits/s buckets 512 mask src-ip 0x0001ffff

EOF

FWIW: when the problem was identified,  the transition was rather 
straightforward and easy, pipes work flawlessly and respect tagging. The 
only drawback I noticed is that "burst" keyword was rejected when 
configuring the pipes.

Cheers

-- 
Marek Zarychta