Site Navigation

Date:      Fri, 30 Aug 2019 12:27:40 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Goran =?utf-8?q?Meki=C4=87?=" <meka@tilda.center>
Cc:        "Andrew White" <andywhite@gmail.com>, freebsd-net@freebsd.org
Subject:   Re: pf (rules and nat) + (ipfw + dummynet)
Message-ID:  <B6C36E1C-E1BD-4AA4-8223-E1990BD61291@FreeBSD.org>
In-Reply-To: <20190818093346.jjxdjkd5twzfg56c@hal9000.home.meka.rs>
References:  <CAOZMOUFfzoVj2mtOHcQRpkrjU%2B02-kik%2BNt7m0_oELUW=H=RXg@mail.gmail.com> <20190817215151.GA8888@vega.codepro.be> <20190818093346.jjxdjkd5twzfg56c@hal9000.home.meka.rs>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

On 18 Aug 2019, at 11:33, Goran Mekić wrote:
> Hello,
>
> If I knew we almost made it compile and boot (with dummynet, pf and 
> pflog loaded),
> I would postpone the previous email. :o)
>
> The code I'm working on is 
> https://github.com/mekanix/freebsd/tree/feature/pf+dummynet/12.0.
> It is nothing more than releng/12.0 branch into which I copied parts 
> of PFSense
> code until it started working. I still don't know how to test it, as 
> I'm not
> sure what's the PFSense's syntax for pf.conf. I know you can use "ipfw
> pipe list" to show the pipes without ipfw module loaded. Once loaded,
> ipfw lets you manage dummynet. What I do for now is load ipfw, set the
> pipes, unload ipfw.
>
> If anyone knows how to configure pf.conf so that it passes everything
> it receives to dummynet, I'm all ears. I will "fork" /sbin/ipfw and
> create /sbin/dnctl so we don't have to depend on IPFW at all, but I
> would like it to start working like this, first.
>
Apple do this through dnctl as you’re proposing: 
http://www.manpagez.com/man/8/dnctl/
They’ve even published source code for it: 
https://opensource.apple.com/source/network_cmds/network_cmds-543.260.3/dnctl/

I’m somewhat tempted towards an approach where the pipe definitions 
are part of pf.conf, for similarity with how ALTQ worked in pf, and how 
dummynet now works in ipfw. That’s probably not a hard requirement 
though. If it makes more sense to have two tools then let’s go for 
that.

> My concerns about this patch is that it changes IPFW, too. I don't 
> know
> if the following link is visible if you're not logged into github, but
> it shows the difference between releng/12.0 and this branch:
> https://github.com/freebsd/freebsd/compare/releng/12.0...mekanix:feature/pf+dummynet/12.0?expand=1
>
One of the issues I have with the PFSense patches is that they’re not 
broken down into usefully documented chunks. From a quick look that diff 
seems to contain completely unrelated changes.
Part of the effort is certainly going to be to tease that apart, and 
work out what bits are relevant (and *why*).

Best regards,
Kristof
From owner-freebsd-net@freebsd.org  Fri Aug 30 11:19:06 2019
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 4A9D5CB45F
 for <freebsd-net@mailman.nyi.freebsd.org>;
 Fri, 30 Aug 2019 11:19:06 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
Received: from sender4-of-o59.zoho.com (sender4-of-o59.zoho.com
 [136.143.188.59])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 46KcS85cN3z4109
 for <freebsd-net@freebsd.org>; Fri, 30 Aug 2019 11:19:04 +0000 (UTC)
 (envelope-from patfbsd@davenulle.org)
ARC-Seal: i=1; a=rsa-sha256; t67163941; cv=none; d=zoho.com; s=zohoarc;
 b=Lbkog3vtZ0njz1v3vRcEVVAT+BoOt7B5BcqiiAmTCmxuDRamPv4RrfaFSaBKIAr63KBSj+EvD+kxrX/Y+l1Gc80LzfFiQeJaJVFhcAkXT3hDLWt3kNfcbHvfI9jGlyVQvLiUjxVm6Ax7hrTJMtdo1QGW5GeKH0eqnj48rsSEFLgARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com;
 s=zohoarc; t67163941;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:To:ARC-Authentication-Results;
 bh=7z8QAvzBA8XXn2axV+W6V7qsi30wSwDOm5XMz3upOs0=;
 b=Xn6kSDSQukxYgw7pz80YCeW/lwdE3gCedqfnYZO2B9mZdFCudtYv/Xibzu007gx4NtXCJL5A1eyI19qcwMTnHpWEOJX7GbFOfTZpY2F5sNi+KJmZqrlhXyYFXaX5yYjS8A3ddnjq06c+Mq+EA222w40pMnIMEiTQK7OAi9XaXYIARC-Authentication-Results: i=1; mx.zoho.com;
 dkim=pass  header.iÚvenulle.org;
 spf=pass  smtp.mailfrom=patfbsd@davenulle.org;
 dmarc=pass header.from=<patfbsd@davenulle.org>
 header.from=<patfbsd@davenulle.org>
Received: from mr185033.univ-rennes1.fr (mr185033.univ-rennes1.fr
 [129.20.185.33]) by mx.zohomail.com
 with SMTPS id 1567163939869532.453351156497;
 Fri, 30 Aug 2019 04:18:59 -0700 (PDT)
Date: Fri, 30 Aug 2019 13:18:52 +0200
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: freebsd-net@freebsd.org
Subject: Re: problem with carp on 11.3-RELEASE
Message-ID: <20190830131852.42604d56@mr185033.univ-rennes1.fr>
In-Reply-To: <20190829125441.12197ea8@mr185033.univ-rennes1.fr>
References: <20190829125441.12197ea8@mr185033.univ-rennes1.fr>
X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-ZohoMailClient: External
X-Rspamd-Queue-Id: 46KcS85cN3z4109
X-Spamd-Bar: -----
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of patfbsd@davenulle.org has no SPF policy
 when checking 136.143.188.59) smtp.mailfrom=patfbsd@davenulle.org
X-Spamd-Result: default: False [-5.75 / 15.00]; RCVD_TLS_LAST(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0];
 MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[];
 DMARC_NA(0.00)[davenulle.org]; RCPT_COUNT_ONE(0.00)[1];
 IP_SCORE(-1.66)[ipnet: 136.143.188.0/24(-4.86), asn: 2639(-3.39), country:
 US(-0.05)]; NEURAL_HAM_SHORT(-0.99)[-0.987,0];
 RCVD_IN_DNSWL_NONE(0.00)[59.188.143.136.list.dnswl.org : 127.0.15.0];
 R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2];
 ASN(0.00)[asn:2639, ipnet:136.143.188.0/24, country:US];
 ARC_ALLOW(-1.00)[i=1]
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>;
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2019 11:19:06 -0000

On Thu, 29 Aug 2019 12:54:41 +0200
Patrick Lamaiziere <patfbsd@davenulle.org> wrote:

Hello,

> I've upgraded our two firewalls from 11.2-RELEASE-p11 to 11.3 release
> p3 and I'm seeing a problem with carp, the carp slave becomes briefly
> MASTER and returns to the slave state. This occurs often.

...

I've made an other attempt today and all is working fine.
I don't know where was the issue but I think that's not related to
FreeBSD.

Sorry for the noise :-)

Regards.

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?B6C36E1C-E1BD-4AA4-8223-E1990BD61291>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact