Date: Thu, 14 Jul 2011 10:55:56 +0200
From: Ermal Luçi <eri@freebsd.org>
To: Murat SÜRÜCÜ <msurucu@karaelmas.edu.tr>
Cc: freebsd-pf@freebsd.org
Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)
Message-ID: <CAPBZQG1_Go5T9rjKw=xMv4z2%2BX2Zx4w1DdgYCzdoWqMFyCR=Dg@mail.gmail.com>
In-Reply-To: <002f01cc41ff$ac02eac0$0408c040$@karaelmas.edu.tr>
References: <010b01cc3fc2$7763b450$662b1cf0$@karaelmas.edu.tr>
 <CAPBZQG2wi4RxPdPZ4yLkryf3TuRtQGPCC=Q8AqLD5sJbsGgYpw@mail.gmail.com>
 <002601cc4058$36a5b170$a3f11450$@karaelmas.edu.tr>
 <002f01cc41ff$ac02eac0$0408c040$@karaelmas.edu.tr>

2011/7/14 Murat SÜRÜCÜ <msurucu@karaelmas.edu.tr>:
> I think the problem is dummynet corrupts PF state information. What can I do
> to prevent it?

It's not a corruption but the way pf(4) works.
In pfSense this patch is used
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/pfil.RELENG_8.diff
to allow reordering pfil consumers, especially to avoid this problem.
It has not made it into FreeBSD yet.

With this patch you can reorder pfil consumers based on your needs.
It exports the following sysctls for configuration:

    net.inet.ip.pfil.inbound
    net.inet.ip.pfil.outbound

So after loading pf and ipfw you can configure the order of the pfil
consumers as below to avoid the problems you are seeing.

    /sbin/sysctl net.inet.ip.pfil.inbound="ipfw,pf"
    /sbin/sysctl net.inet.ip.pfil.outbound="ipfw,pf"

Otherwise you will always have the problems you see.
The other way, as I told you, is to be careful when loading the modules or
when joining to pfil.

>
>
> Murat
>
>
> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
> Behalf Of Murat SÜRÜCÜ
> Sent: Tuesday, July 12, 2011 8:55 AM
> To: 'Ermal Luçi'
> Cc: freebsd-pf@freebsd.org
> Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> Thanks for the reply,
> IPFW is a kernel module, PF is a loadable module in my config.
> And this config ran normally when the version was 7.2.
>
>
> Murat
>
>
> -----Original Message-----
> From: ermal.luci@gmail.com [mailto:ermal.luci@gmail.com] On Behalf Of Ermal
> Luçi
> Sent: Tuesday, July 12, 2011 12:59 AM
> To: Murat SÜRÜCÜ
> Cc: freebsd-pf@freebsd.org
> Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> 2011/7/11 Murat SÜRÜCÜ <msurucu@karaelmas.edu.tr>:
>> Hello,
>>
>> I used PF and dummynet together for about two years and it worked fine.
>> Recently I have upgraded the system from 7.2 to 8.2 and dummynet doesn't
>> work anymore.
>> If any packet belonging to the client IP is put into any pipe, it is
>> dropped and pflog says it was blocked by the last pf rule. But it matches
>> a previous rule.
>> If I disable (flush) the ipfw rules, packets pass normally.
>>
>> Does anybody have the same experience?
>
> You have to make sure the ipfw module is loaded first, otherwise you will
> hit pf states twice, which will drop as you see.
>
>>
>> http://forums.freebsd.org/showthread.php?t=24947
>>
>> Thanks.
>>
>> Murat
>>
>>
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>
>
>
> --
> Ermal
>

-- 
Ermal