From owner-freebsd-ipfw@freebsd.org  Thu Jul 30 18:25:53 2015
Return-Path: <owner-freebsd-ipfw@freebsd.org>
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0CAC99AB185
 for <freebsd-ipfw@mailman.ysv.freebsd.org>;
 Thu, 30 Jul 2015 18:25:53 +0000 (UTC)
 (envelope-from hiren@FreeBSD.org)
Received: from mail.strugglingcoder.info (strugglingcoder.info [65.19.130.35])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits)) (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id E00D711E2
 for <freebsd-ipfw@freebsd.org>; Thu, 30 Jul 2015 18:25:52 +0000 (UTC)
 (envelope-from hiren@FreeBSD.org)
Received: from localhost (unknown [10.1.1.3])
 (Authenticated sender: hiren@strugglingcoder.info)
 by mail.strugglingcoder.info (Postfix) with ESMTPSA id D544FD0522;
 Thu, 30 Jul 2015 11:25:51 -0700 (PDT)
Date: Thu, 30 Jul 2015 11:25:51 -0700
From: hiren panchasara <hiren@FreeBSD.org>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Traffic not going through dummynet
Message-ID: <20150730182551.GF39365@strugglingcoder.info>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="eVzOFob/8UvintSX"
Content-Disposition: inline
In-Reply-To: <20150726181056.C17327@sola.nimnet.asn.au>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 18:25:53 -0000


--eVzOFob/8UvintSX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

(For various reason's I didn't get/see Ian's message. Trying to do the
right thing by setting "In-Reply-To".)

On 07/27/15 at 01:07P, Ian Smith wrote:
> On Sun, 19 Jul 2015 21:05:53 -0700, hiren panchasara wrote:
>  > Bah.
>  >=20
>  > So I removed ipfw and dummynet from kernconf and loaded them manually
>  > after machine came up and it worked as expected.
>=20
> In your previous post, you'd said you were using 11-current, and:
>=20
>  > And GENERIC has:
>  > options         IPFIREWALL
>  > options         DUMMYNET
>  > options         HZ=3D1000
>=20
> Are you sure this was a 11 GENERIC kernconf?  Those options haven't=20
> been in GENERIC for ages (if ever?), though they haven't needed to be=20
> since (perhaps) 8.0.  I guess people just follow the handbook :(

I modified GENERIC and added those options. I should have been more
clear here.
>=20
>  > Looks like some ordering issue between ipfw and dummynet. Fwiw, for
>  > working setup, kldstat shows:
>  >=20
>  > 13    2 0xffffffff81e21000 21490    ipfw.ko
>  > 14    1 0xffffffff81e43000 d0f6     dummynet.ko
>=20
> Indeed.  If you load ipfw and dummynet by the usual means, being=20
> firewall_enable=3DYES and dummynet_enable=3DYES in rc.conf, you'll notice=
=20
> that /etc/rc.d/ipfw, in ipfw_prestart, loads dummynet if enabled, and=20
> natd and/or firewall_nat if enabled, in that order.
>=20
> The downside to doing that is that you have to have specified a type for=
=20
> rc.firewall or pointed to a custom ruleset so it's sane on startup.

Didn't know the usual mean of rc.conf modifications.
>=20
> Regarding the related(?) Bug 201488 - dummynet appears broken in=20
> 10.0-RELEASE and onwards (can't traffic shape on bridges)
>  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D201488
> it does seem likely to be the same issue as you noted.
>=20
> Did you ever hear back from James Rice (for whom I seem to have seen no=
=20
> other messages for an email address) as to whether your advice about=20
> loading these in the other order helped there?

I haven't heard back yet.
>=20
> As to whether this is a regression, or it would have ever worked loading=
=20
> dummynet and then ipfw, I don't know, but I have a vague feeling that=20
> I've seen other issues regarding loading a module that's already in=20
> kernel in recent times .. sorry I can't be any more exact.

Yeah, good point about whether this is a regression or not. I am not
aware of any such loading issues wrt modules.
>=20
> Maybe dummynet needs a check that ipfw is loaded before starting?

That'd be logical, imo.

Cheers,
Hiren

--eVzOFob/8UvintSX
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQF8BAEBCgBmBQJVumwuXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBNEUyMEZBMUQ4Nzg4RjNGMTdFNjZGMDI4
QjkyNTBFMTU2M0VERkU1AAoJEIuSUOFWPt/lIKMH/AhnqfbqlQm3viX/wQC7p4iS
mZbmxU8OFLm/AXDT0P7tnaw/hsvPeJ0Dcxum45FxE8+/R7Zj0u0qTVytoHdO9/6Y
WiL7WxJi9lxVQoThx5yvRm0sLBHnFpJz8P8tkNIEwjyxzRSw9LuJdtLmnaVlCtrd
ZV80nq99lgqYix/E86D/61McugjRfycxJBr4XEdxngLpAHa0RRYDjEOMH2LdvZzh
ysru6q6yYGUeLMeFjxFKsbrffFRf5RpEBKKZYtmKSGWhjGvsUO1EvSeXBgJNsLuP
0EoY3Z5Id1vNDNZJ0/tlsbv8sUliwSuxYint2/374JeRPhVCUI0kRV+f7Dyu4+8=
=dvEU
-----END PGP SIGNATURE-----

--eVzOFob/8UvintSX--