Date:      Fri, 18 Dec 2015 22:58:04 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        "Kenneth D. Merry" <ken@freebsd.org>
Cc:        Mike Tancsa <mike@sentex.net>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>
Subject:   Re: traffic shaping on RELENG_10 ?
Message-ID:  <20151218222536.T8562@sola.nimnet.asn.au>
In-Reply-To: <20151217192433.GA12383@mithlond.kdm.org>
References:  <5671C78A.4030807@sentex.net> <20151217192433.GA12383@mithlond.kdm.org>

On Thu, 17 Dec 2015 14:24:34 -0500, Kenneth D. Merry wrote:
 > On Wed, Dec 16, 2015 at 15:20:26 -0500, Mike Tancsa wrote:
 > > I need to do some simple traffic shaping, but whenever I try and use
 > > altq, I don't seem to have any luck-- I mean zero.
 > 
 > It took me a while to get ALTQ working.  More below..
 > 
 > >  I like the management of pf via pf.conf, but miss the simplicity of
 > > dummynet and ipfw.  Has anyone used pf and ipfw together in RELENG10 ?
 > > Any tips / caveats ? Or am I better off re-writing the pf rules into
 > > ipfw and be done with it.
 > 
 > I'm using ipfw for firewall and in-kernel NAT, and ALTQ (configured via pf)
 > for traffic shaping.

I also greatly appreciate your post on this, Ken.

I've been wondering about doing the opposite, after over 15 years using 
ipfw and over 12 years using dummynet, i.e. trying pf but wanting to use 
dummynet for shaping, as I've always found it advantageous to do shaping 
inbound as well as outbound, which pf doesn't do, like tc in Linux where 
I'd had to do some real work getting tc to shape inbound by treating it 
as outbound traffic on the inside interface - which does work fine in a 
rather internet-cafe environment requiring judicious cat-herding :)

Does anyone know if it's possible to use ipfw just for dummynet shaping, 
using pf rules for filtering, in terms of the ordering of pfil(9) hooks?

 > One thing that was non-obvious with the in-kernel NAT versus the userland
 > natd(8) was that you have to set 'sysctl net.inet.ip.fw.one_pass=0'.
 > Otherwise the rules after the NAT step in the ipfw configuration are
 > skipped.

Also needed when using dummynet - or netgraph, or reass; it's rather too
heavily overloaded, and I've always thought its default of 1 to be the 
opposite of what most people want .. way too late to change it though.

 > In-kernel NAT:
 > 
 > ${fwcmd} nat 123 config log if ${oif} same_ports unreg_only
 > 
 > # This is necessary with the in-kernel NAT to re-inject packets once they've
 > # gone through the NAT.
 > sysctl net.inet.ip.fw.one_pass=0

   ${fwcmd} disable one_pass	# accomplishes the same thing.

 > ${fwcmd} enable altq

cheers, Ian
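
The one_pass behaviour discussed in this message has a filtering consequence: while net.inet.ip.fw.one_pass is 1, a packet that matches a pipe, queue, nat or netgraph rule is accepted when it comes back out and never reaches the rules that follow. The script below is an added example, not part of the original message or of FreeBSD; the function names and the sample ruleset are constructed, and it assumes `ipfw list` output in which the second field is the action (rules with a `prob` or `set` prefix are not handled).

```shell
#!/bin/sh
# Added example (not from the original thread): report deny-type rules that
# packets never reach because an earlier rule hands them to dummynet, NAT or
# netgraph while net.inet.ip.fw.one_pass is 1.
#
# On a live FreeBSD host:
#   ipfw list | audit_one_pass "$(sysctl -n net.inet.ip.fw.one_pass)"

# audit_one_pass VALUE   (reads `ipfw list` output on stdin)
# Assumption: field 1 is the rule number and field 2 is the action.
audit_one_pass() {
    awk -v one_pass="$1" '
        # one_pass=0: packets are re-injected at the next rule, nothing is skipped.
        one_pass != 1 { next }

        # Remember the first rule whose action ends processing under one_pass=1.
        !term && $2 ~ /^(pipe|queue|nat|netgraph)$/ {
            term = $1; act = $2 " " $3; next
        }

        # Any later blocking rule is not evaluated for packets that matched it.
        term && $2 ~ /^(deny|reject|reset|unreach)$/ {
            printf "rule %s (%s) is skipped for packets matched by rule %s (%s)\n", $1, $2, term, act
        }
    '
}

# Constructed sample ruleset in `ipfw list` format (em0 is a placeholder).
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 pipe 1 ip from any to any in recv em0
00300 deny tcp from any to any dst-port 23
00400 allow tcp from any to any established
65535 deny ip from any to any'

# sample_report VALUE: run the audit over the constructed ruleset.
sample_report() {
    printf '%s\n' "$SAMPLE_RULES" | audit_one_pass "$1"
}

echo "one_pass=1:"
sample_report 1
echo "one_pass=0:"
sample_report 0
```

With the sample ruleset, the audit reports rules 00300 and 65535 under one_pass=1 and nothing under one_pass=0.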


