From: Ian Smith
Date: Fri, 18 Dec 2015 22:58:04 +1100 (EST)
To: "Kenneth D. Merry"
cc: Mike Tancsa, FreeBSD-STABLE Mailing List
Subject: Re: traffic shaping on RELENG_10 ?

On Thu, 17 Dec 2015 14:24:34 -0500, Kenneth D. Merry wrote:
> On Wed, Dec 16, 2015 at 15:20:26 -0500, Mike Tancsa wrote:
> > I need to do some simple traffic shaping, but whenever I try and use
> > altq, I don't seem to have any luck-- I mean zero.
>
> It took me a while to get ALTQ working.  More below..
>
> > I like the management of pf via pf.conf, but miss the simplicity of
> > dummynet and ipfw.  Has anyone used pf and ipfw together in RELENG10 ?
> > Any tips / caveats ?  Or am I better off re-writing the pf rules into
> > ipfw and be done with it.
>
> I'm using ipfw for firewall and in-kernel NAT, and ALTQ (configured via pf)
> for traffic shaping.

I also greatly appreciate your post on this, Ken.

I've been wondering about doing the opposite, after over 15 years using
ipfw and over 12 years using dummynet, ie trying pf but wanting to use
dummynet for shaping, as I've always found it advantageous to do shaping
inbound as well as outbound, which pf doesn't do, like tc in linux where
I'd had to do some real work getting tc to shape inbound by treating it
as outbound traffic on the inside interface - which does work fine in a
rather internet-cafe environment requiring judicious cat-herding :)

Does anyone know if it's possible to use ipfw just for dummynet shaping,
using pf rules for filtering, in terms of the ordering of pfil(9) hooks?

> One thing that was non-obvious with the in-kernel NAT versus the userland
> natd(8) was that you have to set 'sysctl net.inet.ip.fw.one_pass=0'.
> Otherwise the rules after the NAT step in the ipfw configuration are
> skipped.

Also needed when using dummynet - or netgraph, or reass; it's rather too
heavily overloaded, and I've always thought its default of 1 to be the
opposite of what most people want .. way too late to change it though.

> In-kernel NAT:
>
> ${fwcmd} nat 123 config log if ${oif} same_ports unreg_only
>
> # This is necessary with the in-kernel NAT to re-inject packets once they've
> # gone through the NAT.
> sysctl net.inet.ip.fw.one_pass=0

${fwcmd} disable one_pass	# accomplishes the same thing.

> ${fwcmd} enable altq

cheers, Ian