From owner-freebsd-net@FreeBSD.ORG Fri May 13 15:30:11 2005 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 39F2D16A4CE for ; Fri, 13 May 2005 15:30:11 +0000 (GMT) Received: from c00l3r.networx.ch (c00l3r.networx.ch [62.48.2.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6985843D31 for ; Fri, 13 May 2005 15:30:10 +0000 (GMT) (envelope-from andre@freebsd.org) Received: (qmail 78044 invoked from network); 13 May 2005 15:28:00 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by c00l3r.networx.ch (qmail-ldap-1.03) with SMTP for ; 13 May 2005 15:28:00 -0000 Message-ID: <4284C804.ABC0C314@freebsd.org> Date: Fri, 13 May 2005 17:30:12 +0200 From: Andre Oppermann X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Jeremie Le Hen References: <20050513100606.GE667@obiwan.tataz.chchile.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@FreeBSD.org Subject: Re: Dummynet/ipnat interaction breakage X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 May 2005 15:30:11 -0000 Jeremie Le Hen wrote: > > On Wed, Feb 02, 2005 at 12:05:11PM +0100, Jeremie Le Hen wrote: > > > Take a look at PRs 61685 and 76539. Hope that helps. > > > > Well, I was aware of the first one (I'm doing shaping on my internal > > interface as a workaround), but not the second one. The second one > > is very new and this could indeed be the same problem I encountered. > > > > It seems that the import of IPFilter 3.4.35 in the middle of 2004 is > > the source of the problem because when I switch back to 3.4.31 on > > 4.11, everything works. > > > > I Cc'ed andre@ since he had not took over 76539, maybe he's not aware > > of it. > > > > Andre, what can you tell us about the drawbacks of the proposed patches ? > > I think there must be some as they would have been merged if this was > > not the case. > > > > Are there any change to have this fixed in RELENG_4 ? I know that no > > more releases are scheduled in this branch, but there is no obvious > > reason to let a bug live there IMHO. > > 4.1 is still broken. I understand that RELENG_4 is at end of its life > but ipnat/dummynet interaction further breakage between 4.10 and 4.11 > (due to IPFilter 3.4.35 import) is, IMHO, not acceptable for FreeBSD, > especially RELENG_4 which is a must in term of stability and release > engineering. My workaround was to go back to RELENG_4_10 branch in > src/sys/contrib/ipfilter. > > Given that *there are* patches in these PR, although we should admit > these are not examples of long term solution, is there any chance to > get this commited into RELENG_4 to assist this old good branch until > its funeral ? The problem is not to break something while 'fixing' this problem. I haven't looked at the proposed patch but not the entire code path in either 4.11 or 5.4. However it seems very likely to me that this 'fix' breaks ipfw one_pass/multi_pass. In ipfw/dummynet you may want packets coming from dummynet to continue with the next ipfw rule. Unconditionally setting M_SKIP_FIREWALL is going to break it. -- Andre