2011/7/14 Murat SÜRÜCÜ <[email protected]>:
> I think the problem is that dummynet corrupts PF state information. What can I do
> to prevent it?

It's not a corruption but the way pf(4) works.

In pfSense this patch is used
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_8_1/pfil.RELENG_8.diff

to allow reordering pfil consumers, especially to avoid this problem.
It has not made it into FreeBSD yet.

With this patch you can reorder pfil consumers based on your needs.
It exports the following sysctls for configuration:
net.inet.ip.pfil.inbound
net.inet.ip.pfil.outbound

So after loading pf and ipfw you can configure the order of the pfil consumers
as below to avoid the problems you are seeing.

/sbin/sysctl net.inet.ip.pfil.inbound="ipfw,pf"
/sbin/sysctl net.inet.ip.pfil.outbound="ipfw,pf"

Otherwise you will always have the problems you see.
The other way, as I told you, is to be careful when loading the modules
or when joining to pfil.

>
>
> Murat
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Murat SÜRÜCÜ
> Sent: Tuesday, July 12, 2011 8:55 AM
> To: 'Ermal Luçi'
> Cc: [email protected]
> Subject: RE: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> Thanks for reply,
> IPFW is a kernel module, PF is a loadable module in my config.
> And this config ran normally when the version was 7.2.
>
>
> Murat
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Ermal
> Luçi
> Sent: Tuesday, July 12, 2011 12:59 AM
> To: Murat SÜRÜCÜ
> Cc: [email protected]
> Subject: Re: FreeBSD 8.2 + pf + ipfw (dummynet)
>
> 2011/7/11 Murat SÜRÜCÜ <[email protected]>:
>> Hello,
>>
>> I used PF and dummynet together for about two years and it worked fine.
>> Recently I have upgraded the system from 7.2 to 8.2 and dummynet doesn't
>> work anymore.
>> If any packet belonging to the client IP is put into any pipe, it is dropped and pflog
>> says it was blocked by the last pf rule. But it matches a previous rule.
>> If I disable (flush) the ipfw rules, packets pass normally.
>>
>> Does anybody have the same experience?
>
> You have to make sure the ipfw module is loaded first, otherwise you will hit pf
> states twice, which will drop as you see.
>
>>
>> http://forums.freebsd.org/showthread.php?t=24947
>>
>> Thanks.
>>
>> Murat
>>
>>
>> _______________________________________________
>> [email protected] mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "[email protected]"
>>
>
>
>
> --
> Ermal
>



-- 
Ermal
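
An added example, not part of the original message or of pfSense: a shell sketch that checks whether ipfw precedes pf in each pfil consumer list and sets the order from the message only when needed. It assumes a kernel carrying the patch (so the two sysctls exist) and that their values are comma-separated lists like "ipfw,pf"; the function names and the SYSCTL override are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the patched kernel's sysctls
# net.inet.ip.pfil.inbound / net.inet.ip.pfil.outbound hold a
# comma-separated consumer list such as "ipfw,pf".
SYSCTL="${SYSCTL:-/sbin/sysctl}"   # overridable so the logic can be tested

# ipfw_before_pf LIST: 0 if both are present and ipfw comes first, else 1.
ipfw_before_pf() {
    seen_ipfw=0
    old_ifs=$IFS; IFS=','
    for c in $1; do
        case "$c" in
            ipfw) seen_ipfw=1 ;;
            pf)   IFS=$old_ifs; [ "$seen_ipfw" -eq 1 ]; return ;;
        esac
    done
    IFS=$old_ifs
    return 1    # pf is not in the list
}

# fix_direction inbound|outbound
# Returns 0 if the order is already right or was set,
# 2 if the sysctl does not exist (kernel without the patch).
fix_direction() {
    oid="net.inet.ip.pfil.$1"
    cur=$($SYSCTL -n "$oid" 2>/dev/null) || {
        echo "$oid not found: kernel lacks the pfil reorder patch" >&2
        return 2
    }
    if ipfw_before_pf "$cur"; then
        echo "$oid already ordered: $cur"
    else
        $SYSCTL "$oid=ipfw,pf"
    fi
}

# Run as "script apply" after both pf and ipfw are loaded.
if [ "${1:-}" = "apply" ]; then
    fix_direction inbound
    fix_direction outbound
fi
```

On a stock kernel without the patch, `fix_direction` returns 2, which is the case where only module load order can be used.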