Dear contributors and PF users,
I have recently bumped into serious trouble after upgrading one of the
firewalls to 14.0-STABLE. On the previously running 13.3-STABLE a special
setup was used where IPFW with dummynet was shaping traffic and PF was
the real firewall. Since it was a rather complex firewall with hundreds
of rules, many anchors and packet tagging, finding the breakage took some
time. I know it was never recommended to use both IPFW and PF
simultaneously, but it worked flawlessly, IIRC since FreeBSD 10.0 times.
So finally it came out that using IPFW with dummynet for shaping was the
culprit of the breakage. I then transitioned to the new dnpipe PF syntax
by adding one line to pf.conf:
match out on $int_if_1 proto tcp from any to <Virt-PCs> tagged VIRTPC dnpipe (17, 18)
then enabling and configuring dnctl:
sysrc dnctl_enable=YES
cat << EOF > /etc/dnctl.conf
pipe 17 config bw 70Mbits/s buckets 512 mask dst-ip 0x0001ffff
pipe 18 config bw 100Mbits/s buckets 512 mask src-ip 0x0001ffff
EOF
FWIW: once the problem was identified, the transition was rather
straightforward and easy; the pipes work flawlessly and respect tagging.
The only drawback I noticed is that the "burst" keyword was rejected when
configuring the pipes.
Cheers
--
Marek Zarychta
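An added illustration of what the two masked pipes above do; this is not code from the post or from FreeBSD, only a small model. It assumes the pf.conf(5) semantics that in `dnpipe (17, 18)` the first pipe applies in the rule's direction (out) and the second to reply traffic (in), and that dummynet keys a dynamic queue on the masked address, so each Virt-PC gets its own 70/100 Mbit/s queue in both directions. The addresses and packets are constructed.

```python
import ipaddress

# Constructed model of the two dnctl pipes from the post:
# pipe number -> (bandwidth, which address the mask applies to, mask)
PIPES = {
    17: {"bw_bps": 70_000_000, "mask_field": "dst", "mask": 0x0001FFFF},
    18: {"bw_bps": 100_000_000, "mask_field": "src", "mask": 0x0001FFFF},
}

# dnpipe (17, 18) on a "match out" rule: first pipe for the rule's own
# direction (out), second for the reply direction (in), per pf.conf(5).
DNPIPE = {"out": 17, "in": 18}


def flow_key(direction, src_ip, dst_ip):
    """Return (pipe number, masked address) dummynet would use as the queue key.

    With a mask, dummynet keeps one dynamic queue per distinct masked value,
    each getting the pipe's full bandwidth. Because pipe 17 masks dst-ip and
    pipe 18 masks src-ip, both directions key on the Virt-PC's address.
    """
    pipe_no = DNPIPE[direction]
    pipe = PIPES[pipe_no]
    addr = dst_ip if pipe["mask_field"] == "dst" else src_ip
    masked = int(ipaddress.IPv4Address(addr)) & pipe["mask"]
    return pipe_no, masked


def per_host_queues(packets):
    """Group constructed (direction, src, dst) packets into the queues they join."""
    queues = {}
    for direction, src, dst in packets:
        queues.setdefault(flow_key(direction, src, dst), []).append((direction, src, dst))
    return queues


if __name__ == "__main__":
    # Constructed sample: two Virt-PCs talking to one external host.
    sample = [
        ("out", "192.0.2.10", "10.20.1.5"),
        ("in", "10.20.1.5", "192.0.2.10"),
        ("out", "192.0.2.10", "10.20.2.5"),
        # Differs from 10.20.1.5 only above bit 17: mask 0x0001ffff cannot
        # tell them apart, so they share a queue (a caveat of that mask).
        ("out", "192.0.2.10", "10.22.1.5"),
    ]
    for key, pkts in per_host_queues(sample).items():
        print(key, pkts)
```

The last sample packet shows the practical limit of `mask 0x0001ffff`: hosts whose addresses differ only in bits above the 17th land in the same queue and share its bandwidth.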