 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Matchstick <matchstick at oofg dot com>
 Cc:  Manuel Kasper <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Beta 1.2b5 Firewall/Traffic Shaper problem
 Date:  Fri, 25 Feb 2005 22:24:49 +0100
On 23.02.2005 00:19 +0000, Matchstick wrote:

> I'm running using filtered bridging on a WRAP board and it appears
> that if I turn Traffic Shaping on (irrespective of whether any rules,
> queues or pipes have been set up) then the inbound firewall rules
> that I've set up on the WAN interface are ignored.

I've spent time tracking down this problem as well, and as a result I
filed a FreeBSD PR:

<http://www.freebsd.org/cgi/query-pr.cgi?pr=78090>

(now if I knew that the web PR frontend didn't wrap lines at all...)

This is caused by a sloppiness introduced with the migration to
pfil_hooks - when IPFW is loaded, pfil hooks are simply skipped for
bridged packets (as a braindead solution to keep IPFW from running
twice on the same packet).

The idea of how to fix this is simple, but the implementation may not
be (which is probably why they went with this cheap, broken
workaround anyway). Any kernel hackers out there who want to give
this a stab?

The best I've been able to come up with so far is to change the
conditional that only checks whether IPFW is loaded to also check
whether bridge.ipfw is actually set (and then not set bridge.ipfw in
shaper.inc anymore). But that would mean that bridged packets could
no longer be traffic shaped. Or at least the filtering bridge and
traffic shaping would be mutually exclusive.

- Manuel
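The following is an added illustration, not code from FreeBSD, m0n0wall or Manuel's mail: a small boolean model of the bridged-packet path as the message describes it. Its two inputs are whether the IPFW module is loaded and whether the bridge.ipfw sysctl is set; the model assumes (as the mail implies) that enabling the shaper in m0n0wall does both. It contrasts the current "skip pfil whenever IPFW is loaded" logic with the proposed "skip pfil only when bridge.ipfw is set" conditional, and shows why the latter makes filtering and shaping of bridged traffic mutually exclusive. All function and field names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added illustration (not FreeBSD or m0n0wall source). Models which of the
 * two filtering passes a bridged packet actually reaches. Assumption from
 * the mail: m0n0wall's shaper.inc loads IPFW and sets bridge.ipfw together
 * when traffic shaping is turned on. Names are hypothetical.
 */
struct path_result {
    bool ipfw_ran;  /* bridge-level IPFW pass, where dummynet shaping attaches */
    bool pfil_ran;  /* pfil_hooks pass, where the WAN firewall rules live */
};

/* Current behaviour per the mail: pfil hooks skipped whenever IPFW is loaded,
 * regardless of whether bridge.ipfw is set. */
struct path_result bridge_path_current(bool ipfw_loaded, bool bridge_ipfw)
{
    struct path_result r = { false, false };
    r.ipfw_ran = ipfw_loaded && bridge_ipfw;
    r.pfil_ran = !ipfw_loaded;              /* the cheap workaround */
    return r;
}

/* Proposed conditional: skip pfil only when bridge.ipfw is actually set. */
struct path_result bridge_path_proposed(bool ipfw_loaded, bool bridge_ipfw)
{
    struct path_result r = { false, false };
    r.ipfw_ran = ipfw_loaded && bridge_ipfw;
    r.pfil_ran = !(ipfw_loaded && bridge_ipfw);
    return r;
}

/* Does a bridged packet reach the WAN firewall rules (pfil)? */
bool wan_rules_enforced_current(bool ipfw_loaded, bool bridge_ipfw)
{
    return bridge_path_current(ipfw_loaded, bridge_ipfw).pfil_ran;
}
bool wan_rules_enforced_proposed(bool ipfw_loaded, bool bridge_ipfw)
{
    return bridge_path_proposed(ipfw_loaded, bridge_ipfw).pfil_ran;
}
/* Does a bridged packet reach the shaper (IPFW/dummynet) under the proposal? */
bool shaped_proposed(bool ipfw_loaded, bool bridge_ipfw)
{
    return bridge_path_proposed(ipfw_loaded, bridge_ipfw).ipfw_ran;
}

static void show(const char *label, struct path_result r)
{
    printf("%-40s ipfw=%d pfil(WAN rules)=%d\n", label, r.ipfw_ran, r.pfil_ran);
}

int main(void)
{
    /* Shaper off: IPFW not loaded, WAN rules apply to bridged packets. */
    show("current, shaper off", bridge_path_current(false, false));
    /* Shaper on: IPFW loaded and bridge.ipfw set; WAN rules silently bypassed. */
    show("current, shaper on", bridge_path_current(true, true));
    /* Proposal, bridge.ipfw unset: rules enforced, but bridged traffic is not shaped. */
    show("proposed, IPFW loaded, bridge.ipfw=0", bridge_path_proposed(true, false));
    /* Proposal, bridge.ipfw set: shaped, but the WAN rules are skipped again. */
    show("proposed, IPFW loaded, bridge.ipfw=1", bridge_path_proposed(true, true));
    return 0;
}
```

The last two cases are the trade-off the mail ends on: with the proposed conditional, a bridged packet is either filtered by the pfil rules or shaped by IPFW, never both, so a filtering bridge and traffic shaping become mutually exclusive.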