Current-Users archive


Re: in_cksum: out of data



Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost> writes:

> Thanks, Christos!  Then I'll be converting from pf to npf+altqd over the
> weekend, I suppose.  Hmpf!  It's been only, what?, a few years? since I
> converted from ipfilter to pf!  ;)

Well, that was quick and easy!

I've now gone from pf to npf+altqd, and the transition was very simple
and straightforward.  More importantly, the resulting npf.conf is so
much more readable: the grouping of rules by interfaces really helps.
Even more importantly: IPv6 now works properly, since it's not dropping
fragments, and my gateway system has stopped complaining about not being
able to send UDP packets because of a shortage of mbufs!

A big "thank you" to rmind!

Of course, I lost a bit of functionality by not having the ALTQ rules
integrated into the firewall configuration, but since I was really just
tuning my ISP uplink to stop congestion and ensure responsiveness for
interactive traffic, it wasn't so hard to write a proper altq.conf.

So far, I have just one improvement suggestion for npf: the ability to
use sets instead of singletons in rules is great, but needs to be
extended to letting sets of addresses and networks cross address
families.  I'd like to be able to do this:

$myhost = { 193.71.27.7, 2001:8c0:c904:10::7 }
$myservices = { https, smtp }
pass in proto tcp to $myhost port $myservices

Instead, I have to say:

$myhost_v4 = 193.71.27.7
$myhost_v6 = 2001:8c0:c904:10::7
$myservices = { https, smtp }
pass in proto tcp to $myhost_v4 port $myservices
pass in proto tcp to $myhost_v6 port $myservices

-tih
-- 
I like long walks, especially when they are taken by people who annoy me.
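An added example, not from the post above and not part of npf itself: a small Python helper that applies the workaround Tom describes mechanically, splitting a mixed-family list of addresses/networks into one per-family npf variable and emitting one rule per family, so the "wished-for" single rule can be kept in one place and expanded. The `_v4`/`_v6` suffixes, the `expand_rule` function and the sample inputs are my own assumptions.

```python
import ipaddress


def split_by_family(entries):
    """Group addresses/networks (kept as written) into IPv4 and IPv6 lists.
    Raises ValueError if an entry is not a valid address or network."""
    by_family = {4: [], 6: []}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # host or prefix
        by_family[net.version].append(entry)
    return by_family[4], by_family[6]


def npf_set(items):
    """Render a list as an npf singleton or as a { a, b } set literal."""
    return items[0] if len(items) == 1 else "{ " + ", ".join(items) + " }"


def expand_rule(var, entries, services, proto="tcp", svc_var="myservices"):
    """Emit npf.conf lines equivalent to the single rule
    'pass in proto <proto> to $<var> port $<svc_var>' written against a
    mixed-family set: one variable and one rule per address family present.
    Families with no members are skipped."""
    v4, v6 = split_by_family(entries)
    variables, rules = [], []
    for suffix, members in (("v4", v4), ("v6", v6)):
        if not members:
            continue
        name = f"{var}_{suffix}"
        variables.append(f"${name} = {npf_set(members)}")
        rules.append(f"pass in proto {proto} to ${name} port ${svc_var}")
    variables.append(f"${svc_var} = {npf_set(services)}")
    return variables + rules


if __name__ == "__main__":
    # Constructed sample: the host and services from the post.
    for line in expand_rule("myhost",
                            ["193.71.27.7", "2001:8c0:c904:10::7"],
                            ["https", "smtp"]):
        print(line)
```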

