Mac OS X introduced a new keyword “dummynet-anchor” in the pf.conf file, which is not used in FreeBSD and OpenBSD. ipfw was removed in Mac OS X 10.10. How do I use “dummynet-anchor”?
UPDATE: What portion of the ruleset will be executed by "dummynet-anchor"?
Here is what I have found out so far about that topic:
You set up your dummynet configuration using the command line tool dnctl; for details, check out man dnctl. This tool allows you to configure pipes and queues. Every pipe/queue has a numeric name, as well as a set of properties (e.g. a bandwidth, a delay, a packet drop rate, etc.).
Example from the man page:
dnctl pipe 1 config bw 14Kbit/s queue 10Kbytes
This creates a pipe named 1 with a maximum bandwidth of 14 kbps and a backlog buffer of 10 KB (or maybe 10 KiB, the page is not clear about that).
Now you only need a way to tell the system what network packets must go through that pipe and this is done using pf:
dummynet in all pipe 1
This will redirect all incoming traffic to the pipe named 1.
Even though it is documented nowhere, the -s option of pfctl also knows a dummynet parameter. E.g. to see the dummynet entries that the Network Link Conditioner (nlc) from Apple's Dev Tools is setting, just run:
sudo pfctl -a com.apple.nlc/base -s dummynet
Here's a sample output:
no dummynet quick on lo0 all
dummynet in quick inet all allow-opts pipe 40269
dummynet in quick inet6 all allow-opts pipe 40269
dummynet out quick inet all allow-opts pipe 40270
dummynet out quick inet6 all allow-opts pipe 40270
Now let's look up what pipes it has configured:
40269: 1.000 Mbit/s 500 ms 50 sl.plr 0.100000 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
40270: 1.000 Mbit/s 500 ms 50 sl.plr 0.100000 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
This matches exactly what I've configured:
Okay, what is a dummynet-anchor? Well, I think it's just an anchor but one for dummynet rules, similar to how there are nat-anchors for NAT (Network Address Translation) rules. Running:
sudo pfctl -sa
I get this output:
TRANSLATION RULES:
nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all
FILTER RULES:
scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all
DUMMYNET RULES:
dummynet-anchor "com.apple/*" all
So you see there are different kinds of anchors belonging to different rule sections. Where these rules are actually loaded from is still a mystery to me. There is a directory /etc/pf.anchors on macOS, but this one only contains a single file com.apple, and this file only refers to more anchors:
#
# AirDrop anchor point.
#
anchor "200.AirDrop/*"
#
# Application Firewall anchor point.
#
anchor "250.ApplicationFirewall/*"
A search for 250.ApplicationFirewall doesn't find any files or folders with that name on my system.
So I'm sorry, this is not really an answer to your question; I really don't know the answer either. Yet this question is over 3 years old and nobody has answered it at all, so I thought I'd share my findings here, and maybe someone can pick up on it and gain some new insights that way.
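The answer above reads the dummynet rules from pfctl and the pipe settings from dnctl separately; the script below is an added example (not part of the original answer) that joins the two, so each rule is shown with the bandwidth, delay and loss rate of the pipe it points to, and rules that reference an unconfigured pipe are flagged. The function names are hypothetical, and `dnctl list` as the source of the pipe listing is an assumption, since the answer does not name the command it ran.

```shell
#!/bin/sh
# Added example: join pf dummynet rules to the dnctl pipes they reference.
# On macOS the inputs would come from (the second command is an assumption):
#   sudo pfctl -a com.apple.nlc/base -s dummynet > rules.txt
#   sudo dnctl list > pipes.txt

# Sample data copied from the outputs quoted in the answer above.
sample_rules() { cat <<'EOF'
no dummynet quick on lo0 all
dummynet in quick inet all allow-opts pipe 40269
dummynet in quick inet6 all allow-opts pipe 40269
dummynet out quick inet all allow-opts pipe 40270
dummynet out quick inet6 all allow-opts pipe 40270
EOF
}
sample_pipes() { cat <<'EOF'
40269: 1.000 Mbit/s 500 ms 50 sl.plr 0.100000 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
40270: 1.000 Mbit/s 500 ms 50 sl.plr 0.100000 1 queues (1 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
EOF
}

# summarize_dummynet RULES_FILE PIPES_FILE -> one summary line per rule
summarize_dummynet() {
  awk '
    mode == "pipes" && $1 ~ /^[0-9]+:$/ {   # pipe header line, e.g. "40269: ..."
      id = $1 + 0; seen[id] = 1             # "+ 0" drops the colon and zero padding
      bw[id] = "unlimited"; delay[id] = "0"; plr[id] = "0"
      for (i = 2; i <= NF; i++) {
        if ($i ~ /bit\/s$/)  bw[id] = $(i-1) $i
        if ($i == "ms")      delay[id] = $(i-1)
        if ($i == "sl.plr")  plr[id] = $(i+1)
      }
    }
    mode == "rules" && $1 == "no" && $2 == "dummynet" { print "exempt: " $0 }
    mode == "rules" && $1 == "dummynet" {
      dir = ($2 == "in" || $2 == "out") ? $2 : "both"; af = "any"; pipe = ""
      for (i = 2; i <= NF; i++) {
        if ($i == "inet" || $i == "inet6") af = $i
        if ($i == "pipe") pipe = $(i+1) + 0
      }
      if (pipe == "") next                  # rule without a pipe target
      if (pipe in seen) printf "%s %s pipe=%d bw=%s delay=%sms plr=%s\n", dir, af, pipe, bw[pipe], delay[pipe], plr[pipe]
      else              printf "%s %s pipe=%d UNCONFIGURED\n", dir, af, pipe
    }' mode=pipes "$2" mode=rules "$1"
}

# Demo on the sample data (no macOS tools needed).
tmp=$(mktemp -d) && sample_rules > "$tmp/r" && sample_pipes > "$tmp/p"
summarize_dummynet "$tmp/r" "$tmp/p"
rm -rf "$tmp"
```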