Date: Tue, 24 May 2005 23:46:10 -0500
From: Bill Marquette <bill.marquette@gmail.com>
To: freebsd-pf@freebsd.org
Subject: ALTQ last match queuing?
Message-ID: <55e8a96c05052421465b2ae125@mail.gmail.com>
Hi, I'm trying to have pf do what's essentially a queue assignment in one rule and a final pass/keep state in a second rule. The man page for FreeBSD 6 (and OpenBSD 3.7) reads like it should work the same as tags: the rule a packet hits that has a queue is the last queue the packet gets. "During the filtering component of pf.conf, the last referenced queue name is where any packets from pass rules will be queued". To me this reads that the following rule set will assign an outbound SSH to the qHighUp and qHighDown queues (depending on which interface it traverses). In reality it doesn't work (and I sorta understand why - I guess after reading the man page it read like it worked like tags).

altq on { dc0, dc1 } cbq bandwidth 200Mb queue { q_up, q_down, lan2lan }
queue q_up priority 7 bandwidth 384Kb cbq { qHighUp, qHatedUp }
queue q_down priority 7 bandwidth 384Kb cbq { qHighDown, qHatedDown }
queue lan2lan priority 1 bandwidth 190Mb cbq (default) { qdefault }
queue qHighUp priority 5 bandwidth 256Kb cbq( borrow )
queue qHatedUp priority 3 bandwidth 64Kb cbq( red ecn borrow )
queue qHighDown priority 4 bandwidth 256Kb cbq ( red ecn borrow )
queue qHatedDown priority 2 bandwidth 64Kb cbq ( red ecn borrow )
queue qdefault priority 0 cbq ( red ecn )

pass in on dc0 proto tcp from any to any port = 22 flags S/SA keep state queue qHighDown
pass out on dc1 proto tcp from any to any port = 22 flags S/SA keep state queue qHighUp
block in all
pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
pass out quick on dc1 proto tcp from any to any port = 22 flags S/SA keep state

In the above rule set the ssh hits the lan2lan queue - not intended.
If I use quicks on the first two ssh rules the traffic does indeed hit the right queue, but this won't work for what I'm trying to do (split rule management between traffic shaping and security policy).
The following does work, but will give me some interesting design challenges (such as creating filter rules with tag/queue mismatches :)).

pass in on dc0 proto tcp from any to any port = ssh flags S/SA keep state tag sshdown
pass out on dc1 proto tcp from any to any port = ssh flags S/SA keep state tag sshup
block all
pass in quick on dc0 proto tcp from any to any port = ssh flags S/SA keep state queue qHighDown tagged sshdown
pass out quick on dc1 proto tcp from any to any port = ssh flags S/SA keep state queue qHighUp tagged sshup

Any thoughts? I haven't looked at the code, so I'm not sure how the queue persists (or doesn't) with a packet.

Thanks
--Bill
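A simplified model of the rule walk discussed in the mail, added here as an illustration (it is not from the mail, from pf's source or from its man page). It assumes last-match semantics with a quick short-circuit, a sticky tag and a non-sticky queue, and it ignores direction so the block rule matches every packet; Rule, evaluate, RULESET_QUEUE_ONLY and RULESET_TAGGED are the example's own names.

```python
# Added model of pf evaluation (not pf source): last matching rule wins unless quick; tag is sticky, queue is not.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str             # "pass" or "block"
    iface: str = None       # None matches any interface
    port: int = None        # None matches any destination port
    quick: bool = False
    queue: str = None       # queue this rule assigns, if any
    tag: str = None         # tag this rule applies (sticky), if any
    tagged: str = None      # match only packets already carrying this tag

def evaluate(rules, iface, port, default_queue="qdefault"):
    """Return (action, queue) for a TCP packet seen on iface to port."""
    tag, last = None, Rule("pass")  # pf's implicit default: pass, default queue
    for r in rules:
        if r.iface not in (None, iface) or r.port not in (None, port):
            continue
        if r.tagged is not None and r.tagged != tag:
            continue
        last = r                    # last match wins...
        if r.tag is not None:
            tag = r.tag             # ...but a tag survives later matching rules
        if r.quick:
            break                   # ...unless the match is quick
    return (last.action, last.queue or default_queue)

# Ruleset 1 from the mail: queue on non-quick rules, then a quick pass naming no queue.
RULESET_QUEUE_ONLY = [
    Rule("pass", "dc0", 22, queue="qHighDown"),
    Rule("pass", "dc1", 22, queue="qHighUp"),
    Rule("block"),
    Rule("pass", "dc0", 22, quick=True),
    Rule("pass", "dc1", 22, quick=True),
]

# Ruleset 2 from the mail: tag in the policy rules, queue on the tagged rules.
RULESET_TAGGED = [
    Rule("pass", "dc0", 22, tag="sshdown"),
    Rule("pass", "dc1", 22, tag="sshup"),
    Rule("block"),
    Rule("pass", "dc0", 22, quick=True, queue="qHighDown", tagged="sshdown"),
    Rule("pass", "dc1", 22, quick=True, queue="qHighUp", tagged="sshup"),
]

if __name__ == "__main__":
    print(evaluate(RULESET_QUEUE_ONLY, "dc0", 22))  # ('pass', 'qdefault')
    print(evaluate(RULESET_TAGGED, "dc0", 22))      # ('pass', 'qHighDown')
```

In the first ruleset the final quick pass carries no queue, so the packet falls into qdefault (under lan2lan); in the second the sticky tag lets the quick rule that does name a queue match.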
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55e8a96c05052421465b2ae125>