Date: Thu, 04 Oct 2007 23:37:04 +0100
From: Tom Judge <tom@tomjudge.com>
To: Umar <unix.co@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: altq within anchor
Message-ID: <47056B10.5040700@tomjudge.com>
In-Reply-To: <47054F99.5090001@tomjudge.com>
References: <13046989.post@talk.nabble.com> <47054F99.5090001@tomjudge.com>
Tom Judge wrote:
> Umar wrote:
>> Dear members!
>>
>> I want to include an altq anchor within my pf.conf but I got an error.
>>
>> Here is the altq rule file /home/anchor-altq:
>>
>> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
>> queue default bandwidth 90Mb cbq (default)
>> queue ip4 bandwidth 90Kb
>> queue ip5 bandwidth 90Kb
>> queue ip6 bandwidth 90Kb
>> queue ip7 bandwidth 90Kb
>> anchor altqrules
>>
>> Here is my /etc/pf.conf file:
>> <-------snip-------->
>>
>> int_if = "fxp0"
>> ext_if = "rl0"
>> lan_net = "192.168.1.0/24"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>>
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # Bandwidth Shaping
>> anchor altqrules
>> load anchor altqrules from "/home/anchor-altq"
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>>
>> pass in quick on lo0 all
>> pass in quick on $int_if from $lan_net to any keep state
>> pass out on $int_if from any to any keep state
>> pass out on $ext_if from any to any keep state
>>
>> # default deny
>> block in log on $ext_if
>>
>> <-------snip-------->
>>
>> But when I reload my pf I get the error:
>>
>> Reloading pf rules.
>> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
>>
>> Please help, what should I do?
>>
>> Regards,
>>
>> Umar Draz
>
> Hi,
>
> As the above messages state, the rules must be present in the rules file
> in a fixed order:
>
> 1) Options
> 2) Normalization
> 3) Queueing (aka ALTQ)
> 4) Translation (aka NAT)
> 5) Filtering
>
> Quote from pf.conf(5):
> <quote>
> With the exception of macros and tables, the types of statements should
> be grouped and appear in pf.conf in the order shown above, as this
> matches the operation of the underlying packet filtering engine. By
> default pfctl(8) enforces this order (see set require-order below).
> </quote>
>
> And again from pf.conf(5):
> <quote>
> set require-order
> By default pfctl(8) enforces an ordering of the statement types in
> the ruleset to: options, normalization, queueing, translation,
> filtering. Setting this option to no disables this enforcement. There
> may be non-trivial and non-obvious implications to an out of order
> ruleset. Consider carefully before disabling the order enforcement.
> </quote>
>
> Tom

Further to my original reply, having realised I have not given a complete
answer: there are four types of anchor available in PF.

nat-anchor   - Holds nat rules
rdr-anchor   - Holds rdr rules
binat-anchor - Holds binat rules
anchor       - Holds filter rules

And referring to my last post, from this it can be seen that by using a
standard filter anchor you start the filter section of the configuration,
which in turn violates the rule ordering.

Tom

PS: All of the above information was taken from the pf.conf man page.
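As an added illustration (not part of the thread), the following Python re-creates pfctl's ordering check in simplified form, using the keyword-to-section mapping from the pf.conf(5) text quoted above, and runs it over a constructed excerpt of Umar's ruleset; it then shows that moving the plain `anchor` (a filter rule, as Tom explains) below the nat rule satisfies the order. Whether the altq statements can live inside that anchor file is a separate question the check does not cover.

```python
import re
# Statement order pfctl enforces under the default "set require-order yes".
SECTIONS = ["options", "normalization", "queueing", "translation", "filtering"]

# Leading keyword -> section. A plain "anchor" holds filter rules and so
# opens the filtering section; nat-/rdr-/binat-anchor belong to translation.
KEYWORD_SECTION = {
    "set": "options", "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "nat-anchor": "translation", "rdr-anchor": "translation", "binat-anchor": "translation",
    "pass": "filtering", "block": "filtering", "anchor": "filtering",
}
MACRO_RE = re.compile(r"^[A-Za-z_]\w*\s*=")  # name = "value" macro definitions

def classify(line):
    # Section of one pf.conf line, or None when the line is exempt from
    # ordering (blank, comment, macro, table, "load anchor").
    text = line.split("#", 1)[0].strip()
    if not text or MACRO_RE.match(text):
        return None
    first = text.split()[0]
    if first in ("table", "load"):
        return None
    return KEYWORD_SECTION.get(first)

def check_order(conf):
    # (lineno, section, later_section_already_seen) for each statement that
    # appears after a statement belonging to a later section.
    violations, highest = [], 0
    for lineno, line in enumerate(conf.splitlines(), 1):
        section = classify(line)
        if section is None:
            continue
        idx = SECTIONS.index(section)
        if idx < highest:
            violations.append((lineno, section, SECTIONS[highest]))
        highest = max(highest, idx)
    return violations

# Constructed excerpt of the poster's ruleset: the filter anchor precedes nat.
BROKEN = """ext_if = "rl0"
set block-policy drop
scrub in all
anchor altqrules
load anchor altqrules from "/home/anchor-altq"
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
pass out on $ext_if from any to any keep state
"""
# Same statements with the filter anchor moved after the translation section.
FIXED = BROKEN.replace("anchor altqrules\n", "", 1) + "anchor altqrules\n"
```

`check_order(BROKEN)` reports the nat line as a translation statement following filtering, which is the same class of complaint pfctl printed for Umar's file; `check_order(FIXED)` returns no violations.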