From owner-freebsd-pf@FreeBSD.ORG Sun Oct 16 15:59:51 2005
From: Gleb Smirnoff
To: Max Laier
Cc: Brian Fundakowski Feldman, freebsd-pf@FreeBSD.org
Date: Sun, 16 Oct 2005 19:59:42 +0400
Subject: Re: ALTQ and PPP access concentrator
Message-ID: <20051016155942.GG14542@cell.sick.ru>
In-Reply-To: <200510151639.51156.max@love2party.net>

On Sat, Oct 15, 2005 at 04:39:37PM +0200, Max Laier wrote:
M> I agree that ALTQ configuration (esp for big setups) has some limitations and
M> gotchas as is. I'd like to take the opportunity to start a discussion about
M> what features are required to make it more usable. It is certainly
M> interesting to look at decoupling /dev/pf and altq configuration. The end
M> result would be a (in-kernel) lookup service that allows pf (or any other
M> end-user of ALTQ) to lookup QIDs by interface:qname. In order to keep things
M> in sync I am thinking of an eventhandler of some kind.
M>
M> This would allow us to keep the inlined configuration as it happens right now

Yes, I agree. Some work is needed here. Besides the already described
obstacles, we also have dangling pointers after the interfaces had been
removed:

pfctl -Af /etc/altq
/usr/local/etc/rc.d/mpd4.sh restart
[ this creates new ifnet instances, and destroys old ones ]
pfctl -Af /etc/altq
boom!

#5  0xc06fe33a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#6  0xc05c1b91 in turnstile_setowner (ts=0xc1867dc0, owner=0x2839ea60) at /usr/src/sys/kern/subr_turnstile.c:417
#7  0xc05c1e94 in turnstile_wait (lock=0xc1cba10c, owner=0x2839ea60) at /usr/src/sys/kern/subr_turnstile.c:576
#8  0xc0598968 in _mtx_lock_sleep (m=0xc1cba10c, tid=0xc1c544e0, opts=0x0, file=0x0, line=0x0) at /usr/src/sys/kern/kern_mutex.c:553
#9  0xc045fe0e in priq_class_destroy (cl=0xc1bb6dc0) at /usr/src/sys/contrib/altq/altq/altq_priq.c:416
#10 0xc045fa7a in priq_clear_interface (pif=0xc1c45400) at /usr/src/sys/contrib/altq/altq/altq_priq.c:252
#11 0xc045f910 in priq_remove_altq (a=0xc1867dc0) at /usr/src/sys/contrib/altq/altq/altq_priq.c:161
#12 0xc0463290 in altq_remove (a=0xc1867dc0) at /usr/src/sys/contrib/altq/altq/altq_subr.c:647
#13 0xc048d72e in pf_commit_altq (ticket=0xc1c54500) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:1116
#14 0xc04910e7 in pfioctl (dev=0xc1711400, cmd=0x4, addr=0x0, flags=0x3, td=0xc1c54500)

M> (just a little rewriting in pfctl), but enable easy changes for interfaces
M> coming late. mpd would just trigger necessary altq-configuration from its
M> UP-script.
Actually I am dreaming to implement a RADIUS bandwidth management for
mpd. In this case ALTQ configuration needs to be changed when the user
logs in, for the interface he came.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 16 18:06:42 2005
From: Bruno Afonso
To: Gleb Smirnoff
Cc: freebsd-pf@FreeBSD.org, Brian Fundakowski Feldman
Date: Sun, 16 Oct 2005 14:06:44 -0400
Subject: Re: ALTQ and PPP access concentrator
Message-ID: <435296B4.50006@dequim.ist.utl.pt>
In-Reply-To: <20051016155942.GG14542@cell.sick.ru>

Hi everyone,

I've been recently "invited" (I mean, I was the only guy they knew that had fbsd
experience :> ) to set up a pppoe server for a 20+ user base of wifi users.
Basically, we're using pppoe server from freebsd and a radius server for
user authentication.

There's a document explaining how to do this using ipfw and this uses
ppp.linkup and ppp.linkdown to invoke scripts. Things get harder with pf
+ altq (I'm using cbq on tunX interfaces and hfsc on outgoing - read
upload - interface). The way I've set it up was to create a script that
reads a file that has listed all users on each interface and it
generates the pf.conf. This was the only way I found to generate altq
setup lines for each tunX interface.

In a perfect world, one would do:

altq on tun* ...

This could for example be the DEFAULT altq setup instead a user would
explicitly use

altq on tun0 ..

Having said this, it wouldn't help my setup too much since we have 3 to
4 classes of users and each has different bw privileges so we always
need to have a script... :-)

best
bruno

Gleb Smirnoff wrote:
> On Sat, Oct 15, 2005 at 04:39:37PM +0200, Max Laier wrote:
> M> I agree that ALTQ configuration (esp for big setups) has some limitations and
> M> gotchas as is. I'd like to take the opportunity to start a discussion about
> M> what features are required to make it more usable. It is certainly
> M> interesting to look at decoupling /dev/pf and altq configuration. The end
> M> result would be a (in-kernel) lookup service that allows pf (or any other
> M> end-user of ALTQ) to lookup QIDs by interface:qname. In order to keep things
> M> in sync I am thinking of an eventhandler of some kind.
> M>
> M> This would allow us to keep the inlined configuration as it happens right now
>
> Yes, I agree. Some work is needed here. Besides the already described
> obstacles, we also have dangling pointers after the interfaces had been
> removed:
>
> pfctl -Af /etc/altq
> /usr/local/etc/rc.d/mpd4.sh restart
> [ this creates new ifnet instances, and destroys old ones ]
> pfctl -Af /etc/altq
> boom!
>
> #5  0xc06fe33a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #6  0xc05c1b91 in turnstile_setowner (ts=0xc1867dc0, owner=0x2839ea60) at /usr/src/sys/kern/subr_turnstile.c:417
> #7  0xc05c1e94 in turnstile_wait (lock=0xc1cba10c, owner=0x2839ea60) at /usr/src/sys/kern/subr_turnstile.c:576
> #8  0xc0598968 in _mtx_lock_sleep (m=0xc1cba10c, tid=0xc1c544e0, opts=0x0, file=0x0, line=0x0) at /usr/src/sys/kern/kern_mutex.c:553
> #9  0xc045fe0e in priq_class_destroy (cl=0xc1bb6dc0) at /usr/src/sys/contrib/altq/altq/altq_priq.c:416
> #10 0xc045fa7a in priq_clear_interface (pif=0xc1c45400) at /usr/src/sys/contrib/altq/altq/altq_priq.c:252
> #11 0xc045f910 in priq_remove_altq (a=0xc1867dc0) at /usr/src/sys/contrib/altq/altq/altq_priq.c:161
> #12 0xc0463290 in altq_remove (a=0xc1867dc0) at /usr/src/sys/contrib/altq/altq/altq_subr.c:647
> #13 0xc048d72e in pf_commit_altq (ticket=0xc1c54500) at /usr/src/sys/contrib/pf/net/pf_ioctl.c:1116
> #14 0xc04910e7 in pfioctl (dev=0xc1711400, cmd=0x4, addr=0x0, flags=0x3, td=0xc1c54500)
>
> M> (just a little rewriting in pfctl), but enable easy changes for interfaces
> M> coming late. mpd would just trigger necessary altq-configuration from its
> M> UP-script.
>
> Actually I am dreaming to implement a RADIUS bandwidth management for
> mpd. In this case ALTQ configuration needs to be changed when the user
> logs in, for the interface he came.
-- 
Bruno Afonso, Biological Engineer
Dana-Farber Cancer Institute
1 Jimmy Fund Way
Smith Building
Boston, MA 02115
GABBA Graduate Student (http://gabba.up.pt)
Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Sun Oct 16 19:35:25 2005
From: Gleb Smirnoff
To: Bruno Afonso
Cc: freebsd-pf@FreeBSD.org, Brian Fundakowski Feldman
Date: Sun, 16 Oct 2005 23:35:18 +0400
Subject: Re: ALTQ and PPP access concentrator
Message-ID: <20051016193518.GH14542@cell.sick.ru>
In-Reply-To: <435296B4.50006@dequim.ist.utl.pt>

Bruno,

On Sun, Oct 16, 2005 at 02:06:44PM -0400, Bruno Afonso wrote:
B> I've been recently "invited" (I mean, I was the only guy they knew that
B> had fbsd experience :> ) to set up a pppoe server for a 20+ user base of
B> wifi users. Basically, we're using pppoe server from freebsd and a
B> radius server for user authentication.
B>
B> There's a document explaining how to do this using ipfw and this uses
B> ppp.linkup and ppp.linkdown to invoke scripts. Things get harder with pf
B> + altq (I'm using cbq on tunX interfaces and hfsc on outgoing - read
B> upload - interface). The way I've set it up was to create a script that
B> reads a file that has listed all users on each interface and it
B> generates the pf.conf. This was the only way I found to generate altq
B> setup lines for each tunX interface.
B>
B> In a perfect world, one would do:
B>
B> altq on tun* ...
B>
B> This could for example be the DEFAULT altq setup instead a user would
B> explicitly use
B>
B> altq on tun0 ..
B>
B> Having said this, it wouldn't help my setup too much since we have 3 to
B> 4 classes of users and each has different bw privileges so we always
B> need to have a script... :-)

The ideal solution would be when ALTQ (and probably pf) configuration is not
changed in one commit, but altered on a per-interface basis. This will allow
us to change only one user's traffic bandwidth configuration, without
resetting bandwidth settings on all other interfaces. And this is required
if we want to store bandwidth parameters in RADIUS.

P.S. Please, don't top quote.

-- 
Totus tuus, Glebius.
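An added example (not code from this thread, and not Bruno's or Gleb's script): a generator in the spirit of the one Bruno describes, which turns a users-per-interface file into cbq ALTQ lines for each tunX, plus a helper that shows which interfaces a login actually changes, which is Gleb's argument for per-interface commits. The user classes, their bandwidths and the users-file layout are assumptions.

```python
"""Generate per-interface ALTQ stanzas for a PPP access concentrator.

Added example, not code from the thread. It does what Bruno's script does
(users file -> altq lines for every tunX) and makes Gleb's point concrete:
when one user logs in only that interface's stanza changes, yet `pfctl -f`
still has to reload, and so reset, the whole ruleset.
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumed user classes ("3 to 4 classes of users" in the thread) and the
# bandwidth each class gets on its PPP interface.
CLASSES: Dict[str, str] = {
    "gold": "512Kb",
    "silver": "256Kb",
    "bronze": "128Kb",
}

# Constructed sample of "a file that has listed all users on each
# interface": one "<interface> <user> <class>" record per line.
USERS_FILE = """\
# iface   user    class
tun0      alice   gold
tun1      bob     bronze
tun2      carol   silver
"""

Record = Tuple[str, str, str]  # (interface, user, class)


def parse_users(text: str) -> List[Record]:
    """Parse the users file, skipping blanks/comments, rejecting bad rows."""
    records: List[Record] = []
    seen: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected '<iface> <user> <class>'")
        iface, user, cls = parts
        if cls not in CLASSES:
            raise ValueError(f"line {lineno}: unknown class {cls!r}")
        if iface in seen:
            # Two users on one tunX would emit two "altq on" lines for the
            # same interface, which pfctl rejects at load time.
            raise ValueError(f"line {lineno}: duplicate interface {iface}")
        seen.add(iface)
        records.append((iface, user, cls))
    return records


def stanza(iface: str, cls: str, user: Optional[str] = None) -> List[str]:
    """ALTQ lines for one PPP interface (cbq, as Bruno uses on tunX).

    Queue names must be unique across the whole ruleset, so the queue is
    named after the interface rather than after the class.
    """
    bw = CLASSES[cls]
    q = f"{iface}_q"
    who = f" (user {user})" if user else ""
    return [
        f"# {iface}: class {cls}{who}",
        f"altq on {iface} cbq bandwidth {bw} queue {{ {q} }}",
        f"queue {q} bandwidth 100% cbq(default)",
        f"pass out on {iface} all queue {q}",
    ]


def render(records: List[Record]) -> str:
    """The whole-ruleset text that `pfctl -f` has to load today."""
    out: List[str] = []
    for iface, user, cls in records:
        out.extend(stanza(iface, cls, user))
        out.append("")
    return "\n".join(out)


def changed_interfaces(old: List[Record], new: List[Record]) -> List[str]:
    """Interfaces whose stanza differs between two generations of the file.

    This is the set a per-interface ALTQ commit (Gleb's wish) would touch;
    a whole-ruleset reload resets every interface in `new` instead.
    """
    before = {i: stanza(i, c) for i, _, c in old}
    after = {i: stanza(i, c) for i, _, c in new}
    return sorted(i for i in before.keys() | after.keys()
                  if before.get(i) != after.get(i))


if __name__ == "__main__":
    current = parse_users(USERS_FILE)
    print(render(current))
    # A fourth user logs in on tun3 (constructed event).
    after_login = current + [("tun3", "dave", "gold")]
    print("changed by login:", changed_interfaces(current, after_login))
    print("reset by full reload:", [i for i, _, _ in after_login])
```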
From owner-freebsd-pf@FreeBSD.ORG Mon Oct 17 11:02:02 2005
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Date: Mon, 17 Oct 2005 11:02:01 GMT
Subject: Current problem reports assigned to you
Message-Id: <200510171102.j9HB217D022441@freefall.freebsd.org>

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/06/15] kern/82271  pf     [pf] cbq scheduler cause bad latency
o [2005/09/13] i386/86072  pf     Packet Filter rule not working properly (

2 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2005/05/15] conf/81042  pf     [patch] /etc/pf.os doesn't match FreeBSD

1 problem total.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 18 04:23:32 2005
From: "Travis H."
To: Tyler
Cc: freebsd-pf@freebsd.org
Date: Mon, 17 Oct 2005 23:23:31 -0500
Subject: Re: Per Protocol Traffic Accounting
In-Reply-To: <1129185539.14560.25.camel@Ubuntu.tylercentral.com>

"set loginterface interface

Sets the interface for which PF should gather statistics such as bytes
in/out and packets passed/blocked. Statistics can only be gathered for
one interface at a time. Note that the match, bad-offset, etc.,
counters and the state table counters are recorded regardless of
whether loginterface is set or not. To turn this option off, set it to
none. The default is none."

Otherwise, couldn't you just use the ifconfig stats? I think there's
a package for exporting this via SNMP, which could be queried using
ifgraph or rrdtool.

-- 
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 18 06:59:37 2005
From: Tyler
To: freebsd-pf@freebsd.org
Date: Tue, 18 Oct 2005 00:59:32 -0600
Subject: [Fwd: Re: Per Protocol Traffic Accounting]
Message-id: <1129618772.16152.0.camel@Ubuntu.tylercentral.com>
Hi Travis,

> Thanks for the reply. However I want to capture data for each
> protocol. So, I'd like to have data for HTTP, SMTP, POP3, etc. I've
> done this before with ipfilter using the "count" command. (Eg. count
> in on de0 from any to any proto http )
>
> However PF doesn't have the count command. I've set labels on my ACL
> entries, however when a new TCP session is established, the flow stays
> with the "IN" rule because I'm keeping state on the connection. So
> the IN counters show all the bytes Tx'd and Rx'd, and the OUT rule is
> 0 because the flow never hits that rule due to keeping the state.
>
> (Hmm... confusing?)
>
> I was hoping someone out there has done per protocol accounting with
> PF because I can't figure it out. :(
>
> I've also looked at ntop from a suggestion earlier in this thread.
> However I was hoping to find a solution using just PF.
>
> Tyler
>
> On Mon, 2005-10-17 at 23:23 -0500, Travis H. wrote:
> > "set loginterface interface
> >
> > Sets the interface for which PF should gather statistics such as bytes
> > in/out and packets passed/blocked. Statistics can only be gathered for
> > one interface at a time. Note that the match, bad-offset, etc.,
> > counters and the state table counters are recorded regardless of
> > whether loginterface is set or not. To turn this option off, set it to
> > none. The default is none."
> >
> > Otherwise, couldn't you just use the ifconfig stats? I think there's
> > a package for exporting this via SNMP, which could be queried using
> > ifgraph or rrdtool.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 18 08:15:34 2005
From: "Sorin Gheorghe"
To: freebsd-pf@freebsd.org
Date: Tue, 18 Oct 2005 11:15:54 +0300
Subject: pf patch
Message-ID: <000c01c5d3bc$29031f30$0100a8c0@whitestar>
Hello,

did someone have the pf patch for tuning pf? I heard that pf has 6
classes and if I can patch the pf to remove some classes, it will become
performant to shape 10-15 kpps of traffic.

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 18 15:52:31 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 18 Oct 2005 17:53:13 +0200
Subject: Re: Per Protocol Traffic Accounting
Message-Id: <200510181753.27709.max@love2party.net>
On Tuesday 18 October 2005 06:23, Travis H. wrote:
> "set loginterface interface
>
> Sets the interface for which PF should gather statistics such as bytes
> in/out and packets passed/blocked. Statistics can only be gathered for
> one interface at a time. Note that the match, bad-offset, etc.,
> counters and the state table counters are recorded regardless of
> whether loginterface is set or not. To turn this option off, set it to
> none. The default is none."

"pfctl -vvsI -i " will give you the same stats for every interface.

> Otherwise, couldn't you just use the ifconfig stats? I think there's
> a package for exporting this via SNMP, which could be queried using
> ifgraph or rrdtool.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-pf@FreeBSD.ORG Tue Oct 18 16:02:15 2005
From: Max Laier
To: freebsd-pf@freebsd.org
Date: Tue, 18 Oct 2005 18:03:13 +0200
Subject: Re: [Fwd: Re: Per Protocol Traffic Accounting]
Message-Id: <200510181803.25142.max@love2party.net>
In-Reply-To: <1129618772.16152.0.camel@Ubuntu.tylercentral.com>
Take a look at net/pfflowd - it converts pf-states to Cisco NetFlow datagrams.
There are plenty of tools to graph the result. Alternatively, you can just
put a bpf-consumer to pfsync0 and interpret the state changes accordingly.

On Tuesday 18 October 2005 08:59, Tyler wrote:
> Hi Travis,
>
> > Thanks for the reply. However I want to capture data for each
> > protocol. So, I'd like to have data for HTTP, SMTP, POP3, etc. I've
> > done this before with ipfilter using the "count" command. (Eg. count
> > in on de0 from any to any proto http )
> >
> > However PF doesn't have the count command. I've set labels on my ACL
> > entries, however when a new TCP session is established, the flow stays
> > with the "IN" rule because I'm keeping state on the connection. So
> > the IN counters show all the bytes Tx'd and Rx'd, and the OUT rule is
> > 0 because the flow never hits that rule due to keeping the state.
> >
> > (Hmm... confusing?)
> >
> > I was hoping someone out there has done per protocol accounting with
> > PF because I can't figure it out. :(
> >
> > I've also looked at ntop from a suggestion earlier in this thread.
> > However I was hoping to find a solution using just PF.
> >
> > Tyler
> >
> > On Mon, 2005-10-17 at 23:23 -0500, Travis H. wrote:
> > > "set loginterface interface
> > >
> > > Sets the interface for which PF should gather statistics such as bytes
> > > in/out and packets passed/blocked. Statistics can only be gathered for
> > > one interface at a time. Note that the match, bad-offset, etc.,
> > > counters and the state table counters are recorded regardless of
> > > whether loginterface is set or not. To turn this option off, set it to
> > > none. The default is none."
> > >
> > > Otherwise, couldn't you just use the ifconfig stats? I think there's
> > > a package for exporting this via SNMP, which could be queried using
> > > ifgraph or rrdtool.

From owner-freebsd-pf@FreeBSD.ORG Fri Oct 21 13:35:26 2005
From: "Josh Finlay"
To: freebsd-pf@freebsd.org
Date: Fri, 21 Oct 2005 23:35:39 +1000
Subject: FreeBSD + MPD + PF + ALTQ
Message-ID: <000b01c5d644$54527f20$0132a8c0@delta>
packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Oct 2005 13:35:26 -0000 Hi, I'm using FreeBSD 5.3-RELEASE, and PF as my firewall I realise that this e-mail is not *entirely* PF related, but I thought this might be the best place to get my questions answered. Now I have zero experience with ALTQ but I have read that this is the solution to my problems. I have an ADSL connection, 512kbps up 128kbps down. 3 machines in total on the network. a freebsd router, 2 windows machines. I want to allow a sort of "sharing" of the bandwidth. Most out-of-the-box routers already do this, but I can't afford to fork out for one of those, nor would I like to part with my FreeBSD box. I was wondering if anyone would be able to provide me with some PF/ALTQ rules that would evenly distrobute my bandwidth over the 3 computers? I want it done in a way where: - if 1 pc is using the link, it can use all available bandwidth - if 2 pcs are using the link, it gets split 50/50 - if 3 pcs are using the link, it gets spread evenly over them, etc, etc This would preferable be for downstream AND upstream, to ensure that no single computer is more lagged out than the other one.. I assume this is possible, just a bit outside my knowledge base. Any hands up to write me a quick few PF rules for this? My Local IP addresses are as follows: 192.168.0.101 - router 192.168.0.6 - windows 192.168.0.1 - windows (don't ask about my IP configuration, long story :P) my network interface (has 192.168.0.101 assigned) is de0 my internet interface (has my internet ip assigned) is ng0 (using MPD) I tried a few examples I found, no luck, found another thing I will need to fix first: pfctl: ng0: driver does not support altq I searched for a patch for the ng_iface driver, but no luck. So, now i've decided to take another approach. 
I've installed a second NIC in my fbsd box so now I've got de0, and vr0 I want de0 for lan traffic it will have an assigned ip 192.168.0.101 and all other machines will use that as their gateway now I want mpd to use vr0, since the vr driver supports altq. How do I go about this? and do I need to do any routing between de0 and vr0 so that client machines using 192.168.0.101 (de0) as their gateway will be able to access the outside world? And also after all that, some nice altq rules as I detailed above in this mail. I hope to hear some solutions soon, this problem has been bugging me for some time now. Regards, Montaro. From owner-freebsd-pf@FreeBSD.ORG Sat Oct 22 07:42:35 2005 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AFA416A420 for ; Sat, 22 Oct 2005 07:42:35 +0000 (GMT) (envelope-from brunomiguel@dequim.ist.utl.pt) Received: from gecea.ist.utl.pt (gecea.ist.utl.pt [193.136.140.145]) by mx1.FreeBSD.org (Postfix) with ESMTP id 172FF43D46 for ; Sat, 22 Oct 2005 07:42:34 +0000 (GMT) (envelope-from brunomiguel@dequim.ist.utl.pt) Received: from [66.30.10.101] (c-66-30-10-101.hsd1.ma.comcast.net [66.30.10.101]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gecea.ist.utl.pt (Postfix) with ESMTP id AFA2D40C7; Sat, 22 Oct 2005 08:42:32 +0100 (WEST) Message-ID: <4359ED5B.7010303@dequim.ist.utl.pt> Date: Sat, 22 Oct 2005 03:42:19 -0400 From: Bruno Afonso User-Agent: Thunderbird 1.4 (Windows/20050908) MIME-Version: 1.0 To: Josh Finlay References: <000b01c5d644$54527f20$0132a8c0@delta> In-Reply-To: <000b01c5d644$54527f20$0132a8c0@delta> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: FreeBSD + MPD + PF + ALTQ X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list 
Hi Josh,

Let's hope I can help you somehow :> This is my experience based on a wifi pppoe server for several clients... the thing has been evolving and we're now even using freeradius and sql on a 6.0-RC box to take advantage of PF 3.7's niceties... I'm writing this from my head so the syntax may be wrong in some parts. :)

Josh Finlay wrote:
> Hi,
>
> I'm using FreeBSD 5.3-RELEASE, and PF as my firewall
>
> I realise that this e-mail is not *entirely* PF related, but I thought
> this might be the best place to get my questions answered.
>
> Now I have zero experience with ALTQ
> but I have read that this is the solution to my problems.
>
> I have an ADSL connection, 512kbps up 128kbps down.
> 3 machines in total on the network.
>
> a freebsd router,
> 2 windows machines.
>
> I want to allow a sort of "sharing" of the bandwidth.
> Most out-of-the-box routers already do this, but I can't afford to fork
> out for one of those, nor would I like to part with my FreeBSD box.
>
> I was wondering if anyone would be able to provide me with some PF/ALTQ
> rules that would evenly distribute my bandwidth over the 3 computers?

Depends on how it's set up... where does mpd get into action here?

>
> I want it done in a way where:
>
> - if 1 pc is using the link, it can use all available bandwidth
> - if 2 pcs are using the link, it gets split 50/50
> - if 3 pcs are using the link, it gets spread evenly over them, etc, etc

This is fairly easy for the upload bw, honestly, the one that you should normally be concerned with. :-)

1) easier way:

You simply have to set up altq on the "adsl" interface that pushes the data on the internet. A simple cbq is ok since it does fair-weight-queueing (wfq) to the best of my knowledge (this was said to me by an obsd pf developer).

So, you basically set up rules that put the upload bw from those 3 pcs into the same queue. Basically, you simply need to have a rule that gets everything each client sends over to the internet into the queue.

*Remember*: You can create for example a pass rule on an interface and assign those packets to a queue on another one. So, ex:

  tun1 - client 1
  tun2 - client 2
  fxp0 (assuming rj45 adsl modem?) - internet interface, where you have a queue named "client_upload"

  altq on fxp0 cbq bandwidth 128Kb queue { client_upload }
  queue client_upload cbq(default)
  # (tun1:peer) is the client's address at the far end of tun1
  pass in on tun1 from (tun1:peer) to any queue client_upload

This is the magical part. What is getting IN on tun1 is the user's upload, what will eventually get out on fxp0 when it goes to the internet. You might want to elaborate and add more rules... :)

One great way to check what's in and out on whatever interface is to use the utility ifstat, or use systat and check ifstat.

Since the user's upload on tun1 is what gets IN, you can't QoS there since altq only QoSs on the outgoing side of interfaces. So, the only thing you can do on tun1 is to control their DOWNLOAD speed. More about this to come...

2) less trivial one but more powerful:

You need to set up a parent queue that has the entire upload bw you want to share and then 3 sibling ones. For this to really work you would need to use hfsc and take into account linkshares, realtime... overkill for your setup imho. :-)

> This would preferable be for downstream AND upstream, to ensure that no
> single computer is more lagged out than the other one.. I assume this is
> possible, just a bit outside my knowledge base.

The download part is the problematic one IF they're not all connected to the same network interface. Why? Because altq only works PER interface and tun0, tun1, tun2, etc. are each and every one an interface on its own. You basically have to

  altq on tun0
  altq on tun1, etc..

What we would need in this case would be a meta-interface that altq would work on, but that is not available. Bottom line: you can't control with PF global bw over an interface-span. This is probably necessary for a full commercial deployment. Don't know of any plans to implement this...

  meta_if {tun0, tun1}
  altq on meta_1 ...

would be nice. :-)

> Any hands up to write me a quick few PF rules for this?
>
> My Local IP addresses are as follows:
> 192.168.0.101 - router
> 192.168.0.6 - windows
> 192.168.0.1 - windows
>
> (don't ask about my IP configuration, long story :P)
>
> my network interface (has 192.168.0.101 assigned) is de0
> my internet interface (has my internet ip assigned) is ng0 (using MPD)

So, all of your clients are LAN users?

  clients = "{ ... }"
  altq on ng0 cbq bandwidth 128Kb queue { upload_bw }
  queue upload_bw cbq(default)
  # rule on the LAN side, queue on the upload side
  pass in on de0 from $clients to ! 192.168.0.0/24 queue upload_bw

> I tried a few examples I found, no luck, found another thing I will need
> to fix first:
>
> pfctl: ng0: driver does not support altq

Isn't this solved in 5.4 or 6.0? Please really check that before pursuing other avenues.

>
> I searched for a patch for the ng_iface driver, but no luck.
>
> So, now i've decided to take another approach.
>
> I've installed a second NIC in my fbsd box
>
> so now I've got de0, and vr0
>
> I want de0 for lan traffic
> it will have an assigned ip 192.168.0.101
> and all other machines will use that as their gateway
>
> now I want mpd to use vr0, since the vr driver supports altq.
>
> How do I go about this?
> and do I need to do any routing between de0 and vr0 so that client
> machines using 192.168.0.101 (de0) as their gateway will be able to
> access the outside world?
>
> And also after all that, some nice altq rules as I detailed above in
> this mail.
>
> I hope to hear some solutions soon, this problem has been bugging me for
> some time now.

I'm giving you some tips, I won't do your job.
:-)

BA

-- 
Bruno Afonso, Biological Engineer
Dana-Farber Cancer Institute
1 Jimmy Fund Way
Smith Building
Boston, MA 02115
phone: (617)-632-5105
GABBA Graduate Student (http://gabba.up.pt)
Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 22 14:17:42 2005
From: Bill Marquette
Date: Sat, 22 Oct 2005 08:51:21 -0500
Message-ID: <55e8a96c0510220651t47fa063ayefd1dcffd63950a6@mail.gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <4359ED5B.7010303@dequim.ist.utl.pt>
Subject: Re: FreeBSD + MPD + PF + ALTQ

On 10/22/05, Bruno Afonso wrote:
> The download part is the problematic one IF they're not all connected to
> the same network interface. Why ? Because altq only works PER interface
> and tun0, tun1, tun2, etc are each and single one, one interface on its own.
>
> You basically have to
>
> altq on tun0
>
> altq on tun1, etc..
>
> What we would need in this case would be a meta-interface that altq
> would work on, but that is not available. Bottom line: you can't control
> with PF global bw over an interface-span. This is probably necessary for
> a full commercial deployment. Don't know of any plans to implement this...
>
> meta_if {tun0, tun1}
>
> altq on meta_1 ...
>
> would be nice. :-)

You mean something like:

  altq on { fxp0 fxp1 } bandwidth 100Mb hfsc queue { a b }
  queue a bandwidth 50Mb hfsc(default)
  queue b bandwidth 50Mb hfsc

This works today :)

--Bill

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 22 15:52:26 2005
From: Bruno Afonso
Date: Sat, 22 Oct 2005 11:52:05 -0400
Message-ID: <435A6025.5060602@dequim.ist.utl.pt>
To: Bill Marquette
Cc: freebsd-pf@freebsd.org
In-Reply-To: <55e8a96c0510220651t47fa063ayefd1dcffd63950a6@mail.gmail.com>
Subject: Re: FreeBSD + MPD + PF + ALTQ

Bill Marquette wrote:
> On 10/22/05, Bruno Afonso wrote:
>> The download part is the problematic one IF they're not all connected to
>> the same network interface. Why ? Because altq only works PER interface
>> and tun0, tun1, tun2, etc are each and single one, one interface on its own.
>>
>> You basically have to
>>
>> altq on tun0
>>
>> altq on tun1, etc..
>>
>> What we would need in this case would be a meta-interface that altq
>> would work on, but that is not available. Bottom line: you can't control
>> with PF global bw over an interface-span. This is probably necessary for
>> a full commercial deployment. Don't know of any plans to implement this...
>>
>> meta_if {tun0, tun1}
>>
>> altq on meta_1 ...
>>
>> would be nice. :-)
>
> You mean something like:
> altq on { fxp0 fxp1 } bandwidth 100Mb hfsc queue { a b }
> queue a bandwidth 50Mb hfsc(default)
> queue b bandwidth 50Mb hfsc
> This works today :)

Yes, I have now tried and verified that it works, but not as we would like to in the sense of a meta interface, eg:

  altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue { a b }
  queue a bandwidth 700Kb cbq(default)
  queue b bandwidth 300Kb

which turns itself into... (from pfctl -sq)

  queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
    queue a bandwidth 700Kb cbq( default )
    queue b bandwidth 300Kb
  queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
    queue a bandwidth 700Kb cbq( default )
    queue b bandwidth 300Kb
  queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
    queue a bandwidth 700Kb cbq( default )
    queue b bandwidth 300Kb

What would I want with this? To create a queue that is shared by every interface, so limiting globally every interface to a maximum of 1Mb each and all of them to 1Mb each too, in a cbq borrowing shared way. For example, I'd like a to never exceed 700Kb taking into account every interface. This makes perfect sense if I have a limited amount of bw to share among each client, which, in a real world, happens 99,9% of the time because resources are limited.

So, the syntax works, but it does achieve what I mentioned before, the meta interface concept. The example you give is only useful for simplifying rulesets, although it's more difficult for humans to understand.
BA

-- 
Bruno Afonso, Biological Engineer
Dana-Farber Cancer Institute
1 Jimmy Fund Way
Smith Building
Boston, MA 02115
phone: (617)-632-5105
GABBA Graduate Student (http://gabba.up.pt)
Homepage @ http://brunoafonso.net/

From owner-freebsd-pf@FreeBSD.ORG Sat Oct 22 23:59:30 2005
From: Bill Marquette
Date: Sat, 22 Oct 2005 18:59:29 -0500
Message-ID: <55e8a96c0510221659g7ac457b1gc696f392a249fee3@mail.gmail.com>
To: Bruno Afonso
Cc: freebsd-pf@freebsd.org
In-Reply-To: <435A6025.5060602@dequim.ist.utl.pt>
Subject: Re: FreeBSD + MPD + PF + ALTQ

On 10/22/05, Bruno Afonso wrote:
> Bill Marquette wrote:
> > On 10/22/05, Bruno Afonso wrote:
> >> The download part is the problematic one IF they're not all connected to
> >> the same network interface. Why ? Because altq only works PER interface
> >> and tun0, tun1, tun2, etc are each and single one, one interface on its own.
> >>
> >> You basically have to
> >>
> >> altq on tun0
> >>
> >> altq on tun1, etc..
> >>
> >> What we would need in this case would be a meta-interface that altq
> >> would work on, but that is not available. Bottom line: you can't control
> >> with PF global bw over an interface-span. This is probably necessary for
> >> a full commercial deployment. Don't know of any plans to implement this...
> >>
> >> meta_if {tun0, tun1}
> >>
> >> altq on meta_1 ...
> >>
> >> would be nice. :-)
> >
> > You mean something like:
> > altq on { fxp0 fxp1 } bandwidth 100Mb hfsc queue { a b }
> > queue a bandwidth 50Mb hfsc(default)
> > queue b bandwidth 50Mb hfsc
> > This works today :)
>
> Yes, I have now tried and verified that it works, but not as we would
> like to in the sense of a meta interface, eg:
>
> altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue { a b }
> queue a bandwidth 700Kb cbq(default)
> queue b bandwidth 300Kb
>
>
> which turns itself into... (from pfctl -sq)
>
>
> queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
> queue a bandwidth 700Kb cbq( default )
> queue b bandwidth 300Kb
> queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
> queue a bandwidth 700Kb cbq( default )
> queue b bandwidth 300Kb
> queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
> queue a bandwidth 700Kb cbq( default )
> queue b bandwidth 300Kb
>
>
> What would I want with this? To create a queue that is shared by every
> interface, so limiting globally every interface to a maximum of 1Mb each
> and all of them to 1Mb each too, in a cbq borrowing shared way. For
> example, I'd like a to never exceed 700Kb taking into account every
> interface. This makes perfect sense if I have a limited amount of bw to
> share among each client, which, in a real world, happens 99,9% of the
> time because resources are limited.
>
> So, the syntax works, but it does achieve what I mentioned before, the
> meta interface concept. The example you give is only useful for
> simplifying rulesets, although it's more difficult for humans to understand.

From what I understand, that binds queue 'a' to every interface. The queue definition still limits the queue itself to 700Kb, but allows you to assign traffic to that queue on each interface that queue is bound to. I can't find the email that I read that suggests it now (machine having recently been wiped and google not being terribly forthcoming with the answer). Have you verified this not working with real traffic, or just the pfctl -sq output? At this time I don't have a multi-interface box at my disposal, so I can't easily test this.

--Bill
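Added example, not code from the thread or from pf: a small Python script that parses the pfctl -sq listing Bruno quoted and makes explicit what Bruno's objection and Bill's question turn on, namely that the expansion yields one independent root scheduler per interface, so the per-interface budget holds but a queue name's aggregate ceiling is the sum over interfaces. The sample listing is constructed from the one in the thread, and the decimal bandwidth multipliers are assumed from pf.conf(5).

```python
import re
from collections import defaultdict

# Constructed sample input: the `pfctl -sq` output quoted in the thread for
#   altq on { tun0 tun1 tun2 } cbq bandwidth 1Mb queue { a b }
#   queue a bandwidth 700Kb cbq(default)
#   queue b bandwidth 300Kb
# (child queues are indented the way pfctl prints them; the parser does not
# depend on the indentation).
PFCTL_SQ_OUTPUT = """\
queue root_tun0 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
  queue a bandwidth 700Kb cbq( default )
  queue b bandwidth 300Kb
queue root_tun1 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
  queue a bandwidth 700Kb cbq( default )
  queue b bandwidth 300Kb
queue root_tun2 bandwidth 1Mb priority 0 cbq( wrr root ) {a, b}
  queue a bandwidth 700Kb cbq( default )
  queue b bandwidth 300Kb
"""

# Assumption: pf.conf(5) bandwidth suffixes are decimal (1Kb = 1000 bit/s).
UNIT = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}
QUEUE_RE = re.compile(r"^\s*queue\s+(\S+)\s+bandwidth\s+(\d+)(b|Kb|Mb|Gb)\b")


def parse_pfctl_sq(text):
    """Split `pfctl -sq` output into one scheduler per interface.

    Returns (roots, children): roots maps each root_<ifname> queue to its
    bandwidth in bit/s; children maps the same root to {child: bit/s}.
    A 'root_' line opens a new interface; the queue lines after it are its
    children until the next root line.
    """
    roots, children, current = {}, {}, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if not m:
            continue
        name, num, unit = m.groups()
        bps = int(num) * UNIT[unit]
        if name.startswith("root_"):
            current = name
            roots[name] = bps
            children[name] = {}
        elif current is not None:
            children[current][name] = bps
    return roots, children


def per_interface_ok(roots, children):
    """True per interface when its children fit inside the root bandwidth
    (the budget cbq enforces: one interface, one scheduler)."""
    return {r: sum(children[r].values()) <= roots[r] for r in roots}


def aggregate_ceiling(children):
    """Worst-case rate per queue *name* summed over every interface.

    Each root_<if> is an independent scheduler, so queue 'a' on tun0, tun1
    and tun2 may all run at their full 700Kb at the same time.  The sum is
    the real upper bound on what 'a' can carry, not the single 700Kb that
    appears in pf.conf: a shared (meta-interface) limit is not what the
    expanded ruleset enforces.
    """
    total = defaultdict(int)
    for kids in children.values():
        for name, bps in kids.items():
            total[name] += bps
    return dict(total)


if __name__ == "__main__":
    roots, children = parse_pfctl_sq(PFCTL_SQ_OUTPUT)
    for root, ok in per_interface_ok(roots, children).items():
        print(f"{root}: {roots[root]} bit/s, children fit: {ok}")
    for name, bps in sorted(aggregate_ceiling(children).items()):
        print(f"queue {name}: up to {bps} bit/s across all interfaces")
```

Feeding it the real output of `pfctl -sq` on a box with several ppp/tun interfaces gives the same two figures for the live ruleset.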