To: freebsd-pf@freebsd.org
From: Mike Tancsa
Subject: simple altq on RELENG_10 issue
Organization: Sentex Communications
Message-ID: <55F992F9.4010701@sentex.net>
Date: Wed, 16 Sep 2015 12:04:09 -0400

I am trying to get some simple altq rules working to limit a box from maxing out its allocated bandwidth. It's RELENG_10 (r287826), AMD64. if_re is the interface.

altq on $ext_if hfsc bandwidth 1Mb queue { http, other }

block in log all
pass in log from to any keep state
pass in log inet6 from to any keep state
pass in log inet6 proto icmp6 from any to any keep state
pass in log inet proto icmp from any to any keep state
pass in log on $ext_if inet proto tcp from any to any port 22 keep state
pass out log on $ext_if proto tcp from any to any port {80,443} queue http
pass out log on $ext_if inet6 proto tcp from any to any port {80,443} queue http
pass out log on $ext_if from any to any keep state queue other
pass out log on $ext_if proto tcp from any to any port {80,443} queue http
pass out log on $int_if from any to any keep state
pass out log on $ext_if inet6 from any to any keep state queue other
pass in log on $ext_if inet6 proto tcp from any to any port {443,22} keep state

The interface is 10Mb ethernet. I set the rule to 1Mb just to see if it was an issue of altq not being very accurate. But no matter what, doing a

fetch -4 -o /dev/null http://somebigfile

has the speed at about 10Mb...

It's in the kernel:

% sysctl -A | grep -i altq
options ALTQ_NOPCC
options ALTQ_PRIQ
options ALTQ_CDNR
options ALTQ_HFSC
options ALTQ_RIO
options ALTQ_RED
options ALTQ_CBQ
options ALTQ

When I start the fetch, looking at the state table:

pfctl -ss -v -v

all tcp xx.yy.zz.9:14313 -> aa.bb.cc.33:80 ESTABLISHED:ESTABLISHED
   [2866979674 + 66560] wscale 6 [2041348410 + 196224] wscale 6
   age 00:00:07, expires in 24:00:00, 2896:5787 pkts, 150721:8613084 bytes, rule 9
   id: 0700000055f98086 creatorid: 8451a24d

and it's the rule:

@9 pass out log on re0 proto tcp from any to any port = http flags S/SA keep state queue http
  [ Evaluations: 3 Packets: 13038 Bytes: 13118285 States: 1 ]
  [ Inserted: uid 0 pid 1836 State Creations: 1 ]

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/