From: "Spenst, Aleksej"
To: "'freebsd-pf@freebsd.org'"
Date: Thu, 20 May 2010 10:18:47 +0200
Subject: Ingress traffic shaping

Hi All,

If I understand it correctly, ingress traffic shaping is not possible with pf/altq. Are there any tricks to do it?

I suppose that if incoming traffic is sent out by the router further to the LAN, the incoming traffic can be considered as outcoming traffic and therefore can be easily shaped.
---- incoming traffic ---> ROUTER ---- shaped outcoming traffic ---->

So, in this case one can say that ingress traffic can be shaped. In this manner it should be possible to limit TCP download traffic.

What if traffic is not forwarded further?

---- incoming traffic ---> END HOST

Is it possible to do anything to slow down for example TCP download traffic? Drop incoming packets? Drop or slow down outgoing ACKs?

I've tried to put outgoing ACKs in the queue with the lowest priority, but that doesn't help when there is not much other outbound traffic.

I also was trying to figure out whether it is possible to forward the incoming traffic to the loopback interface and then back to ext_if, so that incoming traffic can be considered as outcoming at the loopback interface.

---- incoming traffic ---> ----> ---- shaped outcoming traffic ---->

but I couldn't configure pf.conf such that this would be possible... Is this theoretically possible?

Thanks a lot for any tips!
Aleksej.