From owner-freebsd-pf@FreeBSD.ORG Fri May 21 06:36:47 2010
From: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
To: 'shoks'
Cc: "freebsd-pf@freebsd.org"
Date: Fri, 21 May 2010 08:36:42 +0200
Subject: AW: Ingress traffic shaping
Message-ID: <20290C577F743240B5256C89EFA753810C3CC9FE53@HIKAWSEX01.ad.harman.com>
References: <20290C577F743240B5256C89EFA753810C3CC9FE50@HIKAWSEX01.ad.harman.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

>> If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
>> Are there any tricks to do it?
> Not really tricky, a diligent read of the PF and ALTQ doc should help you figure out the right configs. Would you mind posting your PF configs, the one without the loopback redirection?

Thank you for your answer, but it's clear to me how to configure the first described case, when the incoming traffic is forwarded further to the LAN and shaped as outcoming traffic at the router. My questions are more general. First I would like to know whether it is at all possible and then how it can be done (not necessarily in terms of configuration).

At the moment I see that if traffic is forwarded further to the LAN, it might work somehow, as discussed in the previous message from Raymond.

However, I also see that if the incoming traffic is not forwarded further, it is not possible to slow it down somehow, and this is now my big problem: I can't do anything with pf/altq to slow down the download traffic. That is why I'm asking whether there are any tricks to do it. I'm wondering if my example with loopback redirection can theoretically work... then I would think about the proper configuration. What I feel now is that forwarding of packets between different interfaces within one host doesn't use queues as expected; probably the packets are somehow internally forwarded between interfaces and not properly sent via queues as they would be if sent outside. I use "route-to" for sending packets from ext_if to lo0 and "rdr" for sending them back from lo0 to ext_if, and I see that the queues at the lo0 interface (where I could shape the traffic) are always empty... Having written this I've realised that I have to give my pf.conf.
Sorry, this is exactly what you haven't asked for, but maybe you can help :)

# ----------------------------------------------------
# pf.conf: redirection of ingress traffic from $ext_if to loopback interface $lo and then back to $ext_if
# this is to be able to shape ingress traffic with altq when sending it from $lo
# in terms of data connection this works fine

### Macros (not in the posted snippet; $lo is lo0 as stated above, ext_if0 is a placeholder)
lo = "lo0"
ext_if0 = "em0"   # placeholder: replace with the external interface

### Queue configuration
altq on $lo priq bandwidth 50Kb queue { q1, q2 }
queue q1 priority 14 priq
queue q2 priority 0 priq(default)

### Rdr rule
rdr on $lo -> $ext_if0

### Filtering
block in log
block out log
pass in log on $lo
pass out log quick on $lo queue q2
pass in log on $ext_if0 route-to $lo
pass out log on $ext_if0
# ----------------------------------------------------

Problem: q2 queue is always empty (actually it always contains only 1 incoming ACK packet when the TCP download session is over, but no incoming data packets).

Thanks for any help!

Aleksej.

________________________________
From: shoks [mailto:lowbotskie@gmail.com]
Sent: Friday, 21 May 2010 04:46
To: Spenst, Aleksej
Cc: freebsd-pf@freebsd.org
Subject: Re: Ingress traffic shaping

On Thu, May 20, 2010 at 4:18 PM, Spenst, Aleksej wrote:

> Hi All,
>
> If I understand it correctly, ingress traffic shaping is not possible with pf/altq. Are there any tricks to do it?

Not really tricky, a diligent read of the PF and ALTQ doc should help you figure out the right configs. Would you mind posting your PF configs, the one without the loopback redirection?

> I suppose that if incoming traffic is sent out by the router further to the LAN, the incoming traffic can be considered as outcoming traffic and therefore can be easily shaped.
>
> ---- incoming traffic ---> ROUTER ---- shaped outcoming traffic ---->
>
> So, in this case one can say that ingress traffic can be shaped. In this manner it should be possible to limit TCP download traffic.
>
> What if traffic is not forwarded further?
> ---- incoming traffic ---> END HOST
>
> Is it possible to do anything to slow down for example TCP download traffic? Drop incoming packets? Drop or slow down outgoing ACKs?
>
> I've tried to put outgoing ACKs in the queue with the lowest priority, but that doesn't help when there is not much other outbound traffic.
>
> I also was trying to figure out whether it is possible to forward the incoming traffic to the loopback interface and then back to ext_if, so that incoming traffic can be considered as outcoming at the loopback interface.
>
> ---- incoming traffic ---> ----> ---- shaped outcoming traffic ---->
>
> but I couldn't configure pf.conf such that this would be possible... Is this theoretically possible?
>
> Thanks a lot for any tips!
>
> Aleksej.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
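An added example, not part of this thread and not Aleksej's configuration, written out to show the forwarding case the thread agrees can be shaped: the router queues download traffic at the point where it is actually sent, the LAN-facing interface. The interface names, the LAN prefix and the bandwidth figures are assumptions.

```pf
# Added example (not from the thread): shape downloads for a LAN behind a
# FreeBSD pf/ALTQ router by queueing them as they leave the LAN-facing
# interface. Interface names, LAN prefix and bandwidths are assumptions.
ext_if = "em0"              # assumption: interface towards the Internet
int_if = "em1"              # assumption: interface towards the LAN
lan    = "192.168.1.0/24"   # assumption: LAN prefix (NATed below)

# ALTQ is defined on $int_if because that is the interface the download
# packets are sent out of. cbq caps the total at 2Mb; the ACK/lowdelay
# queue keeps a small reserve and both children may borrow unused
# bandwidth from the parent.
altq on $int_if cbq bandwidth 2Mb queue { dl_ack, dl_bulk }
queue dl_ack  bandwidth 10% priority 7 cbq(borrow)
queue dl_bulk bandwidth 90% priority 1 cbq(default borrow)

set skip on lo0
scrub in all

nat on $ext_if from $lan to any -> ($ext_if)

block log all

# The router's own traffic.
pass out on $ext_if keep state
pass out on $int_if keep state

# LAN-initiated connections create their state on this rule. pf stores the
# queue assignment with the state, so the reply packets (the download) are
# placed in dl_bulk, or in dl_ack when they are empty ACKs or carry the
# lowdelay TOS, as they leave $int_if. The uploads leaving $ext_if carry
# the same assignment, but $ext_if has no ALTQ, so they are not queued.
pass in on $int_if from $lan to any keep state queue (dl_bulk, dl_ack)
```

Load it with `pfctl -f /etc/pf.conf` on a kernel built with ALTQ, then check whether packets are really reaching the queues with `pfctl -vsq`, which prints per-queue packet and byte counters. A counter that stays at zero on the queue expected to carry the downloads, the q2 symptom reported above, means the packets are not being assigned to that queue on the interface where ALTQ is defined, which is the first thing to verify before changing bandwidth or priority values.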