Date:      Thu, 04 Oct 2007 21:39:53 +0100
From:      Tom Judge <tom@tomjudge.com>
To:        Umar <unix.co@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: altq within anchor
Message-ID:  <47054F99.5090001@tomjudge.com>
In-Reply-To: <13046989.post@talk.nabble.com>
References:  <13046989.post@talk.nabble.com>

Umar wrote:
> Dear members!
> 
> I want to include an altq anchor within my pf.conf, but I got an error.
> 
> Here is the altq rule file /home/anchor-altq:
> 
>  altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
>  queue default bandwidth 90Mb cbq (default)
>  queue ip bandwidth 90Kb
>  queue ip5 bandwidth 90Kb
>  queue ip6 bandwidth 90Kb
>  queue ip7 bandwidth 90Kb
>  anchor altqrules
> 
> Here is my /etc/pf.conf file:
> 
> <-------snip-------->
> 
> int_if = "fxp0"
> ext_if = "rl0"
> lan_net = "192.168.1.0/24"
> 
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> 
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
> 
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
> 
> # Bandwidth Shaping
> anchor altqrules
> load anchor altqrules from "/home/anchor-altq"
> 
> # Translation: specify how addresses are to be mapped or redirected.
> nat on $ext_if from { $lan_net } to any -> ($ext_if)
> 
> pass in quick on lo0 all
> pass in quick on $int_if from $lan_net to any keep state
> pass out on $int_if from any to any keep state
> pass out on $ext_if from any to any keep state
> 
> #  default deny
> block in log on $ext_if
> 
> <-------snip-------->
> 
> But when I reload my pf, I got this error:
> 
> Reloading pf rules.
> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing,
> translation, filtering
> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing,
> translation, filtering
> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing,
> translation, filtering
> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing,
> translation, filtering
> 
> 
> Please help, what should I do?
> 
> Regards,
> 
> Umar Draz
Hi,

As the above messages state, the rules must be present in the rules file 
in a fixed order:

1) Options

2) Normalization

3) Queueing (aka ALTQ)

4) Translation (aka NAT)

5) Filtering

Quote from pf.conf(5):
<quote>
With the exception of macros and tables, the types of statements should 
be grouped and appear in pf.conf in the order shown above, as this 
matches the operation of the underlying packet filtering engine. By 
default pfctl(8) enforces this order (see set require-order below).
</quote>

And again from pf.conf(5):
<quote>
set require-order
     By default pfctl(8) enforces an ordering of the statement types in 
the ruleset to: options, normalization, queueing, translation, 
filtering.  Setting this option to no disables this enforcement. There 
may be non-trivial and non-obvious implications to an out of order 
ruleset.  Consider carefully before disabling the order enforcement.
</quote>


Tom
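As an added example (not part of Tom's reply or the original post), here is the poster's ruleset arranged in the five-section order above. It assumes the queue definitions belong in the main file's queueing section and that the anchor statement, which pf.conf(5) lists among the filter statements, belongs in the filtering section; the queue name ip4 and the per-host rule in the comment are constructed.

```pf
# Added example, not from the thread: the poster's ruleset rearranged into
# the order pfctl enforces under the default "set require-order yes".

int_if  = "fxp0"
ext_if  = "rl0"
lan_net = "192.168.1.0/24"

# 1) Options
set limit { states 10000, frags 5000 }
set block-policy drop
set require-order yes

# 2) Normalization
scrub in all

# 3) Queueing (ALTQ): queue definitions go here, in the main file,
#    ahead of every nat and filter rule (queue "ip4" is assumed; the
#    original file declared ip4 but defined "ip").
altq on $int_if bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
queue default bandwidth 90Mb cbq(default)
queue ip4 bandwidth 90Kb
queue ip5 bandwidth 90Kb
queue ip6 bandwidth 90Kb
queue ip7 bandwidth 90Kb

# 4) Translation (NAT)
nat on $ext_if from $lan_net to any -> ($ext_if)

# 5) Filtering
pass in quick on lo0 all
pass in quick on $int_if from $lan_net to any keep state
pass out on $int_if from any to any keep state
pass out on $ext_if from any to any keep state
block in log on $ext_if

# "anchor" is a filter statement, so it lives in this section. Placed after
# the generic pass rules, a more specific rule inside the anchor wins under
# pf's last-match evaluation. The anchor file then holds only filter rules
# that assign traffic to the queues defined above, e.g. (constructed host,
# literal interface because macros are not visible inside the loaded file):
#   pass out on fxp0 from any to 192.168.1.5 keep state queue ip5
anchor altqrules
load anchor altqrules from "/home/anchor-altq"
```

Run `pfctl -nf /etc/pf.conf` to parse the file and surface ordering errors without loading the ruleset.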


