From: "Costin Alupului"
Date: Wed, 5 Dec 2007 19:34:30 +0200
Subject: PF, ALTQ queues and keeping state
Delivered-To: freebsd-questions@freebsd.org

Hello all,

I have a problem and I can't seem to find a solution to it by just googling; so maybe you can help me.

I am trying to set up a traffic shaper using pf and altq with hfsc queues. Actually I did set that up about a year ago and it worked perfectly. But lately the number of clients increased dramatically and I had to switch to stateful inspection because otherwise there would be just too many rules to check for every packet that passed the ruleset.

Problem is: when I add "keep state" to the rules that assign traffic to the queues, traffic goes in the default queue instead. Here is an example of queue assignment that I tried to use (em2 is facing the clients, vlan0 is facing the Internet):

    pass out quick on vlan0 from $client1 to any keep state queue ul_client1
    pass out quick on em2 from any to $client1 keep state queue dl_client1
    pass in quick on vlan0 from any to $client1 keep state
    pass in quick on em2 from $client1 to any keep state

Well, you can imagine that this is just a test set-up; actually the idea would be to have just one rule for passing traffic inbound on each interface.

I have read in some article that I should assign traffic when passing in on an interface if I am to use stateful inspection and I would like to mention that I have tried that already. I have tried even to assign traffic to upload and download queues on the same interface (i.e.: in on em2 = upload, out on em2 = download).
Finally I tried something desperate like:

    pass out quick on vlan0 from $client1 to any keep state queue ul_client1
    pass out quick on em2 from any to $client1 keep state queue dl_client1
    pass in quick on vlan0 from any to $client1 keep state queue dl_client1
    pass in quick on em2 from $client1 to any keep state queue ul_client1

Thing is, of course, that didn't work either.

I always heard that one should assign traffic to queues on the outbound rules, but I found a link somewhere on the OpenBSD FAQ that stated that in fact I can assign traffic wherever I like, given that I declare ALTQ on the right interface. But nowhere did they say that I can't use keep state when assigning traffic to the queues.

All is OK if I just lose the "keep state" from the rules, so that is the reason why I didn't include the altq and queue declarations (those are really OK).

Does anyone know what the workaround for this is? Because really without stateful inspection my machine is simply beaten; there are about 2000 queues and the traffic throughput is around 10kpps. If anyone has a better idea I would be extremely grateful.

Thank you very much,
Costin Alupului