Date: Sat, 6 Jun 2009 19:11:35 +0100
From: István <leccine@gmail.com>
To: vila@tesla.cujae.edu.cu
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
Message-ID: <b8592ed80906061111h4157a78cl365d160437b88426@mail.gmail.com>
In-Reply-To: <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>
References: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
    <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
    <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu>
    <b8592ed80906061020n1d7f582fh42a0c94dcda2cfe1@mail.gmail.com>
    <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>

I guess you might want to tag those dscp enabled packets -because pf has no
support for that at the moment, at least I cannot see- and put them into the
queue based on the tag.

http://www.openbsd.org/faq/pf/queueing.html#assign

Regards,
Istvan

On Sat, Jun 6, 2009 at 6:52 PM, <vila@tesla.cujae.edu.cu> wrote:

> István <leccine@gmail.com> wrote:
>
> Hi!
>>
>> In general it is a very bad idea to use the same way what you have been
>> using before when you are moving to a new platform. You wouldn't use bash to
>> manage win2k8 servers, just to give you an example what I am talking about.
>>
>> The question is:
>>
>> What do you want to do with pf. Forget about netfilter/conntrack and so on.
>> What do you want to achieve?
>>
>> This is the only question.
>>
>> Regards,
>> Istvan
>>
>
> I believe you are right istvan!
>
> this is the thing:
>
> I want to make some traffic shaping on both interfaces of a freebsd box.
> As u all probably know the real congestion occurs generally on the downlink
> interface because of the asymmetric nature of some protocols (eg. http)
>
> on the internal network i have some applications that put dscp tags on
> packets according to different classes of service. the uplink shaping can
> be done simply by matching the corresponding dscp field of each connection
> and sending to different queues. (by the way the doc i've read only presents
> TOS matching and nothing about dscp)..
> anyway, the problem arises when the incoming traffic (from the internet)
> has no dscp tags and i need to enqueue them accordingly to make the downlink
> traffic shaping.
>
> regards,
> evelio vila
>
>>
>> On Sat, Jun 6, 2009 at 6:15 PM, <vila@tesla.cujae.edu.cu> wrote:
>>
>> Ermal Luçi <eri@freebsd.org> wrote:
>>>
>>> On Sat, Jun 6, 2009 at 6:49 PM, <vila@tesla.cujae.edu.cu> wrote:
>>>
>>>> Vlad Galu <dudu@dudu.ro> wrote:
>>>>>
>>>>> On Sat, Jun 6, 2009 at 5:57 AM, <vila@tesla.cujae.edu.cu> wrote:
>>>>>
>>>>>>> Hi folks!
>>>>>>>
>>>>>>> I'm trying to figure out if there is a way to make connection marking in a
>>>>>>> similar way as the iptables's CONNMARK target does?
>>>>>>>
>>>>>>> Does pf support this feature?
>>>>>>>
>>>>>>> My intentions are to tag an outgoing packet, transfer the tag to the whole
>>>>>>> connection and then use that tag to mark incoming packets belonging to the
>>>>>>> same connection.
>>>>>>>
>>>>>>> Also, i would like then to use that mark to enqueue marked packets to hfsc
>>>>>>> classes.
>>>>>>>
>>>>>>> I've done all of this in linux but never on freebsd, I've searched in pf's
>>>>>>> man page and the FAQ without success.
>>>>>>>
>>>>>>> thanks in advance,
>>>>>>>
>>>>>>> evelio vila
>>>>>>>
>>>>>> Hi evelio, see below:
>>>>>> -- cut here --
>>>>>> tag <string>
>>>>>>       Packets matching this rule will be tagged with the specified
>>>>>>       string. The tag acts as an internal marker that can be used to
>>>>>>       identify these packets later on. This can be used, for example, to
>>>>>>       provide trust between interfaces and to determine if packets have
>>>>>>       been processed by translation rules. Tags are "sticky", meaning
>>>>>>       that the packet will be tagged even if the rule is not the last
>>>>>>       matching rule. Further matching rules can replace the tag with a
>>>>>>       new one but will not remove a previously applied tag. A packet is
>>>>>>       only ever assigned one tag at a time. Packet tagging can be done
>>>>>>       during nat, rdr, or binat rules in addition to filter rules. Tags
>>>>>>       take the same macros as labels (see above).
>>>>>>
>>>>>> tagged <string>
>>>>>>       Used with filter or translation rules to specify that packets must
>>>>>>       already be tagged with the given tag in order to match the rule.
>>>>>>       Inverse tag matching can also be done by specifying the ! operator
>>>>>>       before the tagged keyword.
>>>>>> -- and here --
>>>>>>
>>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>>> connections should be enough all by itself. You would simply add the
>>>>>>
>>>>> Indeed no, what i want is also to mark the connection to be able then
>>>>> to mark incoming packets belonging to the same connection.
>>>>>
>>>>> "queue <queue>" directive at the end of your pass out rule, even
>>>>>
>>>>>> though the interface packets go out through is the "external" one, and
>>>>>> you want to do shaping on the "internal" one but, as I understand, for
>>>>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>>>>>
>>>>> i am not sure what you mean with "floating (not if-bound) states"
>>>>> could you please explain this.
>>>>>
>>>>>> like somebody with better pf knowledge to correct me :)
>>>>>>
>>>>> pf(4) is not iptables. So before using it read more about it.
>>>>
>>>> I'm aware of that.
>>>
>>> I think it's pretty obvious that my post is simply trying to figure out how
>>> to achieve with pf something that i used to do with netfilter.
>>>
>>> I've read this before but nothing comes up to me.
>>> http://www.openbsd.org/faq/pf/tagging.html
>>>
>>> thanks anyway ermal
>>> regards,
>>> evelio vila
>>>
>>> http://home.nuug.no/~peter/pf/en/
>>>
>>>> http://www.openbsd.org/faq/pf
>>>>
>>>> thanks for your quick answer vlad.
>>>>
>>>>> evelio vila
>>>>>
>>>>> ----------------------------------------------------------------
>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>
>>>>> VI Conferencia Internacional de Energía Renovable, Ahorro de Energía y
>>>>> Educación Energética
>>>>> June 9 - 12, 2009, Palacio de las Convenciones
>>>>> ...For a sustainable energy culture
>>>>> www.ciercuba.com
>>>>> _______________________________________________
>>>>> freebsd-pf@freebsd.org mailing list
>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>
>>>> --
>>>> Ermal
>>>
>>
>> --
>> the sun shines for all
>

-- 
the sun shines for all

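The approach suggested in this reply (tag the DSCP-marked packets where the mark is still visible, queue on the tag, and let the state carry the queue to the unmarked replies), written out as an added pf.conf example that is not part of the original thread. The interface names, bandwidths, queue names and the VOICE tag are assumptions, and it assumes the internal applications mark their traffic DSCP EF (46), which pf's `tos` keyword sees as TOS byte 0xb8.

```pf
# Added example; interface names, bandwidths, queue names and the VOICE tag
# are assumptions, not values from the thread.
ext_if = "em0"          # uplink to the Internet
int_if = "em1"          # internal network

# Same queue names on both interfaces: a state created with "queue voice"
# selects the voice queue on whichever of the two interfaces the packet
# leaves through. Without "on <interface>" a queue definition applies to
# every altq interface that lists it.
altq on $ext_if hfsc bandwidth 1Mb queue { voice, bulk }
altq on $int_if hfsc bandwidth 8Mb queue { voice, bulk }
queue voice bandwidth 30% hfsc(realtime 20%)
queue bulk  bandwidth 70% hfsc(default)

# pf evaluates every rule and the last match wins, so the general rules
# come first and the DSCP-specific ones after them.
pass in  on $int_if from $int_if:network to any keep state queue bulk
pass out on $ext_if from any to any keep state queue bulk

# DSCP occupies the upper six bits of the TOS byte: EF is 46 << 2 = 0xb8.
# The mark is only present on packets sent by the internal hosts, so
# classify them on entry and remember the class as a tag.
pass in on $int_if from $int_if:network to any tos 0xb8 \
    tag VOICE keep state queue voice

# Uplink: the tag set on $int_if is still attached when the packet is
# filtered again on its way out of $ext_if.
pass out on $ext_if tagged VOICE keep state queue voice

# Downlink: replies from the Internet carry no DSCP mark, but they match
# the states created above rather than the rule set, and each state keeps
# the queue of the rule that created it. Replies to a VOICE connection
# therefore leave $int_if through the voice queue.
```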
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b8592ed80906061111h4157a78cl365d160437b88426>