I'm here again with a slightly different approach.
I've read that there is a PF option, "state-policy", that should be set to "if-bound" if I want to match traffic in different directions. Otherwise the created state would float from one interface to the other and I could not shape upload and download differently.
I made one default queue for each interface, and two specialized 'limited' queues too. I've written some rules, but the problem is that traffic never gets assigned to the limited queues. It is pretty puzzling to me, because I can see there are packets matching these labels.
Here again is my pf.conf:
Code:
### Macros
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"
### Tables
table <network> { 192.168.0.34, 192.168.0.223 }
table <tusite> { 222.111.111.222 }
### Options
set state-policy if-bound
### Normalizations
scrub in all
### Queueing
altq on $int_if hfsc bandwidth 8Mb queue {download, gen_down}
queue gen_down bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue download bandwidth 2Mb hfsc (realtime 1Mb upperlimit 1536Kb)
altq on $ext_if hfsc bandwidth 8Mb queue {upload, gen_up}
queue gen_up bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue upload bandwidth 1Mb hfsc (realtime 512Kb upperlimit 768Kb)
### Translation
nat on $ext_if from <network> to any -> $ext_ip
### Filtering
pass in log (all to pflog0) quick on $int_if from <network> to <tusite> keep state tag to_data label "to_data" queue upload
pass out log (all to pflog1) quick on $ext_if tagged to_data label "from_data" queue download
Here is some output from pftop, showing that all traffic gets assigned to the default queues:
Code:
pfTop: Up Queue 1-6/6, View: queue, Cache: 10000 20:48:19
QUEUE BW SCH PR PKTS BYTES DROP_P DROP_B QLEN BORR SUSP P/S B/S
root_re0 8000K hfsc 0 0 0 0 0 0 0 0
gen_down 4000K hfsc 63051 10784K 38 34460 42 226 248K
download 2000K hfsc 0 0 0 0 0 0 0
root_rl0 8000K hfsc 0 0 0 0 0 0 0 0
gen_up 4000K hfsc 112576 133M 0 0 0 225 171K
upload 1000K hfsc 0 0 0 0 0 0 0
And here is the most annoying thing: looking at traffic per label in PF, I see there are packets matching these rules:
Code:
# pfctl -s label
to_data 205761 9262 8544433 3647 155866 5615 8388567
from_data 205755 9262 8544433 5615 8388567 3647 155866
If so, why is there no traffic in the specialized queues?
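For reference, an added example that is not the poster's configuration and not a reply from the thread. ALTQ queues are attached to one interface and act only on packets leaving that interface; a filter rule that names a queue defined on some other interface drops the packet into the default queue of the interface it actually leaves. With "set state-policy if-bound" the two rules above create two separate states, one bound to re0 and one to rl0 (the `pfctl -s label` counters for to_data already show the re0 state carrying both directions: 3647 packets in, 5615 out). Each rule's queue name therefore has to be a queue defined on the rule's own interface: what leaves re0 towards the LAN is the download, what leaves rl0 towards the ISP is the upload. The configuration below keeps the poster's macros, tables, queue definitions and NAT rule and differs only in which queue each filter rule names; that this is the whole story for the poster's setup is an assumption.

```pf
# Added example, not the poster's pf.conf. Assumption: the only change needed is
# that each filter rule names a queue defined on the interface the rule is on,
# because ALTQ shapes only packets leaving the interface the queue is attached to.
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

table <network> { 192.168.0.34, 192.168.0.223 }
table <tusite> { 222.111.111.222 }

# One state per interface, so re0 and rl0 each hold their own state and queue id
set state-policy if-bound

scrub in all

# Queues on re0 shape what leaves re0 towards the LAN, i.e. the download
altq on $int_if hfsc bandwidth 8Mb queue {download, gen_down}
queue gen_down bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue download bandwidth 2Mb hfsc (realtime 1Mb upperlimit 1536Kb)

# Queues on rl0 shape what leaves rl0 towards the ISP, i.e. the upload
altq on $ext_if hfsc bandwidth 8Mb queue {upload, gen_up}
queue gen_up bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue upload bandwidth 1Mb hfsc (realtime 512Kb upperlimit 768Kb)

nat on $ext_if from <network> to any -> $ext_ip

# State bound to re0. The packets of this flow that leave re0 are the replies
# from <tusite> back to the LAN, so the re0 queue "download" is named here.
pass in log (all to pflog0) quick on $int_if from <network> to <tusite> keep state tag to_data label "to_data" queue download

# Second state, bound to rl0. The packets leaving rl0 are the requests to
# <tusite>, so the rl0 queue "upload" is named here.
# pflog1 must exist first (ifconfig pflog1 create), as in the original rule.
pass out log (all to pflog1) quick on $ext_if tagged to_data label "from_data" queue upload
```

After loading it with `pfctl -f /etc/pf.conf`, `pfctl -ss` should list two states for one connection to <tusite>, one on re0 and one on rl0, and `pfctl -vsq` prints per-queue packet and byte counters, so a transfer should move the counters of upload on rl0 and download on re0 instead of gen_up and gen_down.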