9th December 2008
ivanatora
Real Name: Ivan
Join Date: Jul 2008
Location: Bulgaria
Posts: 51

I'm here again with a slightly different approach.
I've read that there is a PF option, "state-policy", that should be "if-bound" if I want to match traffic in different directions. Otherwise the created state would float from one interface to the other and I could not shape upload and download differently.
I make one default queue for each interface, and two specialized 'limited' queues, too. I've written some rules, but the problem is that traffic never gets assigned to the limited queues. This is pretty puzzling to me, because I can see there are packets matching these labels.
Here again is my pf.conf:
Code:
### Macros
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"

### Tables
table <network>  { 192.168.0.34, 192.168.0.223 }
table <tusite>  { 222.111.111.222 }
### Options
set state-policy if-bound
### Normalizations
scrub in all

### Queueing

altq on $int_if hfsc bandwidth 8Mb queue {download, gen_down}
queue gen_down bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue download bandwidth 2Mb hfsc (realtime 1Mb upperlimit 1536Kb)

altq on $ext_if hfsc bandwidth 8Mb queue {upload, gen_up}
queue gen_up bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue upload bandwidth 1Mb hfsc (realtime 512Kb upperlimit 768Kb)

### Translation
nat on $ext_if from <network> to any -> $ext_ip

### Filtering
pass in log (all to pflog0) quick on $int_if from <network> to <tusite> keep state tag to_data label "to_data" queue upload
pass out log (all to pflog1) quick on $ext_if tagged to_data label "from_data" queue download
Here is some output from pftop, showing that all traffic gets assigned to the default queues:
Code:
pfTop: Up Queue 1-6/6, View: queue, Cache: 10000                           20:48:19

QUEUE               BW SCH  PR   PKTS  BYTES  DROP_P DROP_B QLEN BORR SUSP P/S  B/S
root_re0         8000K hfsc  0      0      0       0      0    0             0    0
 gen_down        4000K hfsc     63051 10784K      38  34460   42           226 248K
 download        2000K hfsc         0      0       0      0    0             0    0
root_rl0         8000K hfsc  0      0      0       0      0    0             0    0
 gen_up          4000K hfsc    112576   133M       0      0    0           225 171K
 upload          1000K hfsc         0      0       0      0    0             0    0
And here is the most annoying thing: looking at traffic per label in PF, I see there are packets matching these rules:
Code:
# pfctl -s label
to_data 205761 9262 8544433 3647 155866 5615 8388567
from_data 205755 9262 8544433 5615 8388567 3647 155866
If so, why is there no traffic in the specialized queues?
Reply With Quote
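The queue-to-interface relationship that explains the pftop counters above, as an added example that is not part of the original post: a queue named in a PF rule only takes effect on packets leaving the interface the queue is defined on, and a queue named on an in rule is applied to the reply packets leaving that same interface. The config below keeps the macros, tables and altq definitions from the post and only swaps the two queue names in the filter rules.

```pf
### Macros, tables, options, normalization and queues exactly as posted
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"
table <network> { 192.168.0.34, 192.168.0.223 }
table <tusite> { 222.111.111.222 }
set state-policy if-bound
scrub in all

altq on $int_if hfsc bandwidth 8Mb queue {download, gen_down}
queue gen_down bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue download bandwidth 2Mb hfsc (realtime 1Mb upperlimit 1536Kb)

altq on $ext_if hfsc bandwidth 8Mb queue {upload, gen_up}
queue gen_up bandwidth 4Mb hfsc (realtime 2Mb upperlimit 2Mb default)
queue upload bandwidth 1Mb hfsc (realtime 512Kb upperlimit 768Kb)

nat on $ext_if from <network> to any -> $ext_ip

### As posted, each rule named the queue of the *other* interface:
###   pass in  on $int_if ... queue upload    (upload lives on rl0, replies leave re0)
###   pass out on $ext_if ... queue download  (download lives on re0, packets leave rl0)
### so both directions fell through to the default queue of the exit interface.

### Corrected: name the queue of the interface the packets actually leave.
# Requests from the LAN arrive on re0; with if-bound states this rule's state
# also matches the replies leaving re0 toward the LAN, which is the traffic
# the "download" queue on re0 is meant to shape.
pass in log (all to pflog0) quick on $int_if from <network> to <tusite> \
    keep state tag to_data label "to_data" queue download

# The tagged requests leave rl0 toward the Internet; that is the upload
# direction, so they belong in the "upload" queue defined on rl0.
pass out log (all to pflog1) quick on $ext_if tagged to_data \
    label "from_data" queue upload
```

After reloading with `pfctl -f /etc/pf.conf`, the per-queue counters in `pfctl -vs queue` (or the pftop view from the post) should start incrementing on download and upload for traffic to <tusite>.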