Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 12th October 2008
plexter plexter is offline
Shell Scout
Join Date: May 2008
Posts: 124
Question PF w/ ALTQ - Queue errors exceeding bandwidth

Hello all,

I've been trying to get PF ALTQ setup and for the life of me I cannot figure out what the errors below are meaning, or at least what they are asking me to change. I have tried playing around with the values with no luck! I'm hoping someone here can assist with setting this up.

Before I get into the errors I will first outline what I am trying to accomplish with ALTQ.

I have chosen to work with HFSC as it seemed like the best option for VOIP. If this was an incorrect choice please let me know.

My ALTQ is supposed to help reduce network congestion as I am using both time sensitive and non-time sensitive services. However I would have preferred my total bandwidth to be shared by all the queues (borrow w/ CBQ) as I do not really care if one queue takes up most or all of the bandwidth as long as it gives it back when something like VOIP needs it.

VOIP vs bittorent basically. So I am looking to firstly prioritize VOIP over everything so my calls still work while also making sure traffic still flows (even if it is slower) and finally I am trying to optimize the flow of Ack's as I am on an ADSL line.

My ALTQ Section:
altq on $ext_if bandwidth 600Kb hfsc queue { ack, dns, ssh, webftp, bitt, voip, rdpvnc, general }

queue ack priority 7 qlimit 500 hfsc (realtime 20% red ecn)
Note: I am not sure how much I should devote to ACK packets --comments?

queue voip priority 6 qlimit 500 hfsc (realtime 65% red enc)
queue dns priority 5 qlimit 500 hfsc (realtime 5% red ecn)
queue ssh priority 4 qlimit 500 hfsc (realtime 2% red ecn) {ssh_login, ssh_bulk}
queue ssh_login priority 4 qlimit 500
queue ssh_bulk priority 3 qlimit 500
rdpvnc priority 4 qlimit 500 hfsc (realtime 3% red ecn)
webftp priority 4 qlimit 500 hfsc (upperlimit 70% red ecn)
games priority 2 qlimit 500 hfsc (upperlimit 70% red ecn)
bitt     priority 3 qlimit 500 hfsc (upperlimit 80% red enc)
general priority 1 qlimit 500 hfsc (upperlimit 75% red ecn default)
I won't bother writing all of the errors however I basically get a screen full and then some of the following when running PF:

pfctl: linkshare sc exceeds parent's sc 
/etc/pf.conf:34: errors in queue definition
pfctl: the sum of the child bandwidth higher than parent "root_fxp0" 
pfctl: linkshare sc exceeds parent's sc
/etc/pf.conf:35: errors in queue definition
parent ssh not found for ssh_login
/etc/pf.conf:36: errors in queue definition

Line 35 as an example is the start of my SSH queue

....and on and on...
My pass rules (temporary):

pass out quick on $ext_if inet proto udp from any to any port 5060 keep state queue (voip, ack)
pass out quick on $ext_if inet proto udp from any to any port domain keep state queue (dns, ack)
pass out quick on $ext_if inet proto tcp from any to any port ssh modulate state queue (ssh_bulk, ssh_login)
pass out quick on $ext_if inet proto (tcp, udp) from any to any keep state queue (general, ack)

and I have one for each queue...
Also I am unclear as to how I should be placing the ACK queue. Have I done this correctly by adding it as the TOS queue on all queues?

Anyway hope someone can help!
Reply With Quote

altq, openbsd 4.3, pf

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PF-queue ultranothing OpenBSD Security 3 1st September 2009 05:24 PM
Webserver email queue Yuka FreeBSD General 5 12th November 2008 12:52 AM
ALTQ Question regarding RudiK FreeBSD Security 4 23rd July 2008 01:59 PM
[PF] Problem with ftp and ALTQ gotian FreeBSD Security 1 22nd July 2008 11:25 PM
Queuing with PF and ALTQ Weaseal FreeBSD Security 1 22nd July 2008 05:18 PM

All times are GMT. The time now is 02:08 PM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick