DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 14th February 2009
ivanatora ivanatora is offline
Real Name: Ivan
Fdisk Soldier
 
Join Date: Jul 2008
Location: Bulgaria
Posts: 51
Thanked 2 Times in 1 Post
Default PF can't match on TOS?

Hello,
I'm trying to build some QoS based on the TOS field in the IP header of the packets going trough my machine in any direction. For now I'm unable to build a rule to match these. There are such packets - I can see them on tcpdump:
Code:
13:38:35.466787 IP (tos 0x30, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.34.47624 > 67.225.240.104.80: R, cksum 0xf6f5 (correct), 1916966715:1916966715(0) win 0
Here is the rule I think should match that packet (but it doesn't):
Code:
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"
table <network>  { 192.168.0.34, 192.168.0.9 }
set state-policy if-bound
scrub in all

altq on $int_if hfsc bandwidth 15Mb queue {download, gen_down, dl_int}
queue gen_down bandwidth 1Mb hfsc (realtime 1Mb upperlimit 1Mb default)
queue download bandwidth 12Mb hfsc (realtime 10Mb upperlimit 15Mb)
queue dl_int bandwidth 2Mb hfsc (realtime 1Mb upperlimit 2Mb)

altq on $ext_if hfsc bandwidth 15Mb queue {upload, gen_up, up_int}
queue gen_up bandwidth 1Mb hfsc (realtime 1Mb upperlimit 1Mb)
queue upload bandwidth 12Mb hfsc (realtime 10Mb upperlimit 15Mb default)
queue up_int bandwidth 2Mb hfsc (realtime 1Mb upperlimit 2Mb)

nat on $ext_if from <network> to any -> $ext_ip
pass quick on $ext_if from <network> tos 0x30 label "int_dl" 
pass log (all to pflog0) quick on $int_if from <network> keep state tag to_data label "?download:" queue download
pass log (all to pflog1) quick on $ext_if tagged to_data label "?upload:" queue upload
I've tried both replacing $int_if and $ext_if in the pass rule, also changing "from <network>" to "to <network>" and it never matches anything.
Any ideas?

Last edited by ivanatora; 15th February 2009 at 10:37 AM.
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
first match vs last match ruleset design (pf vs iptables) zelut FreeBSD Security 5 12th July 2009 08:13 AM


All times are GMT. The time now is 03:54 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick