DaemonForums  

#1
Old 14th February 2009
ivanatora (Real Name: Ivan), Fdisk Soldier
Join Date: Jul 2008
Location: Bulgaria
Posts: 51
Thanked 2 Times in 1 Post
PF can't match on TOS?

Hello,
I'm trying to build some QoS based on the TOS field in the IP header of the packets going through my machine in any direction. For now I'm unable to build a rule to match these. There are such packets - I can see them in tcpdump:
Code:
13:38:35.466787 IP (tos 0x30, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.34.47624 > 67.225.240.104.80: R, cksum 0xf6f5 (correct), 1916966715:1916966715(0) win 0
Here is the rule I think should match that packet (but it doesn't):
Code:
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"
table <network>  { 192.168.0.34, 192.168.0.9 }
set state-policy if-bound
scrub in all

altq on $int_if hfsc bandwidth 15Mb queue {download, gen_down, dl_int}
queue gen_down bandwidth 1Mb hfsc (realtime 1Mb upperlimit 1Mb default)
queue download bandwidth 12Mb hfsc (realtime 10Mb upperlimit 15Mb)
queue dl_int bandwidth 2Mb hfsc (realtime 1Mb upperlimit 2Mb)

altq on $ext_if hfsc bandwidth 15Mb queue {upload, gen_up, up_int}
queue gen_up bandwidth 1Mb hfsc (realtime 1Mb upperlimit 1Mb)
queue upload bandwidth 12Mb hfsc (realtime 10Mb upperlimit 15Mb default)
queue up_int bandwidth 2Mb hfsc (realtime 1Mb upperlimit 2Mb)

nat on $ext_if from <network> to any -> $ext_ip
pass quick on $ext_if from <network> tos 0x30 label "int_dl"
pass log (all to pflog0) quick on $int_if from <network> keep state tag to_data label "?download:" queue download
pass log (all to pflog1) quick on $ext_if tagged to_data label "?upload:" queue upload
I've tried replacing both $int_if and $ext_if in the pass rule, and also changing "from <network>" to "to <network>", and it never matches anything.
Any ideas?

Last edited by ivanatora; 15th February 2009 at 10:37 AM.
#2
Old 15th February 2009
ivanatora (Real Name: Ivan), Fdisk Soldier
Join Date: Jul 2008
Location: Bulgaria
Posts: 51
Thanked 2 Times in 1 Post

I've added log (all to pflog1) to the rule and now tcpdump on pflog1 shows strange things. (I've removed the logging option from the ex-pflog1 rule.) It should be showing nothing, but in fact it shows every packet going through $ext_if:
Code:
# tcpdump -nevi pflog1
12:21:58.555064 rule 4294967295/0(match): pass in on rl0: (tos 0x50, ttl 119, id 63193, offset 0, flags [DF], proto TCP (6), length 64) 79.100.183.215.17771 > 192.168.0.34.40556: [|tcp]
12:21:58.555458 rule 4294967295/0(match): pass out on rl0: (tos 0x0, ttl 63, id 8391, offset 0, flags [DF], proto TCP (6), length 1492) 192.168.1.2.52251 > 79.100.183.215.17771: [|tcp]
...
First - why are all the packets logged in pflog?
Second - what is that "rule 4294967295/0(match)"? I obviously don't have that many rules. Which rule is matched?
Third - does "scrub in all" log to pflog?
Fourth - what are these sessions doing in pflog? I mean, when I run netstat (on both the router machine and the 0.34 NAT client machine) it doesn't show any of the IPs and ports shown by tcpdump.

Last edited by ivanatora; 15th February 2009 at 10:38 AM.
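Added example, not from the thread and not part of pf or tcpdump: a small Python parser for the `tcpdump -v` and `tcpdump -nevi pflog1` lines quoted in both posts above. It pulls the TOS byte out of each line, splits it into DSCP and ECN, and decodes the pflog rule number as the 32-bit unsigned value it is on the wire, so 4294967295 (0xffffffff) comes back as -1, which is not an index into the loaded ruleset. The three sample lines are the ones from the posts; all function, class and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three lines quoted in the thread, one from plain
# "tcpdump -v" on an interface and two from "tcpdump -nevi pflog1".
SAMPLE_LINES = [
    "13:38:35.466787 IP (tos 0x30, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) "
    "192.168.0.34.47624 > 67.225.240.104.80: R, cksum 0xf6f5 (correct), 1916966715:1916966715(0) win 0",
    "12:21:58.555064 rule 4294967295/0(match): pass in on rl0: (tos 0x50, ttl 119, id 63193, offset 0, "
    "flags [DF], proto TCP (6), length 64) 79.100.183.215.17771 > 192.168.0.34.40556: [|tcp]",
    "12:21:58.555458 rule 4294967295/0(match): pass out on rl0: (tos 0x0, ttl 63, id 8391, offset 0, "
    "flags [DF], proto TCP (6), length 1492) 192.168.1.2.52251 > 79.100.183.215.17771: [|tcp]",
]

# pflog header as tcpdump -e prints it: "rule <nr>/<sub>(<reason>): <action> <dir> on <if>:"
PFLOG_RE = re.compile(
    r"^\S+ rule (?P<rulenr>\d+)/(?P<subnr>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\S+): "
)
# IPv4 header summary printed by tcpdump -v, followed by the TCP/UDP endpoints.
IP_RE = re.compile(
    r"\(tos 0x(?P<tos>[0-9a-fA-F]+), ttl (?P<ttl>\d+),.*?proto (?P<proto>\w+) \(\d+\), "
    r"length (?P<length>\d+)\) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+)"
)


@dataclass
class Packet:
    tos: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    # pflog-only fields; None for lines captured on a regular interface
    rulenr: Optional[int] = None
    action: Optional[str] = None
    direction: Optional[str] = None
    ifname: Optional[str] = None
    reason: Optional[str] = None

    @property
    def dscp(self) -> int:
        return self.tos >> 2   # upper six bits of the TOS byte (RFC 2474)

    @property
    def ecn(self) -> int:
        return self.tos & 0x3  # lower two bits (RFC 3168)


def dscp_name(dscp: int) -> str:
    """Standard per-hop-behaviour name for a DSCP value (RFC 2474/2597/3246)."""
    if dscp == 46:
        return "EF"
    if dscp % 8 == 0:
        return f"CS{dscp // 8}"
    cls, drop = dscp // 8, dscp % 8
    if 1 <= cls <= 4 and drop in (2, 4, 6):
        return f"AF{cls}{drop // 2}"
    return f"DSCP{dscp}"


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for lines without an IPv4 -v header."""
    ip = IP_RE.search(line)
    if ip is None:
        return None
    pkt = Packet(
        tos=int(ip.group("tos"), 16), proto=ip.group("proto"),
        src=ip.group("src"), sport=int(ip.group("sport")),
        dst=ip.group("dst"), dport=int(ip.group("dport")),
        length=int(ip.group("length")),
    )
    hdr = PFLOG_RE.match(line)
    if hdr is not None:
        nr = int(hdr.group("rulenr"))
        # pflog carries the rule number as an unsigned 32-bit integer; 4294967295
        # is 0xffffffff, i.e. -1 read as signed, so it does not index a rule in
        # the currently loaded ruleset.
        pkt.rulenr = nr - (1 << 32) if nr >= (1 << 31) else nr
        pkt.action = hdr.group("action")
        pkt.direction = hdr.group("dir")
        pkt.ifname = hdr.group("ifname")
        pkt.reason = hdr.group("reason")
    return pkt


def select_by_tos(lines, tos: int, mask: int = 0xFF) -> List[Packet]:
    """Packets whose TOS byte equals `tos` under `mask` (mask 0xFC ignores the ECN bits)."""
    out = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None and (pkt.tos & mask) == (tos & mask):
            out.append(pkt)
    return out


def indexless_pflog_entries(lines) -> List[Packet]:
    """pflog entries whose rule number decodes to -1, i.e. carry no ruleset index."""
    return [p for p in map(parse_line, lines) if p is not None and p.rulenr == -1]


if __name__ == "__main__":
    for p in map(parse_line, SAMPLE_LINES):
        print(f"tos=0x{p.tos:02x} ({dscp_name(p.dscp)}, ecn={p.ecn}) rule={p.rulenr} "
              f"{p.direction or '-'} {p.ifname or '-'} {p.src}:{p.sport} > {p.dst}:{p.dport}")
```

The `tos 0x30` tcpdump prints is the whole byte, so it is DSCP 12 (AF12) with ECN 0, and a pf `tos 0x30` match compares the full byte; the `mask` argument of `select_by_tos` lets you check how many packets a DSCP-only comparison would have caught instead. Run it on a saved `tcpdump -nev` capture of pflog to see which entries carry a real rule index and which come back as -1.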