PF can't match on TOS?
Hello,
I'm trying to build some QoS based on the TOS field in the IP header of the packets going through my machine in any direction. For now I'm unable to build a rule to match these. There are such packets - I can see them on tcpdump:
Code:
13:38:35.466787 IP (tos 0x30, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.34.47624 > 67.225.240.104.80: R, cksum 0xf6f5 (correct), 1916966715:1916966715(0) win 0
Code:
int_if = "re0"
ext_if = "rl0"
ext_ip = "192.168.1.2"
table <network> { 192.168.0.34, 192.168.0.9 }

set state-policy if-bound
scrub in all

altq on $int_if hfsc bandwidth 15Mb queue {download, gen_down, dl_int}
queue gen_down bandwidth 1Mb hfsc (realtime 1Mb upperlimit 1Mb default)
queue download bandwidth 12Mb hfsc (realtime 10Mb upperlimit 15Mb)
queue dl_int bandwidth 2Mb hfsc (realtime 1Mb upperlimit 2Mb)

altq on $ext_if hfsc bandwidth 15Mb queue {upload, gen_up, up_int}
queue gen_up bandwidth 1Mb hfsc (realtime 1Mb upperlimit 1Mb)
queue upload bandwidth 12Mb hfsc (realtime 10Mb upperlimit 15Mb default)
queue up_int bandwidth 2Mb hfsc (realtime 1Mb upperlimit 2Mb)

nat on $ext_if from <network> to any -> $ext_ip

pass quick on $ext_if from <network> tos 0x30 label "int_dl"
pass log (all to pflog0) quick on $int_if from <network> keep state tag to_data label "?download:" queue download
pass log (all to pflog1) quick on $ext_if tagged to_data label "?upload:" queue upload
Any ideas?
Last edited by ivanatora; 15th February 2009 at 10:37 AM.

I've added log all to pflog1 to the rule and now tcpdump on pflog1 shows strange things. (I've removed the logging option for the ex-pflog1 rule.) It should be showing nothing, but in fact it shows every packet going through the $ext_if:
Code:
# tcpdump -nevi pflog1
12:21:58.555064 rule 4294967295/0(match): pass in on rl0: (tos 0x50, ttl 119, id 63193, offset 0, flags [DF], proto TCP (6), length 64) 79.100.183.215.17771 > 192.168.0.34.40556: [|tcp]
12:21:58.555458 rule 4294967295/0(match): pass out on rl0: (tos 0x0, ttl 63, id 8391, offset 0, flags [DF], proto TCP (6), length 1492) 192.168.1.2.52251 > 79.100.183.215.17771: [|tcp]
...
Second - what is that "rule 4294967295/0(match)"? I obviously don't have that many rules. Which rule is matched?
Third - does "scrub in all" log to pflog?
Fourth - what are these sessions doing in pflog? I mean when I fire netstat (on both the router machine and the 0.34 NAT client machine) it doesn't show any of the IPs and ports shown by tcpdump.
Last edited by ivanatora; 15th February 2009 at 10:38 AM.
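An added example, written for this thread and not ivanatora's code nor anything shipped with pf or FreeBSD: a small Python parser for the tcpdump -nev and pflog lines quoted in both posts above. It pulls out the tos byte, splits it into DSCP and ECN, records the pflog rule number, interface and direction when the line carries a pflog prefix, and counts packets per (tos, interface, direction), which is the first thing to check before wondering why a tos 0x30 queue rule never fires. The sample lines are constructed copies of the ones in the thread; the header layout assumed is what tcpdump prints for IPv4 under -v, and the script name tos_summary.py is arbitrary.

```python
"""Summarise TOS/DSCP values and pflog rule hits from tcpdump -nev output."""
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample, modelled on the tcpdump and pflog lines quoted in the thread.
SAMPLE_LINES = [
    "13:38:35.466787 IP (tos 0x30, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) "
    "192.168.0.34.47624 > 67.225.240.104.80: R, cksum 0xf6f5 (correct), 1916966715:1916966715(0) win 0",
    "12:21:58.555064 rule 4294967295/0(match): pass in on rl0: (tos 0x50, ttl 119, id 63193, offset 0, "
    "flags [DF], proto TCP (6), length 64) 79.100.183.215.17771 > 192.168.0.34.40556: [|tcp]",
    "12:21:58.555458 rule 4294967295/0(match): pass out on rl0: (tos 0x0, ttl 63, id 8391, offset 0, "
    "flags [DF], proto TCP (6), length 1492) 192.168.1.2.52251 > 79.100.183.215.17771: [|tcp]",
    "not a packet line at all",
]

# Optional pflog prefix, e.g. "rule 4294967295/0(match): pass out on rl0:"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[\w.]+):"
)
# IPv4 header as printed by tcpdump -v, followed by "src.port > dst.port:"
HDR_RE = re.compile(
    r"\(tos 0x(?P<tos>[0-9a-fA-F]+), ttl (?P<ttl>\d+), .*?proto (?P<proto>\w+) \(\d+\), "
    r"length (?P<length>\d+)\) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_line(line):
    """Return a dict for one tcpdump/pflog line, or None if it is not an IPv4 packet line."""
    hdr = HDR_RE.search(line)
    if not hdr:
        return None
    pkt = {
        "tos": int(hdr["tos"], 16),
        "ttl": int(hdr["ttl"]),
        "proto": hdr["proto"],
        "length": int(hdr["length"]),
        "src": hdr["src"], "sport": int(hdr["sport"]),
        "dst": hdr["dst"], "dport": int(hdr["dport"]),
        # The fields below are only filled in for lines captured on a pflog interface
        "rule": None, "action": None, "dir": None, "ifname": None,
    }
    pf = PFLOG_RE.search(line)
    if pf:
        pkt.update(rule=int(pf["rule"]), action=pf["action"], dir=pf["dir"], ifname=pf["ifname"])
    return pkt


def dscp_ecn(tos):
    """Split the 8-bit TOS byte into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    return tos >> 2, tos & 0x3


def tos_summary(lines):
    """Count packets per (tos, interface, direction); interface and direction are None for plain tcpdump."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            counts[(pkt["tos"], pkt["ifname"], pkt["dir"])] += 1
    return counts


def packets_in_net(lines, network, tos):
    """Packets whose source lies inside `network` and whose TOS byte equals `tos`.

    This is the set a pf rule written 'from <network> tos 0xNN' would have to see on the
    interface where it is evaluated; an empty result on $ext_if is a hint that the packets
    were already translated before the rule ran.
    """
    net = ipaddress.ip_network(network)
    return [p for p in map(parse_line, lines)
            if p and ipaddress.ip_address(p["src"]) in net and p["tos"] == tos]


if __name__ == "__main__":
    # Usage: python3 tos_summary.py [capture.txt]   (no argument: run on the constructed sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    for (tos, ifname, direction), n in sorted(tos_summary(lines).items(), key=str):
        dscp, ecn = dscp_ecn(tos)
        print(f"tos 0x{tos:02x} (dscp {dscp}, ecn {ecn}) {ifname or '-'} {direction or '-'}: {n}")
    hits = packets_in_net(lines, "192.168.0.0/24", 0x30)
    print(f"{len(hits)} packet(s) from 192.168.0.0/24 with tos 0x30")
```

Feed it a text capture saved with tcpdump -nev (or -nevi pflog1) and compare the per-interface counts with the rule you expect to match. On the lines quoted in the thread the summary already shows the point worth checking: the only tos 0x30 packet is seen with source 192.168.0.34 on the plain capture, while the "pass out on rl0" pflog line carries 192.168.1.2, i.e. $ext_ip, as its source. Outbound packets on $ext_if are translated by the nat rule before the filter rules on that interface evaluate them, so a rule on $ext_if written "from <network>" compares the internal table against an address that is no longer there; matching on tos before translation, on $int_if, or on the translated source, avoids that.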