Lower priority of IP packets from/to addresses that cause a lot of traffic

F

fmunkert

Is it possible to use a pf firewall (with ALTQ or other mechanism) to configure bandwidth utilization such that packets from IP addresses who caused a high bandwidth utilization during the last minute or so get a lower priority?

I have examined the ALTQ documentation, but I found no way to do that.

Background: we sometimes have the problem that our Internet connection is slowed down by users doing bulk data transfers (either via FTP, via Windows network shares, via IPSEC tunnels, ...). It is not possible to reserve bandwidth for particular protocols (or to prioritize certain protocols), because we use many IPSEC tunnels, and there are so many different protocols in use that are equally important.
Therefore, I would simply like to slow down packets from users who are causing high traffic, because they expect that they have to wait some time, and it does not matter whether or not the bulk transfer takes 10% more time.

Many thanks in advance for any hints.
 
Bulk traffic can be separated from interactive traffic by using a second queue on a rule. Give that second queue the lowest priority.

From pf.conf(5):
Code: 
     Packets can be assigned to queues based on filter rules by using the
     queue keyword.  Normally only one queue is specified; when a second one
     is specified it will instead be used for packets which have a TOS of
     lowdelay and for TCP ACKs with no data payload.

     To continue the previous example, the examples below would specify the
     four referenced queues, plus a few child queues.  Interactive ssh(1) ses-
     sions get priority over bulk transfers like scp(1) and sftp(1).  The
     queues may then be referenced by filtering rules (see PACKET FILTERING
     below).

     queue std bandwidth 10% cbq(default)
     queue http bandwidth 60% priority 2 cbq(borrow red) \
           { employees, developers }
     queue  developers bandwidth 75% cbq(borrow)
     queue  employees bandwidth 15%
     queue mail bandwidth 10% priority 0 cbq(borrow ecn)
     queue ssh bandwidth 20% cbq(borrow) { [FILE][B]ssh_interactive, ssh_bulk[/B][/FILE] }
     queue  ssh_interactive bandwidth 50% priority 7 cbq(borrow)
     queue  ssh_bulk bandwidth 50% priority 0 cbq(borrow)

     block return out on dc0 inet all queue std
     pass out on dc0 inet proto tcp from $developerhosts to any port 80 \
           queue developers
     pass out on dc0 inet proto tcp from $employeehosts to any port 80 \
           queue employees
     pass out on dc0 inet proto tcp from any to any port 22 \
           queue(ssh_bulk, ssh_interactive)
     pass out on dc0 inet proto tcp from any to any port 25 \
           queue mail

I use something similar for bittorrent traffic (which I want to defer to every other type of traffic, except for ACKs which need to be handled in a timely fashion):

Code: 
queue torrent   priority 1      qlimit 0 (i.e. lowest priority)
queue toracks   priority 2      qlimit 0 (slightly higher priority)
[...]
pass  in quick inet proto tcp all user rtorrent keep state (max-src-conn 10, max-src-conn-rate 10/5, overload <bruteforce> flush global) 
queue( torrent, toracks )

So basically bittorrent traffic takes a back seat to everything else running on my system, like mail, ssh, and http. Works fine.
 
In your example, you assign lower priority to packets based on the port number. As I wrote in my original post, I cannot do that because I do not know in advance which protocols (ports) will cause bulk traffic; furthermore, we use VPN tunnels that hide the port numbers.

Therefore my question was whether pf can dynamically lower the priority of sessions that have exceeded a certain bandwidth during the last minute.

Regards
- Frank
 
No. You'd have to script something around it. Note that, in my particular case, I select on user (can be anything that pf understands in a queue rule, like user, group, protocol, port, source, destination).
 
You must log in or register to reply here.
Back
Top