Need halp with PF+ALTQ

K

kotobeg

I am new to PF. I tried to read all the available resources about traffic shaping in the PF and guess what I just get full of a stupid mistake but I could not find it in the second day. So a please help me find it.

Code: 
test# uname -a
FreeBSD test.xxx.xxx.xxx 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Mon May 31 13:10:02 EEST 2010     [email]root@test.xxx.xxx.xxx[/email]:/usr/src/sys/i386/compile/AAAAA_K0  i386

Kernel is compiled with all required options for the PF ALTQ.
pf.config
....
Code: 
ext_if="em0"   
int_if="em1"    
external_addr="xxx.xxx.xxx.xxx"
external_net="xxx.xxx.xxx.xxx/29"
internal_net="192.168.111.0/24"
SYN_ONLY="S/FSRA"
icmp_types="{ echoreq, unreach }"

altq on $int_if cbq bandwidth 1500Kb queue { fullspeed, qboss, qdeputy }
queue fullspeed bandwidth 700Kb cbq(default borrow)
queue qboss bandwidth 400Kb priority 2 cbq(borrow)
queue qdeputy bandwidth 300Kb priority 2 cbq(borrow)

table <boss> { 192.168.111.131, 192.168.111.120, 192.168.111.121 }
table <deputy> { 192.168.111.124, 192.168.111.112, 192.168.111.170 }

pass in log quick on $int_if proto TCP from <deputy> to any port { 22, 80, 8080, 2221, 443} no state
pass out log quick on $int_if from any to <deputy> no state queue qdeputy

pass in log quick on $int_if proto TCP from $internal_net to any port { 22, 80, 8080, 2221, 443} no state 
pass out log quick on $int_if from any to $internal_net no state queue boss
.......

I can see traffic on pass out... rules:
Code: 
@16 pass in log quick on em1 proto tcp from <deputy:3> to any port = ssh no state queue qdeputy
  [ Evaluations: 469       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 31529 ]
@17 pass in log quick on em1 proto tcp from <deputy:3> to any port = http no state queue qdeputy
  [ Evaluations: 121       Packets: 121       Bytes: 7445        States: 0     ]
  [ Inserted: uid 0 pid 31529 ]
@18 pass in log quick on em1 proto tcp from <deputy:3> to any port = 8080 no state queue qdeputy
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 31529 ]
@19 pass in log quick on em1 proto tcp from <deputy:3> to any port = 2221 no state queue qdeputy
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 31529 ]
@20 pass in log quick on em1 proto tcp from <deputy:3> to any port = https no state queue qdeputy
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 31529 ]
@21 pass out log quick on em1 from any to <deputy:3> no state queue qdeputy
  [ Evaluations: 291       Packets: 156       Bytes: 178797      States: 0     ]
But queues are empty:
Code: 
test# pfctl -vvsq
queue root_em1 on em1 bandwidth 1.50Mb priority 0 cbq( wrr root ) {fullspeed, qboss, qdeputy}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  fullspeed on em1 bandwidth 700Kb cbq( borrow default )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  qboss on em1 bandwidth 400Kb priority 2 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  qdeputy on em1 bandwidth 300Kb priority 2 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

Could someone help me understand where where I was wrong.
Best regards,
Konstantin
 
First off: drop the 'no state' stuff. Just keep state on every in/out rule, and add queue statements to all in/out rules. Outbound traffic as a response to inbound traffic will be handled by the queue specified on the inbound pass rule, vice versa. Keeping state ties it all together.
 
Yes I also had such idea. But... It not works...

Code: 
@22 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = ssh flags S/SA keep state queue boss
  [ Evaluations: 147       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@23 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = http flags S/SA keep state queue boss
  [ Evaluations: 87        Packets: 2263      Bytes: 2019610     States: 10    ]
  [ Inserted: uid 0 pid 39358 ]
@24 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = 8080 flags S/SA keep state queue boss
  [ Evaluations: 63        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@25 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = 2221 flags S/SA keep state queue boss
  [ Evaluations: 63        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@26 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = https flags S/SA keep state queue boss
  [ Evaluations: 63        Packets: 615       Bytes: 286692      States: 14    ]
  [ Inserted: uid 0 pid 39358 ]
@27 pass out log quick on em1 inet from any to 192.168.111.0/24 flags S/SA keep state queue boss
  [ Evaluations: 90        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]


Code: 
test# pfctl -vvsq
queue root_em1 on em1 bandwidth 1.50Mb priority 0 cbq( wrr root ) {fullspeed, qboss, qdeputy}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  fullspeed on em1 bandwidth 700Kb cbq( borrow default )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  qboss on em1 bandwidth 400Kb priority 2 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  qdeputy on em1 bandwidth 300Kb priority 2 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
 
Ok. In this case we haven't any traffic on OUT rules:
Code: 
@16 pass in log quick on em1 proto tcp from <deputy:3> to any port = ssh flags S/SA keep state queue qdeputy
  [ Evaluations: 13950     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@17 pass in log quick on em1 proto tcp from <deputy:3> to any port = http flags S/SA keep state queue qdeputy
  [ Evaluations: 611      [B] Packets: 19533     Bytes: 11082385  [/B]  States: 38    ]
  [ Inserted: uid 0 pid 39358 ]
@18 pass in log quick on em1 proto tcp from <deputy:3> to any port = 8080 flags S/SA keep state queue qdeputy
  [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@19 pass in log quick on em1 proto tcp from <deputy:3> to any port = 2221 flags S/SA keep state queue qdeputy
  [ Evaluations: 7         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@20 pass in log quick on em1 proto tcp from <deputy:3> to any port = https flags S/SA keep state queue qdeputy
  [ Evaluations: 7         Packets: 108       Bytes: 26242       States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@21 pass out log quick on em1 from any to <deputy:3> flags S/SA keep state queue qdeputy
  [ Evaluations: 13135     [B]Packets: 0         Bytes: 0[/B]           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@22 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = ssh flags S/SA keep state queue boss
  [ Evaluations: 13135     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@23 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = http flags S/SA keep state queue boss
  [ Evaluations: 4139      [B]Packets: 102532    Bytes: 69060505[/B]    States: 78    ]
  [ Inserted: uid 0 pid 39358 ]
@24 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = 8080 flags S/SA keep state queue boss
  [ Evaluations: 760       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@25 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = 2221 flags S/SA keep state queue boss
  [ Evaluations: 760       Packets: 1033      Bytes: 944274      States: 0     ]
  [ Inserted: uid 0 pid 39358 ]
@26 pass in log quick on em1 inet proto tcp from 192.168.111.0/24 to any port = https flags S/SA keep state queue boss
  [ Evaluations: 754       Packets: 110921    Bytes: 95258067    States: 19    ]
  [ Inserted: uid 0 pid 39358 ]
@27 pass out log quick on em1 inet from any to 192.168.111.0/24 flags S/SA keep state queue boss
  [ Evaluations: 9417      [B]Packets: 0         Bytes: 0 [/B]          States: 0     ]
  [ Inserted: uid 0 pid 39358 ]

and also have nothing in queue:
Code: 
test# pfctl -vvsq
queue root_em1 on em1 bandwidth 1.50Mb priority 0 cbq( wrr root ) {fullspeed, qboss, qdeputy}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  fullspeed on em1 bandwidth 700Kb cbq( borrow default )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  qboss on em1 bandwidth 400Kb priority 2 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  qdeputy on em1 bandwidth 300Kb priority 2 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
 
I think the problem is 8.0 Release doesn't work with ALTQ on the em interface.
This has been discussed before and fixed in 8 Stable.

Adri.
 
You was right... System updated up to 8.1 and now I have activities in queue.. Thanks to all - solved...
 
You must log in or register to reply here.
Back
Top