Ok Istvan,
I'll try this and post results.
By the way, does anyone know if there are plans to include connection mark capabilities in pf?
I say this because until now it is the only way I've found to solve my issue.
If anybody knows another way to achieve the same goals, help is really appreciated.
Thanks everyone,
evelio vila
István <[email protected]> wrote:
Then we have to investigate the possibility to use those flags ;)
http://groups.google.com/group/bit.listserv.openbsd-pf/browse_thread/thread/dd04e046f70e8ebc#
Regards,
Istvan
On Sat, Jun 6, 2009 at 7:29 PM, <[email protected]> wrote:
Unfortunately that would not help me because the whole traffic is all originated from a single IP address (proxy), so I cannot distinguish between them (that is why I use DSCP marks).
Even if I could achieve this, there is still the issue of selecting incoming packets accordingly and directing them to inbound queues (for downlink traffic shaping).
regards,
evelio vila
István <[email protected]> wrote:
I guess you might want to tag those DSCP-enabled packets -because pf has no support for that at the moment, at least I cannot see it- and put them into the queue based on the tag.
http://www.openbsd.org/faq/pf/queueing.html#assign
Regards,
Istvan
On Sat, Jun 6, 2009 at 6:52 PM, <[email protected]> wrote:
István <[email protected]> wrote:
Hi!
In general it is a very bad idea to use the same way you have been using before when you are moving to a new platform. You wouldn't use bash to manage win2k8 servers, just to give you an example of what I am talking about.
The question is:
What do you want to do with pf? Forget about netfilter/conntrack and so on.
What do you want to achieve?
This is the only question.
Regards,
Istvan
I believe you are right Istvan!
This is the thing:
I want to do some traffic shaping on both interfaces of a FreeBSD box.
As you all probably know, the real congestion generally occurs on the downlink interface because of the asymmetric nature of some protocols (e.g. HTTP).
On the internal network I have some applications that put DSCP tags on packets according to different classes of service. The uplink shaping can be done simply by matching the corresponding DSCP field of each connection and sending it to different queues. (By the way, the doc I've read only presents TOS matching and nothing about DSCP.)
Anyway, the problem arises when the incoming traffic (from the internet) has no DSCP tags and I need to enqueue them accordingly to do the downlink traffic shaping.
regards,
evelio vila
On Sat, Jun 6, 2009 at 6:15 PM, <[email protected]> wrote:
Ermal Luçi <[email protected]> wrote:
On Sat, Jun 6, 2009 at 6:49 PM, <[email protected]> wrote:
Vlad Galu <[email protected]> wrote:
On Sat, Jun 6, 2009 at 5:57 AM, <[email protected]> wrote:
Hi folks!
I'm trying to figure out if there is a way to do connection marking in a similar way as iptables's CONNMARK target does.
Does pf support this feature?
My intention is to tag an outgoing packet, transfer the tag to the whole connection and then use that tag to mark incoming packets belonging to the same connection.
Also, I would like then to use that mark to enqueue marked packets into HFSC classes.
I've done all of this in Linux but never on FreeBSD; I've searched pf's man page and the FAQ without success.
thanks in advance,
evelio vila
Hi evelio, see below:
-- cut here --
     tag <string>
           Packets matching this rule will be tagged with the specified
           string.  The tag acts as an internal marker that can be used to
           identify these packets later on.  This can be used, for example,
           to provide trust between interfaces and to determine if packets
           have been processed by translation rules.  Tags are "sticky",
           meaning that the packet will be tagged even if the rule is not
           the last matching rule.  Further matching rules can replace the
           tag with a new one but will not remove a previously applied tag.
           A packet is only ever assigned one tag at a time.  Packet tagging
           can be done during nat, rdr, or binat rules in addition to filter
           rules.  Tags take the same macros as labels (see above).

     tagged <string>
           Used with filter or translation rules to specify that packets
           must already be tagged with the given tag in order to match the
           rule.  Inverse tag matching can also be done by specifying the !
           operator before the tagged keyword.
-- and here --
Anyway, I believe that keeping state for the desired outgoing connections should be enough all by itself.
Indeed no, what I want is also to mark the connection to be able then to mark incoming packets belonging to the same connection.
You would simply add the "queue <queue>" directive at the end of your pass out rule, even though the interface packets go out through is the "external" one, and you want to do shaping on the "internal" one but, as I understand, for that you also need floating (not if-bound) states.
I am not sure what you mean with "floating (not if-bound) states"; could you please explain this?
If I'm wrong, I'd like somebody with better pf knowledge to correct me :)
pf(4) is not iptables. So before using it read more about it.
I'm aware of that.
I think it's pretty obvious that my post is simply trying to figure out how to achieve with pf something that I used to do with netfilter.
I've read this before but nothing comes up to me.
http://www.openbsd.org/faq/pf/tagging.html
thanks anyway Ermal
regards,
evelio vila
http://home.nuug.no/~peter/pf/en/
http://www.openbsd.org/faq/pf
thanks for your quick answer Vlad.
evelio vila
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
6th International Conference on Renewable Energy, Energy Saving and Energy Education
June 9 - 12, 2009, Palacio de las Convenciones
...For a sustainable energy culture
www.ciercuba.com
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
--
Ermal
--
the sun shines for all
--
the sun shines for all
--
the sun shines for all
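The tag / tagged / queue combination that Vlad and István point at in this thread, written out as a pf.conf fragment. This is an added example, not a ruleset posted by any participant. The interface names, the proxy address, the bandwidths and the TOS byte 0xb8 (DSCP EF, 46 << 2) are constructed placeholders. It rests on two assumptions about pf that the thread itself leaves open: that the tag set by a stateful "pass out" rule is stored in the state entry and re-applied to every packet, reply packets included, that matches that state; and that the "pass out on $int_if" rules are only consulted for a reply if the internal interface does not already hold a state matching it, which is why the LAN-side rules use "no state".

```pf
# Added example (not from the thread). Names, addresses, bandwidths and
# the TOS value are constructed placeholders.
ext_if = "em0"
int_if = "em1"
proxy  = "192.0.2.10"     # constructed: the single LAN address all traffic comes from

# Uplink queues live on the external interface, downlink queues on the
# internal one. Each interface needs its own default queue.
altq on $ext_if hfsc bandwidth 10Mb queue { up_hi, up_lo }
  queue up_hi bandwidth 50% hfsc(realtime 30%)
  queue up_lo bandwidth 50% hfsc(default)
altq on $int_if hfsc bandwidth 50Mb queue { down_hi, down_lo }
  queue down_hi bandwidth 50% hfsc(realtime 30%)
  queue down_lo bandwidth 50% hfsc(default)

# LAN side: pass the proxy's traffic statelessly, so that the reply is
# evaluated against the "pass out on $int_if" rules below instead of
# matching a state created here (assumption, see lead-in).
pass in on $int_if inet proto tcp from $proxy no state

# WAN side: classify each connection once, by the TOS byte the proxy set.
# 0xb8 is DSCP EF. "quick" keeps the catch-all rule below from replacing
# the tag, since the last matching rule wins and a later match replaces
# an earlier tag. Tag and queue are recorded in the state entry.
pass out quick on $ext_if inet proto tcp from $proxy tos 0xb8 keep state tag HI queue up_hi
pass out on $ext_if inet proto tcp from $proxy keep state tag LO queue up_lo

# Replies from the internet match the state created above and carry its
# tag (assumption). Choose the downlink queue from that tag when the
# packet leaves on the LAN side; no DSCP value is needed on the reply.
pass out quick on $int_if inet proto tcp to $proxy tagged HI no state queue down_hi
pass out on $int_if inet proto tcp to $proxy tagged LO no state queue down_lo
```

After loading the ruleset with pfctl -f, "pfctl -s queue -v" shows per-queue packet counters; if return traffic for EF-marked connections is landing in down_lo or the default queue rather than down_hi, the first assumption above does not hold on the pf version in use and the tag is not being carried by the state.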