Hi,

I already wrote that I wanted to do dynamic shaping.

Here is my test rule output from pftop; the system is 4.9:

RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass In Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
1 Pass In Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
2 Pass Out Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
3 Pass Out Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
4 Pass In Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
5 Pass Out Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
6 Pass Out Q K 0 0 0 from <admin> to any flags S/SA
7 Pass Out Q K 0 0 0 inet from 192.168.3.0/24 to any flags S/SA
8 Pass In Q K 3 234 3 from <admin> to any flags S/SA
9 Pass In Q K 93 11132 49 inet from 192.168.3.0/24 to any flags S/SA
10 Pass In Q ext_if udp K 0 0 0 inet from 10.5.16.255/32 port = 698 to any
11 Pass In K 3114 287664 35 all flags S/SA
12 Pass Out K 2790 234360 9 all flags S/SA
13 Pass Out em0 K 135 39103 21 from <second> to any flags S/SA queue second

Now, while downloading, if I add an address to <second>
with pfctl, it won't shape it until I stop the download and
restart it. After adding the address to the table, I clear
the state for this address:

pfctl -t second -T add 10.254.200.2
pfctl -k 10.254.200.2
I even tried
pfctl -F all -f /etc/pf.conf
without result; it will stay on default.

Once I stop and restart my download, it will pass
through second, but that's not what I need; I want to
shape automatically those who take too much
bandwidth.

When I restart my download and it passes through second,
if I delete the address from the table and clear the state
again, it will change to the default queue.

pfctl -t second -T del 10.254.200.2
pfctl -k 10.254.200.2

But if I try to shape 10.254.200.2 again by adding it to
the second table, I must restart my download again.

Is this normal behaviour?

On 2011-09-07 17:25, Michel Blais wrote:
Hi all,

thanks for your help and tips.

I have done some testing when I had some free time.

I finally got it working by creating the queue on my internal
if (now em1 instead of re1)

altq on $int_if hfsc bandwidth 97Mb qlimit 500 queue { main, second }
queue main on $int_if bandwidth 1Mb qlimit 250 priority 4 hfsc(upperlimit 97Mb default)
queue second on $int_if bandwidth 1Mb qlimit 250 priority 0 hfsc(upperlimit 1Mb)

and using the following rules

pass out on $ext_if from $my_ip queue depri

Two things I don't understand:

1 - pass out on external if = traffic going out on WAN
this should be upload then
download should be pass in on external if or
out on internal if, right ?
Why must I use a rule on upload to shape download ?

Also, in the bob example of the queueing FAQ:
http://openbsd.org/faq/pf/queueing.html

the queue is on the external if (just like mine) but the rule

pass  out on dc0 to $bob queue bob_in

is also out on the internal if.

Why must I put my out rules on the external if?
Is the FAQ wrong?

2 - I can't use match to transfer traffic to a queue?

If I use
match out on $ext_if from $my_ip queue depri
instead of
pass out on $ext_if from $my_ip queue depri
then it doesn't work anymore.

From what I understand of match rules, they should always
be applied like a quick rule without altering pass or block rules.
Am I wrong? That would be perfect for my queue rules
because the queue will change dynamically. I know I could do
my shaping rules without match but I would have more
exceptions to take care of.

Also, I can see in a mail from william.dun...@gmail.com,
subject: Re: match queue ignored

After further experimentation, I found out the following:

"match queue" overrides:
 - a previous "match queue" assignment
 - the default queue

Was it added in 5.0?

I'm using 4.9.
My rule set that works fine, from the pftop output
after a speed test:

RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass In Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
1 Pass In Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
2 Pass Out Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
3 Pass Out Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
4 Pass In Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
5 Pass Out Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
6 Pass Out Q K 0 0 0 from <admin> to any flags S/SA
7 Pass Out Q K 0 0 0 inet from 192.168.3.0/24 to any flags S/SA
8 Pass In Q K 3 571 2 from <admin> to any flags S/SA
9 Pass In Q K 6 354 6 inet from 192.168.3.0/24 to any flags S/SA
10 Pass In ext_if K 0 0 0 all flags S/SA
11 Pass Out ext_if K 0 0 0 all flags S/SA
12 Pass In int_if K 0 0 0 all flags S/SA
13 Pass Out int_if K 0 0 0 all flags S/SA
14 Pass Out em0 K 7070 6572775 24 inet from 10.254.200.2/32 to any flags S/SA queue depri

pftop -v rules output after another speed test:
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Pass In Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
1 Pass In Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
2 Pass Out Q lo0 K 0 0 0 inet6 from any to ::1/128 flags S/SA
3 Pass Out Q lo0 K 0 0 0 inet6 from any to fe80::1/128 flags S/SA
4 Pass In Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
5 Pass Out Q lo0 K 0 0 0 inet from any to 127.0.0.1/32 flags S/SA
6 Pass Out Q K 20 1120 0 from <admin> to any flags S/SA
7 Pass Out Q K 0 0 0 inet from 192.168.3.0/24 to any flags S/SA
8 Pass In Q K 1 78 1 from <admin> to any flags S/SA
9 Pass In Q K 4 384 3 inet from 192.168.3.0/24 to any flags S/SA
10 Pass In ext_if K 0 0 0 all flags S/SA
11 Pass Out ext_if K 0 0 0 all flags S/SA
12 Pass In int_if K 0 0 0 all flags S/SA
13 Pass Out int_if K 0 0 0 all flags S/SA
14 Match Out em0 0 0 0 inet from 10.254.200.2/32 to any queue depri

Thanks

Michel


--
Michel Blais
Administrateur réseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773
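As an added example (not from Michel's mails or from the OpenBSD project), here is a small POSIX shell script for the "shape automatically those who take too much bandwidth" part of the question: it sums the per-state byte counters from a pfctl -ss -vv dump for hosts in an internal prefix and emits the pfctl commands the thread already uses (add to <second>, kill the states). The state-dump line layout, the 50 MB threshold and the sample addresses are constructed assumptions, and the extra -k 0.0.0.0/0 -k host form for states in the other direction is an assumption to check against pfctl(8).

```shell
#!/bin/sh
# Added example, not from the thread. Finds internal hosts whose pf states have
# moved more than a byte threshold and prints the pfctl commands to move them
# into the <second> table and kill their states. Runs offline on a constructed
# "pfctl -ss -vv" dump; the line layout below is an assumption about that output.

# Constructed sample: two TCP states, one heavy downloader (10.254.200.2).
SAMPLE_STATES='all tcp 10.254.200.2:51234 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED
   age 00:02:10, expires in 23:58:00, 1200:48000 pkts, 64000:71500000 bytes, rule 13
all tcp 10.254.200.5:40000 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
   age 00:00:20, expires in 23:59:40, 30:40 pkts, 2000:9000 bytes, rule 11'

# heavy_hosts DUMP THRESHOLD PREFIX: sum in:out bytes of every state whose
# source address starts with PREFIX, print the addresses over THRESHOLD.
heavy_hosts() {
    printf '%s\n' "$1" | awk -v limit="$2" -v pfx="$3" '
        # state header line: remember the source host (strip the port)
        $1 == "all" && index($3, pfx) == 1 { split($3, a, ":"); host = a[1]; next }
        # counter line: the field before "bytes," is "in:out"
        host != "" && /bytes/ {
            for (i = 1; i <= NF; i++)
                if ($(i + 1) == "bytes,") { split($i, b, ":"); total[host] += b[1] + b[2] }
            host = ""
        }
        END { for (h in total) if (total[h] > limit) print h }
    ' | sort
}

# shape_commands DUMP THRESHOLD PREFIX: the pfctl commands for each heavy host.
shape_commands() {
    heavy_hosts "$1" "$2" "$3" | while read -r h; do
        printf 'pfctl -t second -T add %s\n' "$h"
        printf 'pfctl -k %s\n' "$h"                 # states originating from the host
        printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$h"    # states towards the host (assumed form)
    done
}

shape_commands "$SAMPLE_STATES" 50000000 "10.254.200."
```

Run it from cron on the firewall and pipe its output to sh; note that after a pfctl -F all the table is empty again, so the hosts have to be re-added.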
