On 10/26/15 8:12 AM, Giancarlo Razzolini wrote:
Are you aware that you'll need to have a queue on the internal interface and another on the egress one right? Queuing incoming packets is very tricky and not always have the desired effect. I suggest you start with prio and see where it leads you: http://quigon.bsws.de/papers/2012/eurobsdcon/mgp00010.html
I shouldn't need a queue on the egress to control bandwidth _to_ internal network hosts.
I've tried the prio route, but it didn't help, probably because of the same trouble with rules matching content.
I suggest you move your match rules to the beginning of the ruleset and use log on them. So you can watch your pflog interface and see the packets being triggered. Also, you can (should) always use tags. Not only they make your ruleset "debugable", but any stray packet should hit a block rule (possibly logging it). I suspect your first three rules aren't matching because you're using the external interface. Try using the internal on them.
0 Match Any gem0 0 0 0 inet from any to 192.168.1.64/32 1 Match Any gem0 0 0 0 inet from any to 192.168.1.57/32 2 Match Any gem0 0 0 0 inet from any to 192.168.1.62/32 3 Match Any gem0 106 32402 0 inet from 192.168.1.64/32 to any 4 Match Any gem0 0 0 0 inet from 192.168.1.57/32 to any 5 Match Any gem0 426 103006 0 inet from 192.168.1.62/32 to any
This is "systat rules" output after putting the host "match" rules first in pf.conf. The test is a page load from 192.168.1.62. The outgoing packets from 192.168.1.62 show non-zero counts. Counts to 192.168.1.62 are zero and that has to be false because the page load succeeded. Further, "iftop" can tally the traffic and "tcpdump" will show it. So why doesn't PF note it?
-Michael
