NetOne - Doichin Dokov wrote:
Henning Brauer wrote:
* NetOne - Doichin Dokov <[EMAIL PROTECTED]> [2007-11-07 01:57]:
Hello,

I have an OpenBSD 4.2 box set up to shape clients' traffic. Each client gets limited by these 4 rules:

pass in on $int_if from $client_ip to any queue client_in
pass out on $int_if from any to $client_ip queue client_out
pass in on $ext_if from any to $client_ip queue client_out
pass out on $ext_if from $client_ip to any queue client_in

Everything works fine. I now want to limit max states created by each client in each direction to 300, so I modified the rules to be:

pass in on $int_if from $client_ip to any (max 300) queue client_in

When a packet matches this rule, but there are already 300 states from this rule, the result is a non-match. You need to decide what to do with excess states and put rules in. It could be something like

block from $a to $b
pass  from $a to $b keep state (max 300)

to block 'em.

Yup, I guessed I was wrong with something :) Thank you very much for the
clarification. I'll test and report back later. I guess if it is this
way, though, the documentation needs to be fixed.
That's what the FAQ says here:
http://www.openbsd.org/faq/pf/filter.html#stateopts

max /number/
   Limit the maximum number of state entries the rule can create to
   /number/. If the maximum is reached, packets that would normally
   create state are *dropped* until the number of existing states
   decreases.

Regards,
Doichin

P.S. Henning Brauer: I first submitted this message directly to you instead of misc@, please excuse me for getting this twice.

Because I have no explicit block for traffic on top of the ruleset (because this machine is merely used for routing and shaping only), doing this achieves what I want:
 block on $if from $a to $b flags any
 pass on $if from $a to $b keep state (max 300) queue $queue

Though, I still see some unexpected behavior, e.g. doing this after loading the ruleset:
 echo "set limit states 100000" | pfctl -mf -
seems to again make the traffic not limited (dunno why), but pfctl -F all -f /etc/pf.conf fixed it.
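The complete ruleset the thread converges on, written out as an added example (it is not Doichin's or Henning's configuration): an explicit block in front of each capped pass rule, so that a packet the pass rule refuses to match once its 300 states exist is dropped rather than falling through to pf's implicit default pass. Interface names, bandwidths and the client address are assumed; the queue names are the ones used in the thread.

```pf
# Added example, not from the thread. Interface names, bandwidths and the
# client address are assumptions; queue names follow the original rules.
ext_if    = "em0"
int_if    = "em1"
client_ip = "192.0.2.10"

# A queue is applied when the packet leaves an interface, so the upload
# queue (client_in) lives on $ext_if and the download queue (client_out)
# on $int_if. The pass-in rules only tag the state with the queue name.
altq on $ext_if cbq bandwidth 100Mb queue { std_ext, client_in }
queue std_ext   bandwidth 95Mb cbq(default)
queue client_in bandwidth 512Kb

altq on $int_if cbq bandwidth 100Mb queue { std_int, client_out }
queue std_int    bandwidth 95Mb cbq(default)
queue client_out bandwidth 2Mb

# pf is last-match-wins. The block rules come first: when a capped pass
# rule below has already created 300 states it does not match, the packet
# falls back to the block and is dropped. Without these, excess packets
# would hit the implicit default pass (stateless, unshaped, uncounted).
block on { $int_if, $ext_if } from $client_ip to any
block on { $int_if, $ext_if } from any to $client_ip

# Client-originated traffic: at most 300 states per rule, upload queue.
pass in  on $int_if from $client_ip to any keep state (max 300) queue client_in
pass out on $ext_if from $client_ip to any keep state (max 300) queue client_in

# Traffic towards the client: at most 300 states per rule, download queue.
pass in  on $ext_if from any to $client_ip keep state (max 300) queue client_out
pass out on $int_if from any to $client_ip keep state (max 300) queue client_out
```

Two practical notes. `max` is counted per rule, so a block/pass pair is needed per client (or per direction, as above); a single rule cannot cap several clients independently. And `pfctl -f` loads every section of the file it is given, so a file that contains only `set limit states 100000` replaces the filter rules with an empty set and everything passes unshaped, which matches the "not limited" behaviour reported above; to adjust the global state limit at runtime without touching the rules, restrict the load to the options section with `echo "set limit states 100000" | pfctl -O -m -f -`, and check with `pfctl -s rules` that the rules are still in place afterwards.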
