Hi, This seems counterintuitive, but there's probably a perfectly good reason. i386 -current updated on 12/14.
The rules below process everything as I would expect, with the last matching packet filtering rule being hit and passing the appropriate packets. When I add a ToS field to that same rule, it appears that that rule is not being processed; instead, it uses the default "pass all" rule and queue. My first thought is that the ToS is wrong, but it's taken right from Henning Brauer's altq/pf integration message, and I'm assuming he's infallible. There's probably some subtlety that I'm missing. Details follow.

This is my pf.conf file. I have stripped out all sorts of other rules to try to sort out why I'm seeing this behavior, so that's why some of the queues don't quite add up and why the rules are so sparse.

----
# grep -v '#' pf.conf
scrub in all
ExtIf="fxp1"
IntIf="fxp0"
IntNet="192.168.1.0/24"
altq on fxp1 cbq bandwidth 100Mb queue {local, t1}
queue t1 bandwidth 1544Kb {ssh, http-in, http-out, mail, dns, ftp, misc}
queue local bandwidth 98456Kb cbq(default)
queue ssh bandwidth 5% cbq(borrow)
queue misc bandwidth 1% cbq(borrow)
nat on $ExtIf inet from $IntNet to any -> ($ExtIf)
pass out inet from any to any keep state queue misc
pass out inet proto tcp from ($ExtIf) to any port 22 keep state queue ssh
----

If I zero out my pf counters and make a single SSH connection out, the statistics go up as I would expect:

(everything is at zero)
openbsdtest/etc;pfctl -vs rules
scrub in all fragment reassemble
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out inet all keep state queue misc
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out inet proto tcp from (fxp1) to any port = ssh keep state queue ssh
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]

(run a single SSH session, note that the SSH rule goes up.)
openbsdtest/etc;pfctl -vs rules
scrub in all fragment reassemble
  [ Evaluations: 9 Packets: 0 Bytes: 0 States: 0 ]
pass out inet all keep state queue misc
  [ Evaluations: 9 Packets: 43 Bytes: 8503 States: 5 ]
pass out inet proto tcp from (fxp1) to any port = ssh keep state queue ssh
  [ Evaluations: 6 Packets: 38 Bytes: 7903 States: 1 ]
openbsdtest/etc;

So, above, the SSH rule is hit and is used. Now I go to the SSH rule, and I add the ToS field like so:

pass out inet proto tcp from ($ExtIf) to any port 22 keep state tos 0x10 queue ssh

Per various documentation I've read, this is the ToS for an interactive SSH session. The rest of the rules remain unchanged. Reload the rules, flush the counters, check the counters, fire up SSH, and check the counters again.

openbsdtest/etc;pfctl -f pf.conf
openbsdtest/etc;pfctl -z
pf: rule counters cleared
openbsdtest/etc;pfctl -vs rules
scrub in all fragment reassemble
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out inet all keep state queue misc
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out inet proto tcp from (fxp1) to any port = ssh tos 0x10 keep state queue ssh
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]

(((outside SSH session here)))

openbsdtest/etc;pfctl -vs rules
scrub in all fragment reassemble
  [ Evaluations: 9 Packets: 0 Bytes: 0 States: 0 ]
pass out inet all keep state queue misc
  [ Evaluations: 9 Packets: 81 Bytes: 16406 States: 6 ]
pass out inet proto tcp from (fxp1) to any port = ssh tos 0x10 keep state queue ssh
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
openbsdtest/etc;

I'm not passing any packets over my SSH rule, but I am passing packets over the "pass all" rule. Am I misunderstanding ToS? Is the documentation wrong, and does interactive SSH actually use some other ToS? Do I obviously need more sleep, because something obvious is staring me in the face?
==ml

--
Michael Lucas
[EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
Absolute BSD: http://www.AbsoluteBSD.com/
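The before/after counter comparison the post does by hand, as an added example that is not part of the original message: it parses two `pfctl -vs rules` snapshots (constructed here from the post's second test) and reports the pass rules that were evaluated during the test but never passed a packet, which is exactly how the unmatched `tos 0x10` rule shows up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two `pfctl -vs rules` snapshots in the format shown in
# the post (rule line followed by its counter line). Values are the post's own.
BEFORE = """\
scrub in all fragment reassemble
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out inet all keep state queue misc
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass out inet proto tcp from (fxp1) to any port = ssh tos 0x10 keep state queue ssh
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""
AFTER = """\
scrub in all fragment reassemble
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
pass out inet all keep state queue misc
  [ Evaluations: 9         Packets: 81        Bytes: 16406       States: 6     ]
pass out inet proto tcp from (fxp1) to any port = ssh tos 0x10 keep state queue ssh
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
"""

COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

def parse_rules(text: str) -> List[Tuple[str, Dict[str, int]]]:
    """Pair each rule line with the counters printed on the line after it."""
    rules: List[Tuple[str, Dict[str, int]]] = []
    pending = None
    for line in text.splitlines():
        m = COUNTER_RE.search(line)
        if m and pending is not None:
            ev, pk, by, st = (int(x) for x in m.groups())
            rules.append((pending, {"evaluations": ev, "packets": pk, "bytes": by, "states": st}))
            pending = None
        elif line.strip():
            pending = line.strip()
    return rules

def unmatched_rules(before: str, after: str) -> List[str]:
    """Pass rules evaluated during the test window whose packet counter did not move.
    The scrub rule always shows 0 packets, so only 'pass' rules are reported."""
    base = dict(parse_rules(before))
    hits = []
    for rule, c in parse_rules(after):
        d_eval = c["evaluations"] - base.get(rule, {}).get("evaluations", 0)
        d_pkts = c["packets"] - base.get(rule, {}).get("packets", 0)
        if rule.startswith("pass") and d_eval > 0 and d_pkts == 0:
            hits.append(rule)
    return hits
```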