On Sun, Dec 22, 2002 at 11:24:57PM -0500, Michael Lucas wrote:
> When I add a ToS field to that same rule, it appears that that rule is
> not being processed; instead, it uses the default "pass all" rule and
> queue. My first thought is that the ToS is wrong, but it's taken
> right from Henning Brauer's altq/pf integration message, and I'm
> assuming he's infallible. There's probably some subtlety that I'm
> missing.
yeah, the subtlety you're missing is that I'm not infallible ;-)
the problem we didn't take into account was the fact that the first packets
of an ssh connection which create the state and thus assign the queue have a
tos of zero, and the "right" tos is set later during the connection.
> pass out inet proto tcp from ($ExtIf) to any port 22 keep state tos 0x10 queue ssh
you want to follow /usr/share/pf/queue2 instead:
pass out on $ext_if inet proto tcp from any to any port 22 \
keep state queue(ssh_bulk, ssh_interactive)
> I'm not passing any packets over my SSH rules, but I am passing
> packets over the "pass all" rule. Am I misunderstanding ToS? Is the
> documentation wrong, and does interactive SSH actually use some other
> ToS? Do I obviously need more sleep, because something obvious is
> staring in my face?
the docs have been fixed in the meantime ;-)
--
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
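For illustration, an added pf.conf fragment (not part of the message or of /usr/share/pf/queue2) showing the two-queue setup the reply points to next to the single-queue ToS rule that falls through to the default rule; the interface name, bandwidth and priorities are assumptions:

```pf
# Added example; interface name, bandwidth and priorities are assumptions.
ext_if = "fxp0"

# Three priority queues; std catches everything no rule assigns elsewhere.
altq on $ext_if priq bandwidth 1Mb queue { std, ssh_bulk, ssh_interactive }
queue std             priority 1 priq(default)
queue ssh_bulk        priority 4 priq(red)
queue ssh_interactive priority 7 priq(red)

# The attempted form (queue name adapted): the queue is chosen when the state
# is created, and the first packets of an ssh connection carry tos 0, so this
# rule never creates the state and the connection ends up in the default queue.
#pass out on $ext_if inet proto tcp from any to any port 22 \
#    keep state tos 0x10 queue ssh_interactive

# The working form: the state is created with the first queue, and pf moves
# packets with a low-delay tos (and empty TCP ACKs) to the second queue as
# they pass, so interactive ssh traffic lands in ssh_interactive.
pass out on $ext_if inet proto tcp from any to any port 22 \
    keep state queue(ssh_bulk, ssh_interactive)
```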