Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-23 Thread Claudio Jeker
On Tue, Oct 23, 2007 at 02:10:43PM +0200, Henning Brauer wrote:
> * Brian <[EMAIL PROTECTED]> [2007-10-22 20:39]:
> > Joshua Smith wrote:
> > > Out of curiosity what are these two extremely rare cases?
> > [snip]
> > 
> > One example off the top of my head (and ipsec.conf(5)) is the enc0
> > interface.  You wouldn't set your state-policy to this, but each
> > individual rule would use if-bound to prevent traffic from going out
> > your egress when an IPsec SA is removed/expires before the state is
> > removed/expires (think isakmpd and the various reasons an SA can disappear).
> 
> that is indeed one case. whether you really want ifbound for ipsec or not 
> depends on the setup, you have to think it through on a case-by-case 
> basis.
> 
> the other case is so bizarre that I forgot the details. basically a 
> case where a packet goes thru the stack 3 times instead of 2 with the 
> normal forwarding. I think you could trigger that with very very very 
> very very strange use of the evil route-to (which should be avoided 
> wherever possible in the first place).
> 

Everything that moves through your stack multiple times needs if-bound
states or no states at all. I use multiple qemus with bridge(4) that show
the same problem and yes, this is a very bizarre setup.

The other case where you may need if-bound states is when doing NAT in a
multipath setup. This is another uncommon setup and you may get away with
non if-bound states.

-- 
:wq Claudio



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-23 Thread Henning Brauer
* Brian <[EMAIL PROTECTED]> [2007-10-22 20:39]:
> Joshua Smith wrote:
> > Out of curiosity what are these two extremely rare cases?
> [snip]
> 
> One example off the top of my head (and ipsec.conf(5)) is the enc0
> interface.  You wouldn't set your state-policy to this, but each
> individual rule would use if-bound to prevent traffic from going out
> your egress when an IPsec SA is removed/expires before the state is
> removed/expires (think isakmpd and the various reasons an SA can disappear).

that is indeed one case. whether you really want ifbound for ipsec or not 
depends on the setup, you have to think it through on a case-by-case 
basis.

the other case is so bizarre that I forgot the details. basically a 
case where a packet goes thru the stack 3 times instead of 2 with the 
normal forwarding. I think you could trigger that with very very very 
very very strange use of the evil route-to (which should be avoided 
wherever possible in the first place).

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-22 Thread Brian
Joshua Smith wrote:
> Out of curiosity what are these two extremely rare cases?
[snip]

One example off the top of my head (and ipsec.conf(5)) is the enc0
interface.  You wouldn't set your state-policy to this, but each
individual rule would use if-bound to prevent traffic from going out
your egress when an IPsec SA is removed/expires before the state is
removed/expires (think isakmpd and the various reasons an SA can disappear).

Of course, if I am wrong and if-bound shouldn't be used in this case,
ipsec.conf(5) should be updated appropriately.

-Brian




Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-21 Thread Lars Hansson
On 10/19/07, Richard Wilson <[EMAIL PROTECTED]> wrote:
> altq on $ext_if cbq bandwidth 9.1Mb queue { adsl_up, sdsl_up }
> altq on $client_if cbq bandwidth 9.1Mb queue { adsl_dn, sdsl_dn }

You probably don't want to use cbq for clients, use hfsc instead.
Unless you enjoy complaints from clients who aren't getting the
bandwidth they expect.

> #ADSL Clients
> pass in on $client_if from $adsl_client1_net to any queue adsl_client1_up
> pass out on $client_if from any to $adsl_client1_net queue adsl_client1_dn
> pass in on $client_if from $adsl_client2_net to any queue adsl_client2_up
> pass out on $client_if from any to $adsl_client2_net queue adsl_client2_dn

Since you keep state (the default) you want to assign on the external
interface too, otherwise connections initiated from the "outside"
won't be assigned the correct queue.

---
Lars Hansson



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-20 Thread Joshua Smith
Out of curiosity what are these two extremely rare cases?

Thanks,
-Josh


On 10/20/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Joshua Smith <[EMAIL PROTECTED]> [2007-10-20 13:05]:
> > Slightly OT, so feel free to move this to a new thread, but exactly
> > what would you use ifbound states to achieve?
>
> there are two extremely rare cases I am aware of, so the general rule
> is: YOU DON'T.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-20 Thread Henning Brauer
* Joshua Smith <[EMAIL PROTECTED]> [2007-10-20 13:05]:
> Slightly OT, so feel free to move this to a new thread, but exactly
> what would you use ifbound states to achieve?

there are two extremely rare cases I am aware of, so the general rule 
is: YOU DON'T.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-20 Thread Joshua Smith
Slightly OT, so feel free to move this to a new thread, but exactly
what would you use ifbound states to achieve?

Thanks,
Josh


On 10/20/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * Joe Gibbens <[EMAIL PROTECTED]> [2007-10-20 02:03]:
> > As Sebastian pointed out, you will need to do some state manipulation to
> > apply your traffic flows to an up and down queue.  You can also do this by
> > setting your state-policy to be if-bound.
>
> it is 'advice' like this that makes me wanna remove ifbound states
> completely.
> they have nothing to do with it.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-20 Thread Henning Brauer
* Joe Gibbens <[EMAIL PROTECTED]> [2007-10-20 02:03]:
> As Sebastian pointed out, you will need to do some state manipulation to
> apply your traffic flows to an up and down queue.  You can also do this by
> setting your state-policy to be if-bound.

it is 'advice' like this that makes me wanna remove ifbound states 
completely.
they have nothing to do with it.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-19 Thread Joe Gibbens
As Sebastian pointed out, you will need to do some state manipulation to
apply your traffic flows to an up and down queue.  You can also do this by
setting your state-policy to be if-bound.

On 10/19/07, Richard Wilson <[EMAIL PROTECTED]> wrote:
>
> n0g0013 wrote:
> > On 19.10-15:15, Richard Wilson wrote:
> > [ ... ]
> >> altq on $ext_if cbq bandwidth 9.1Mb queue { adsl_up, sdsl_up }
> >> altq on $client_if cbq bandwidth 9.1Mb queue { adsl_dn, sdsl_dn }
> >>
> >> queue adsl_up bandwidth 256Kb cbq
> >> queue adsl_dn bandwidth 2Mb cbq
> >
> > is there a reason that these have no child queues defined?  i don't
> > see how the implied child queues can borrow without that.
> >
>
> Yes, because I've copied them down wrong. They should of course be:
>
> queue adsl_up bandwidth 256Kb cbq { adsl_client1_up, adsl_client2_up }
> queue adsl_dn bandwidth 2Mb cbq { adsl_client1_dn, adsl_client2_dn }
>
> etc.
>
> Sorry for the glitch.
>
> --
>
> Richard 'Dave' Wilson
> Systems Administrator
>
> Senokian Solutions Ltd.
> Business Innovation Centre,
> Binley Business Park, Coventry,
> United Kingdom
> CV3 2TX
> T: +44 (0)24 76 233 400
> F: +44 (0)24 76 233 401
>
>


-- 
Joe



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-19 Thread Richard Wilson
n0g0013 wrote:
> On 19.10-15:15, Richard Wilson wrote:
> [ ... ]
>> altq on $ext_if cbq bandwidth 9.1Mb queue { adsl_up, sdsl_up }
>> altq on $client_if cbq bandwidth 9.1Mb queue { adsl_dn, sdsl_dn }
>>
>> queue adsl_up bandwidth 256Kb cbq
>> queue adsl_dn bandwidth 2Mb cbq
> 
> is there a reason that these have no child queues defined?  i don't
> see how the implied child queues can borrow without that.
> 

Yes, because I've copied them down wrong. They should of course be:

queue adsl_up bandwidth 256Kb cbq { adsl_client1_up, adsl_client2_up }
queue adsl_dn bandwidth 2Mb cbq { adsl_client1_dn, adsl_client2_dn }

etc.

Sorry for the glitch.

-- 

Richard 'Dave' Wilson
Systems Administrator

Senokian Solutions Ltd.
Business Innovation Centre,
Binley Business Park, Coventry,
United Kingdom
CV3 2TX
T: +44 (0)24 76 233 400
F: +44 (0)24 76 233 401



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-19 Thread Douglas A. Tutty
On Fri, Oct 19, 2007 at 03:15:03PM +0100, Richard Wilson wrote:
> I appeal to the PF masters for some education on how to do something,
> because if I can't work out how to do it using PF, I'll have to do it
> with iptables. Eep!

[snip the details]

> That's about it really. If I can get it to work, I can persuade the boss
> to let me keep running everything off OpenBSD. If not, I'll have to wrap
> my head round iptables syntax, as apparently the boss 'Used to do it on
> Red Hat and everything worked fine.' Eugh.
> 
 
If in the end, you do have to use iptables (either because you couldn't
get PF to do it the way the boss wants or because the boss ends up
_wanting_ iptables), you may want to look at shorewall.  It builds
iptables firewalls using syntax that is remarkably similar to PF.  I'm
new to OpenBSD but come from Debian and could never get my head around
iptables; I used shorewall in Debian and found that, based on that, the
PF manual made sense and the concepts were similar.

Doug.



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-19 Thread Sebastian Benoit
Richard Wilson([EMAIL PROTECTED]) on 2007.10.19 15:15:03 +:
> What I want to do:
> Provide 2Mb down/256Kb up ADSL-like service, contended at 20 to one.
> Provide 2Mb down/2Mb up SDSL-like service, contended at 10 to one.
> By contention, I mean that to take the ADSL as the example, each client
> should be guaranteed 100Kbps downstream, and 13Kbps upstream, but then
> fights on an equal footing with everyone else in their group for the
> remainder of the 2Mb/256Kb.

As n0g0013 noted, you left out the child queues:

 altq on $ext_if cbq bandwidth 9.1Mb queue { adsl_up }
 altq on $client_if cbq bandwidth 9.1Mb queue { adsl_dn }

 queue adsl_up bandwidth 256Kb cbq(default) { adsl_client1_up, adsl_client2_up }
 queue adsl_dn bandwidth 2Mb cbq(default) { adsl_client1_dn, adsl_client2_dn }

 queue adsl_client1_up bandwidth 13Kb cbq (borrow)
 queue adsl_client1_dn bandwidth 100Kb cbq (borrow)
 queue adsl_client2_up bandwidth 13Kb cbq (borrow)
 queue adsl_client2_dn bandwidth 100Kb cbq (borrow)

 pass out on $ext_if from $adsl_client1 queue adsl_client1_up
 pass out on $client_if to $adsl_client1 queue adsl_client1_dn

Now running the risk of writing crap, but I think that you then run into
this problem:

if you use "keep state" (which is implicit nowadays), the packets coming
back in will be processed according to the queue associated with the state
of that connection. i.e. a connection that was opened by a client will get
the queue adsl_client1_up. This queue does nothing for your download speed,
because it is not working on your $client_if, so you will instead be
assigned the default speed of 2Mb on your download-link.

You can solve this by either not using states _or_ by using only symmetric
speeds, i.e. 

  altq on $ext_if cbq bandwidth 9.1Mb queue { dsl }
  altq on $client_if cbq bandwidth 9.1Mb queue { dsl }

  queue dsl bandwidth 2Mb cbq(default) { client1, client2 }
  queue client1 bandwidth 100Kb cbq (borrow)


/Benno
-- 
Sebastian Benoit <[EMAIL PROTECTED]>
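As an added example (not code from any of the posters), the following Python renders the queue hierarchy Sebastian sketched, with the queues assigned on both interfaces as Lars described, as an HFSC pf.conf fragment for the numbers in the original question. $ext_if, $client_if and the client net macros are the thread's names; the per-interface default queues, the Kb units and the HFSC curves are my assumptions, to be confirmed with pfctl -nf.

```python
# Added example for this thread (not code from any poster): render the
# contended ADSL/SDSL queues from the original question as an HFSC fragment.

LINK_KB = 9100  # the 9.1Mb leased line, in Kb (pf reads Kb as 1000 bit/s)
# service -> (down pool Kb, up pool Kb, contention ratio), from the question
SERVICES = {"adsl": (2000, 256, 20), "sdsl": (2000, 2000, 10)}


def guarantee_kb(pool_kb, contention):
    """Per-client realtime guarantee, floored: pfctl rejects a parent whose
    children add up to more than it (20 * 13Kb = 260Kb > 256Kb)."""
    return pool_kb // contention


def check_pool(pool_kb, leaves):
    """Raise if the leaf guarantees under one parent exceed its bandwidth."""
    total = sum(leaves)
    if total > pool_kb:
        raise ValueError("children need %dKb, parent has %dKb" % (total, pool_kb))
    return total


def render(clients):
    """clients maps service name -> number of client nets. Returns pf.conf."""
    altq, queues, rules = [], [], []
    for direction, iface in (("up", "$ext_if"), ("dn", "$client_if")):
        pools = ", ".join("%s_%s" % (svc, direction) for svc in clients)
        altq.append("altq on %s hfsc bandwidth %dKb queue { %s, default_%s }"
                    % (iface, LINK_KB, pools, direction))
        # a leaf default queue per interface, so unmatched traffic is queued
        queues.append("queue default_%s bandwidth 100Kb hfsc(default)" % direction)
    for svc, n in clients.items():
        down, up, ratio = SERVICES[svc]
        for direction, pool in (("up", up), ("dn", down)):
            g = guarantee_kb(pool, ratio)
            leaves = ["%s_client%d_%s" % (svc, i, direction) for i in range(1, n + 1)]
            check_pool(pool, [g] * n)
            queues.append("queue %s_%s bandwidth %dKb hfsc { %s }"
                          % (svc, direction, pool, ", ".join(leaves)))
            for leaf in leaves:  # guaranteed g, may borrow up to the whole pool
                queues.append("queue %s bandwidth %dKb hfsc(realtime %dKb, upperlimit %dKb)"
                              % (leaf, g, g, pool))
        for i in range(1, n + 1):
            net = "$%s_client%d_net" % (svc, i)
            # a state keeps the queue of the rule that created it (Sebastian's
            # point), so assign on whichever interface the connection arrives on
            rules.append("pass in on $client_if from %s queue %s_client%d_up" % (net, svc, i))
            rules.append("pass in on $ext_if to %s queue %s_client%d_dn" % (net, svc, i))
    return "\n".join(altq + queues + rules) + "\n"


if __name__ == "__main__":
    print(render({"adsl": 2, "sdsl": 2}))
```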



Re: Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-19 Thread n0g0013
On 19.10-15:15, Richard Wilson wrote:
[ ... ]
> altq on $ext_if cbq bandwidth 9.1Mb queue { adsl_up, sdsl_up }
> altq on $client_if cbq bandwidth 9.1Mb queue { adsl_dn, sdsl_dn }
> 
> queue adsl_up bandwidth 256Kb cbq
> queue adsl_dn bandwidth 2Mb cbq

is there a reason that these have no child queues defined?  i don't
see how the implied child queues can borrow without that.

-- 
t
 t
 w



Help! I'm having Linux foisted on me! (PF queuing woes)

2007-10-19 Thread Richard Wilson
I appeal to the PF masters for some education on how to do something,
because if I can't work out how to do it using PF, I'll have to do it
with iptables. Eep!

We are a small hosting company in a managed building, and we present
ADSL/SDSL-like service over ethernet to other companies in the building,
to capitalise on some of the spare capacity on our 10Mb leased line.

What I want to do:
Provide 2Mb down/256Kb up ADSL-like service, contended at 20 to one.
Provide 2Mb down/2Mb up SDSL-like service, contended at 10 to one.
By contention, I mean that to take the ADSL as the example, each client
should be guaranteed 100Kbps downstream, and 13Kbps upstream, but then
fights on an equal footing with everyone else in their group for the
remainder of the 2Mb/256Kb.

I have tried the following sort of configuration, but the clients never
seem to successfully borrow up to the capacity of their contention
block. I am aware that it is incomplete, lacks a default, etc, I'm just
trying to give an idea of what I've done with the DSL bits.

altq on $ext_if cbq bandwidth 9.1Mb queue { adsl_up, sdsl_up }
altq on $client_if cbq bandwidth 9.1Mb queue { adsl_dn, sdsl_dn }

queue adsl_up bandwidth 256Kb cbq
queue adsl_dn bandwidth 2Mb cbq

queue sdsl_up bandwidth 2Mb cbq
queue sdsl_dn bandwidth 2Mb cbq

queue adsl_client1_up bandwidth 13Kb cbq (borrow)
queue adsl_client1_dn bandwidth 100Kb cbq (borrow)
queue adsl_client2_up bandwidth 13Kb cbq (borrow)
queue adsl_client2_dn bandwidth 100Kb cbq (borrow)

queue sdsl_client1_up bandwidth 100Kb cbq (borrow)
queue sdsl_client1_dn bandwidth 100Kb cbq (borrow)
queue sdsl_client2_up bandwidth 100Kb cbq (borrow)
queue sdsl_client2_dn bandwidth 100Kb cbq (borrow)


#ADSL Clients
pass in on $client_if from $adsl_client1_net to any queue adsl_client1_up
pass out on $client_if from any to $adsl_client1_net queue adsl_client1_dn
pass in on $client_if from $adsl_client2_net to any queue adsl_client2_up
pass out on $client_if from any to $adsl_client2_net queue adsl_client2_dn

And so on, I don't need to waste your time with a huge email of slightly
different repeated lines :-)

That's about it really. If I can get it to work, I can persuade the boss
to let me keep running everything off OpenBSD. If not, I'll have to wrap
my head round iptables syntax, as apparently the boss 'Used to do it on
Red Hat and everything worked fine.' Eugh.

-- 

Richard 'Dave' Wilson
Systems Administrator

Senokian Solutions Ltd.
Business Innovation Centre,
Binley Business Park, Coventry,
United Kingdom
CV3 2TX
T: +44 (0)24 76 233 400
F: +44 (0)24 76 233 401