Re: PF/ALTQ problem : using max states limits breaks queueing

2007-11-07 Thread NetOne - Doichin Dokov

NetOne - Doichin Dokov wrote:

> Henning Brauer wrote:
>
>> * NetOne - Doichin Dokov <[EMAIL PROTECTED]> [2007-11-07 01:57]:
>>
>>> Hello,
>>>
>>> I have an OpenBSD 4.2 box set up to shape clients' traffic. Each
>>> client gets limited by these 4 rules:
>>>
>>> pass in on $int_if from $client_ip to any queue client_in
>>> pass out on $int_if from any to $client_ip queue client_out
>>> pass in on $ext_if from any to $client_ip queue client_out
>>> pass out on $ext_if from $client_ip to any queue client_in
>>>
>>> Everything works fine. I now want to limit max states created by
>>> each client in each direction to 300, so I modified the rules to be:
>>>
>>> pass in on $int_if from $client_ip to any (max 300) queue client_in
>>
>> when a packet matches this rule, but there are already 300 states
>> from this rule, the result is a non-match. you need to decide what to
>> do with excess states and put rules in. it could be sth like
>>
>> block from $a to $b
>> pass  from $a to $b keep state (max 300)
>>
>> to block 'em.
>
> Yup, I guessed I was wrong with something :) Thank you very much for the
> clarification. I'll test and report back later. I guess if it is this
> way, though, the documentation needs to be fixed.
> That's what the FAQ says here:
> http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> max /number/
>    Limit the maximum number of state entries the rule can create to
>    /number/. If the maximum is reached, packets that would normally
>    create state are *dropped* until the number of existing states
>    decreases.
>
> Regards,
> Doichin
>
> P.S. Henning Brauer: I first submitted this message directly to you
> instead of misc@, please excuse me for getting this twice.

Because I have no explicit block for traffic on top of the ruleset
(because this machine is merely used for routing & shaping only), doing
this achieves what I want:

 block on $if from $a to $b flags any
 pass on $if from $a to $b keep state (max 300) queue $queue

Though, I still see some unexpected behavior, e.g. doing this after
loading the ruleset:

 echo "set limit states 10" | pfctl -mf -

seems to again make the traffic not limited (dunno why), but pfctl -F
all -f /etc/pf.conf fixed it.
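The behaviour Henning describes is easy to see in a small model: a pass rule whose 'max' is reached is simply a non-match, pf's last-matching-rule-wins decides which earlier rule (if any) takes the packet instead, and when nothing matches pf's implicit default is to pass. The following is an added example, not code from this thread or from pf itself; it is a toy evaluator with the simplifications noted in its comments (no 'quick', no interface or direction, one state per connection 4-tuple; the addresses, queue name and rule shapes are constructed). It runs the ruleset shape as originally posted, a lone "pass ... keep state (max N) queue client_in", against N+2 new connections, then Henning's block-then-pass shape, and counts where the excess connections end up.

```python
"""Toy model of pf rule evaluation (added illustration, not pf code).

Modelled behaviours, as stated in the thread:
  * rules are evaluated top to bottom, the LAST matching rule wins
    (the 'quick' modifier is deliberately left out of the model);
  * a 'keep state (max N)' rule with all N states in use does not match;
  * if no rule matches, pf's implicit default action is pass;
  * the queue a packet goes to is the one on the rule that finally won.
Simplifications: no interfaces, no direction, one state per 4-tuple.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Conn = Tuple[str, str, int, int]          # (src, dst, sport, dport)


@dataclass
class Rule:
    action: str                            # "pass" or "block"
    src: str = "any"
    dst: str = "any"
    keep_state: bool = False
    max_states: Optional[int] = None       # the 'max N' state option
    queue: Optional[str] = None            # ALTQ queue assigned by this rule
    states: Set[Conn] = field(default_factory=set)   # live states owned by this rule

    def matches(self, conn: Conn) -> bool:
        return self.src in ("any", conn[0]) and self.dst in ("any", conn[1])

    def full(self) -> bool:
        return (self.keep_state and self.max_states is not None
                and len(self.states) >= self.max_states)


@dataclass(frozen=True)
class Verdict:
    action: str              # "pass" or "block"
    rule: Optional[int]      # index of the winning rule; None = implicit default pass
    queue: Optional[str]     # queue the packet was assigned to, if any
    stateful: bool           # whether a state entry was created


def evaluate(rules: List[Rule], conn: Conn) -> Verdict:
    """Evaluate the first packet of `conn` against `rules` (last match wins)."""
    winner = None
    for i, r in enumerate(rules):
        if not r.matches(conn):
            continue
        if r.full():
            continue          # max reached: the rule is a non-match, as Henning says
        winner = i
    if winner is None:
        return Verdict("pass", None, None, False)   # nothing matched: default pass
    r = rules[winner]
    if r.action == "block":
        return Verdict("block", winner, None, False)
    if r.keep_state:
        r.states.add(conn)
    return Verdict("pass", winner, r.queue, r.keep_state)


def close_connection(rules: List[Rule], conn: Conn) -> None:
    """Model a state expiring: free its slot in whichever rule owns it."""
    for r in rules:
        r.states.discard(conn)


def open_connections(rules: List[Rule], n: int,
                     src: str = "192.0.2.10", dst: str = "198.51.100.1") -> List[Verdict]:
    """Open n new connections from src to dst on distinct source ports."""
    return [evaluate(rules, (src, dst, 40000 + i, 80)) for i in range(n)]


def summarize(verdicts: List[Verdict]) -> dict:
    """Count connections that were queued, passed without a queue, or blocked."""
    return {
        "queued":  sum(v.queue == "client_in" for v in verdicts),
        "leaked":  sum(v.action == "pass" and v.queue is None for v in verdicts),
        "blocked": sum(v.action == "block" for v in verdicts),
    }


def ruleset_as_posted(limit: int) -> List[Rule]:
    # 'pass ... keep state (max N) queue client_in' with nothing to catch the overflow
    return [Rule("pass", src="192.0.2.10", keep_state=True, max_states=limit, queue="client_in")]


def ruleset_with_block(limit: int) -> List[Rule]:
    # Henning's shape: an earlier 'block' takes what the full pass rule no longer matches
    return [Rule("block", src="192.0.2.10"),
            Rule("pass", src="192.0.2.10", keep_state=True, max_states=limit, queue="client_in")]


if __name__ == "__main__":
    for name, rs in (("as posted", ruleset_as_posted(3)), ("with block", ruleset_with_block(3))):
        print(name, summarize(open_connections(rs, 5)))
```

With the ruleset as posted, the connections beyond the limit are neither blocked nor queued: they fall through to the default pass, stateless and unshaped, which is exactly "using max states limits breaks queueing". With the block rule in front, the same connections are blocked, and a slot freed by an expiring state is reused by the next new connection.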








Re: PF/ALTQ problem : using max states limits breaks queueing

2007-11-07 Thread Henning Brauer
* NetOne - Doichin Dokov <[EMAIL PROTECTED]> [2007-11-07 01:57]:
> Hello,
>
> I have an OpenBSD 4.2 box set up to shape clients' traffic. Each client gets 
> limited by these 4 rules:
>
> pass in on $int_if from $client_ip to any queue client_in
> pass out on $int_if from any to $client_ip queue client_out
> pass in on $ext_if from any to $client_ip queue client_out
> pass out on $ext_if from $client_ip to any queue client_in
>
> Everything works fine. I now want to limit max states created by each 
> client in each direction to 300, so I modified the rules to be:
>
> pass in on $int_if from $client_ip to any (max 300) queue client_in

when a packet matches this rule, but there are already 300 states from 
this rule, the result is a non-match. you need to decide what to do 
with excess states and put rules in. it could be sth like

block from $a to $b
pass  from $a to $b keep state (max 300)

to block 'em.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



pf+altq problem

2006-10-11 Thread Reza Muhammad
Dear list,

My pf.conf is not working.
I have pf on a bridge machine with xl2 to the internet firewall and xl1
to the internal switch. Bridging is ok.

This is my simple pf.conf:

me="172.16.0.228"
altq on xl1 bandwidth 100% cbq queue {me,dflt}

queue me    bandwidth 8Kb
queue dflt  bandwidth 16Kb cbq  (default)


block log on {xl1,xl2} all

pass out log on xl1 from $me to any  keep state
pass log on xl2 from $me to any keep state queue (me)


This rule matches when I try to connect to an iperf server:

# tcpdump -nett -i pflog0 | grep 172.16.0.228
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
1160655756.150048 rule 3/(match) pass in on xl2: 172.16.0.228.44405 > 128.6.231.102.5001: [|tcp] (DF)
1160655756.150059 rule 2/(match) pass out on xl1: 172.16.0.228.44405 > 128.6.231.102.5001: [|tcp] (DF)

But iperf tells me that this connection is 24.4 Kbits/sec (more than
8 Kbps).

[EMAIL PROTECTED] beastie]# iperf -c lss.rutgers.edu

Client connecting to lss.rutgers.edu, TCP port 5001
TCP window size: 16.0 KByte (default)

[  3] local 172.16.0.228 port 44408 connected with 128.6.231.102 port 5001
[  3]  0.0-16.1 sec  48.0 KBytes  24.4 Kbits/sec


I'm expecting iperf to report it equal to the bandwidth I assigned to
the (me) queue. Is there anything wrong, or did I miss something here?
Please help me.

regards
Reza
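ALTQ queues are attached to one interface and shape packets leaving that interface, so a "queue" assignment on a filter rule only has an effect for packets that exit through an interface on which that queue is defined. A static check I would run on a configuration like the one above, added here and not part of the thread, parses the "altq on ... queue {...}" lines and each filter rule's "on <interface>" and "queue" assignment, and reports rules whose queue is not defined on any of the rule's interfaces. Both configuration strings are constructed for the example: the first reproduces the posted pf.conf (with the queue-definition line rejoined), the second is an assumed variant with a separate queue set per interface; queue names and bandwidths in it are illustrative. This is a placement check, not a diagnosis of the post's throughput figure; whether shaping does what you expect still has to be confirmed on the box, e.g. by watching the per-queue counters in pfctl -s queue -v while traffic flows.

```python
"""Static check: does every rule's queue exist on that rule's interface?
Added illustration; parses a subset of the old ALTQ pf.conf syntax."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed copy of the posted configuration (queue-definition line rejoined).
POSTED_PF_CONF = """\
me="172.16.0.228"
altq on xl1 bandwidth 100% cbq queue {me,dflt}

queue me    bandwidth 8Kb
queue dflt  bandwidth 16Kb cbq (default)

block log on {xl1,xl2} all

pass out log on xl1 from $me to any  keep state
pass log on xl2 from $me to any keep state queue (me)
"""

# Constructed variant: each interface gets its own ALTQ root and queue set, and
# each rule assigns a queue that lives on the rule's own interface (names assumed).
PER_INTERFACE_PF_CONF = """\
me="172.16.0.228"
altq on xl1 cbq bandwidth 100% queue { me_xl1, dflt_xl1 }
altq on xl2 cbq bandwidth 100% queue { me_xl2, dflt_xl2 }

queue me_xl1   bandwidth 8Kb
queue dflt_xl1 bandwidth 16Kb cbq(default)
queue me_xl2   bandwidth 8Kb
queue dflt_xl2 bandwidth 16Kb cbq(default)

block log on {xl1,xl2} all

pass out log on xl1 from $me to any keep state queue me_xl1
pass log on xl2 from $me to any keep state queue me_xl2
"""

ALTQ_RE = re.compile(r"^\s*altq\s+on\s+(\S+)\b.*\bqueue\s*\{([^}]*)\}")
RULE_RE = re.compile(r"^\s*(?:pass|block|match)\b")
ON_RE = re.compile(r"\bon\s+(?:\{([^}]*)\}|(\S+))")          # on xl2 | on {xl1,xl2}
QUEUE_RE = re.compile(r"\bqueue\s*(?:\(([^)]*)\)|([\w-]+))")   # queue (me) | queue me


def _names(braced: Optional[str], single: Optional[str]) -> Set[str]:
    """Split 'a, b' (from a brace/paren list) or a single name into a set."""
    raw = braced if braced is not None else single
    return {n.strip() for n in raw.split(",") if n.strip()}


def queue_interfaces(conf: str) -> Dict[str, Set[str]]:
    """Map queue name -> interfaces whose 'altq on' line lists that queue."""
    defs: Dict[str, Set[str]] = {}
    for line in conf.splitlines():
        m = ALTQ_RE.match(line)
        if m:
            for q in _names(m.group(2), None):
                defs.setdefault(q, set()).add(m.group(1))
    return defs


Finding = Tuple[int, frozenset, str, frozenset]   # (line, rule ifaces, queue, ifaces defining it)


def check_queue_placement(conf: str) -> List[Finding]:
    """One finding per filter rule that assigns a queue not defined on any of
    the interfaces the rule is bound to (including queues defined nowhere)."""
    defs = queue_interfaces(conf)
    findings: List[Finding] = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        if not RULE_RE.match(line):
            continue                       # only pass/block/match rules assign queues
        mq = QUEUE_RE.search(line)
        if not mq:
            continue                       # rule assigns no queue: nothing to check
        mi = ON_RE.search(line)
        if not mi:
            continue                       # not bound to an interface: cannot check statically
        rule_ifaces = _names(mi.group(1), mi.group(2))
        for q in sorted(_names(mq.group(1), mq.group(2))):
            defined_on = defs.get(q, set())
            if not rule_ifaces & defined_on:
                findings.append((lineno, frozenset(rule_ifaces), q, frozenset(defined_on)))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_PF_CONF), ("per-interface", PER_INTERFACE_PF_CONF)):
        for lineno, ifaces, q, defined_on in check_queue_placement(conf):
            print(f"{label}: line {lineno}: rule on {sorted(ifaces)} assigns queue '{q}', "
                  f"which is defined only on {sorted(defined_on) or 'no interface'}")
```

On the posted configuration the check flags the rule on xl2 that assigns queue "me", because "me" is only defined by the altq line on xl1; the per-interface variant produces no findings. The check deliberately ignores everything except interface binding and queue names, so macros, directions and state options pass straight through it.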