Hello,
I'm setting up some queue discipline on one firewall, and I'm facing a
strange problem: the rules aren't assigning the packets to the correct
queue. As you can see below, they are going to inexistent qids, and
are ending in default queues.
I use this setup with assymetrical links, and it has been OK since
OpenBSD 3.9. As I'm setting up queues in OpenBSD 4.5 for the first
time, I found out it was working as it used to.
fmbraga:14$ sudo pfctl -g -sq
queue root_rl0 on rl0 bandwidth 100Mb priority 0 {speedy-up}
[ qid=1 ifname=rl0 ifbandwidth=100Mb ]
queue speedy-up on rl0 bandwidth 300Kb hfsc( red ecn realtime 300Kb
upperlimit 300Kb ) {Q-pri, Q-icmp, Q-voip, Q-biz, Q-ts, Q-http,
Q-mail, Q-def}
[ qid=16 ifname=rl0 ifbandwidth=100Mb ]
queue Q-pri on rl0 bandwidth 54Kb priority 7 hfsc( realtime 13Kb )
[ qid=5 ifname=rl0 ifbandwidth=100Mb ]
queue Q-icmp on rl0 bandwidth 13Kb priority 7 hfsc( realtime 13Kb )
[ qid=6 ifname=rl0 ifbandwidth=100Mb ]
queue Q-voip on rl0 bandwidth 54Kb priority 6 hfsc( realtime 54Kb )
[ qid=7 ifname=rl0 ifbandwidth=100Mb ]
queue Q-biz on rl0 bandwidth 54Kb priority 6 hfsc( realtime 13Kb )
[ qid=8 ifname=rl0 ifbandwidth=100Mb ]
queue Q-ts on rl0 bandwidth 27Kb priority 5 hfsc( realtime 13Kb )
[ qid=9 ifname=rl0 ifbandwidth=100Mb ]
queue Q-http on rl0 bandwidth 54Kb priority 4 hfsc( realtime 13Kb )
[ qid=10 ifname=rl0 ifbandwidth=100Mb ]
queue Q-mail on rl0 bandwidth 27Kb priority 4 hfsc( realtime 13Kb )
[ qid=11 ifname=rl0 ifbandwidth=100Mb ]
queue Q-def on rl0 bandwidth 13Kb priority 0 hfsc( default )
[ qid=12 ifname=rl0 ifbandwidth=100Mb ]
queue root_sis0 on sis0 bandwidth 100Mb priority 0 {local, speedy-dn}
[ qid=2 ifname=sis0 ifbandwidth=100Mb ]
queue local on sis0 bandwidth 90Mb
[ qid=3 ifname=sis0 ifbandwidth=100Mb ]
queue speedy-dn on sis0 bandwidth 1.20Mb hfsc( red ecn realtime
1.20Mb upperlimit 1.20Mb ) {Q-pri, Q-icmp, Q-voip, Q-biz, Q-ts,
Q-http, Q-mail, Q-def}
[ qid=15 ifname=sis0 ifbandwidth=100Mb ]
queue Q-pri on sis0 bandwidth 54Kb priority 7 hfsc( realtime 13Kb )
[ qid=5 ifname=sis0 ifbandwidth=100Mb ]
queue Q-icmp on sis0 bandwidth 13Kb priority 7 hfsc( realtime 13Kb )
[ qid=6 ifname=sis0 ifbandwidth=100Mb ]
queue Q-voip on sis0 bandwidth 54Kb priority 6 hfsc( realtime 54Kb )
[ qid=7 ifname=sis0 ifbandwidth=100Mb ]
queue Q-biz on sis0 bandwidth 54Kb priority 6 hfsc( realtime 13Kb )
[ qid=8 ifname=sis0 ifbandwidth=100Mb ]
queue Q-ts on sis0 bandwidth 27Kb priority 5 hfsc( realtime 13Kb )
[ qid=9 ifname=sis0 ifbandwidth=100Mb ]
queue Q-http on sis0 bandwidth 54Kb priority 4 hfsc( realtime 13Kb )
[ qid=10 ifname=sis0 ifbandwidth=100Mb ]
queue Q-mail on sis0 bandwidth 27Kb priority 4 hfsc( realtime 13Kb )
[ qid=11 ifname=sis0 ifbandwidth=100Mb ]
queue Q-def on sis0 bandwidth 13Kb priority 0 hfsc( default )
[ qid=12 ifname=sis0 ifbandwidth=100Mb ]
fmbraga:15$
fmbraga:16$ sudo pfctl -g -sr
@0 scrub in all fragment reassemble
[ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@0 block drop log all
[ Skip steps: p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@1 block drop in quick on ! lo inet from 127.0.0.0/8 to any
[ Skip steps: d=8 f=8 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@2 block drop in quick on ! sis0 inet from 172.16.8.0/24 to any
[ Skip steps: i=7 d=8 f=8 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@3 block drop in quick on ! sis0 inet from 172.16.6.0/24 to any
[ Skip steps: i=7 d=8 f=8 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@4 block drop in quick on ! sis0 inet from 172.16.12.0/24 to any
[ Skip steps: i=7 d=8 f=8 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@5 block drop in quick on ! sis0 inet from 172.16.14.0/24 to any
[ Skip steps: i=7 d=8 f=8 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@6 block drop in quick on ! sis0 inet from 172.16.15.0/24 to any
[ Skip steps: d=8 f=8 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@7 block drop in quick inet from <__automatic_b3f9a813_0:6> to any
[ Skip steps: i=11 p=9 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@8 pass out all flags S/SA keep state
[ Skip steps: i=11 d=12 f=11 sa=11 sp=end da=11 dp=10 ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@9 pass out proto tcp all user = 515 flags S/SA keep state queue(q-http, q-pri)
[ Skip steps: i=11 d=12 f=11 p=11 sa=11 sp=end da=11 ]
[ queue: qname=q-http qid=4 pqname=q-pri pqid=14 ]
@10 pass out proto tcp from any to any port = www flags S/SA keep
state queue(q-http, q-pri)
[ Skip steps: d=12 sp=end ]
[ queue: qname=q-http qid=4 pqname=q-pri pqid=14 ]
@11 pass out on sis0 inet from 172.16.0.0/16 to 172.16.0.0/16 no state
queue q-local
[ Skip steps: sp=end ]
[ queue: qname=q-local qid=17 pqname= pqid=17 ]
@12 pass in on rl0 proto tcp from any to (rl0:2) port = ssh flags S/SA
keep state queue(q-def, q-pri)
[ Skip steps: i=14 d=21 f=14 p=14 sa=15 sp=end da=14 ]
[ queue: qname=q-def qid=18 pqname=q-pri pqid=14 ]
@13 pass in on rl0 proto tcp from any to (rl0:2) port > 49151 user =
71 flags S/SA keep state queue(q-http, q-pri)
[ Skip steps: d=21 sa=15 sp=end ]
[ queue: qname=q-http qid=4 pqname=q-pri pqid=14 ]
@14 pass in on sis0 inet from any to ! 172.16.0.0/16 flags S/SA keep
state queue(q-def, q-pri)
[ Skip steps: i=21 d=21 p=16 sp=end dp=16 ]
[ queue: qname=q-def qid=18 pqname=q-pri pqid=14 ]
@15 pass in on sis0 from <atas:4> to any flags S/SA keep state
queue(q-voip, q-pri)
[ Skip steps: i=21 d=21 f=20 sp=end da=20 ]
[ queue: qname=q-voip qid=13 pqname=q-pri pqid=14 ]
@16 pass in on sis0 proto tcp from any to any port = www flags S/SA
keep state queue(q-http, q-pri)
[ Skip steps: i=21 d=21 f=20 p=20 sa=end sp=end da=20 ]
[ queue: qname=q-http qid=4 pqname=q-pri pqid=14 ]
@17 pass in on sis0 proto tcp from any to any port = 3128 flags S/SA
keep state queue(q-http, q-pri)
[ Skip steps: i=21 d=21 f=20 p=20 sa=end sp=end da=20 ]
[ queue: qname=q-http qid=4 pqname=q-pri pqid=14 ]
@18 pass in on sis0 proto tcp from any to any port = https flags S/SA
keep state queue(q-biz, q-pri)
[ Skip steps: i=21 d=21 f=20 p=20 sa=end sp=end da=20 ]
[ queue: qname=q-biz qid=19 pqname=q-pri pqid=14 ]
@19 pass in on sis0 proto tcp from any to any port = ssh flags S/SA
keep state queue(q-def, q-pri)
[ Skip steps: i=21 d=21 sa=end sp=end ]
[ queue: qname=q-def qid=18 pqname=q-pri pqid=14 ]
@20 pass in quick on sis0 inet from any to 172.16.0.0/16 no state queue q-local
[ Skip steps: p=end sa=end sp=end dp=end ]
[ queue: qname=q-local qid=17 pqname= pqid=17 ]
@21 anchor "ftp-proxy/*" all
[ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname= qid=0 pqname= pqid=0 ]
@22 anchor "authpf/*" all
[ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
[ queue: qname= qid=0 pqname= pqid=0 ]
fmbraga:17$
If you need, I can provide a similar (and working) setup running in OpenBSD 4.1.
Best regards,
--
Fernando M. Braga
+55 82 9985-4579
