
Re: New PF questions....



Dawid Zabrocki wrote:

> http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html (second match at google)
> http://www-2.cs.cmu.edu/~hzhang/HFSC/TALK/sld040.htm (see slides 40-45)
>
> I don't know more than it says there, never tried it myself

These also gave me the feeling that HFSC is a sort of CBQ on steroids... 
perhaps best suited to tasks such as VoIP routers or backbone 
aggregators, where each ISP is granted guaranteed bandwidth?

>> 2.  ACK prioritization...  The user's guide always uses 'flags S/SA' 
>> to identify which packets should go out first,  but the man page 
>> implies that this statement means SYN set, ACK unset, don't care on 
>> the rest.  To me, that suggests that initial SYN packets are placed 
>> into the queue, but ACK packets aren't (which defeats the whole 
>> purpose, but goes against my -vvsq observations).  Again, the cry of 
>> "What am I missing?"
>
> You are right, but in those examples it's about what to pass and what 
> not ... not which packet to put in which queue for prioritization ...
>
> man pf.conf:
> "pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)"
> "Packets can be assigned to queues based on filter rules by using the
>   queue keyword.  Normally only one queue is specified; when a second one
>   is specified it will instead be used for packets which have a TOS of
>   lowdelay and for TCP ACKs with no data payload."
>
> When you use "flags S/SA" (for example, pass out proto tcp all flags 
> S/SA keep state)
> this rule matches only those packets which start a new connection.
> I think you will always want to use "flags S/SA" in state rules ....
>
> If you used flags A/A you would match all ACKs
>
> When you use the rule:
> pass ...... flags S/SA keep state queue( normal, prio)
> the first packet creates a state rule and then all packets from the 
> connection are assigned to normal or prio ... (depending on TOS and flags)

So if I'm following correctly... using the rule

pass out on $ext_if from any to any port www flags S/SA keep state queue (data, ack)

where data is a bulk pool (priority 1) and ack the ack pool (priority 
15), the following happens...
1.  A computer on my network sends a SYN off to some webserver.  There 
is no state in the state table, so the rules are evaluated.  This is the 
last matching rule, and because it's a SYN, (and therefore not latency 
sensitive or an empty ACK) it is placed in the 'data' queue.
2.  The webserver sends back SYN+ACK.
3a.  The client sends back an empty ACK, but now, because state has been 
kept AND this is an empty ACK, it is placed into the 'ack' queue.  The 
'HTTP GET' packet that comes right after, though, matches state but not 
ACK, and so is placed in the 'data' queue.
3b.  Had I not kept state, the empty ACK would not have matched this 
rule at all (because it fails S/SA), so to get it out at the higher 
priority (if at all), I'd need another rule at the very bottom that says 
something like

pass out on $ext_if from any to any flags A/A queue ack

Yes?  No?
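
The walk-through in this message can be traced with a small model of pf's queue selection. This is an added example, not part of the original message and not pf code; the class and function names, the addresses and the three sample packets are constructed for illustration. It models outbound TCP packets only, and returns None where no rule assigned a queue.

```python
from dataclasses import dataclass
from typing import Optional

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP header flag bits
TOS_LOWDELAY = 0x10                # IPTOS_LOWDELAY

@dataclass(frozen=True)
class Packet:                      # outbound TCP packet (constructed sample data)
    conn: tuple
    flags: int
    payload_len: int = 0
    tos: int = 0

@dataclass(frozen=True)
class Rule:                        # "flags <want>/<mask> [keep state] queue (queue, prio)"
    want: int
    mask: int
    keep_state: bool
    queue: str
    prio: Optional[str] = None

    def matches(self, p):
        return (p.flags & self.mask) == self.want

    def pick_queue(self, p):
        # Per pf.conf(5): the second queue takes TOS lowdelay and payload-free ACKs.
        urgent = (p.tos & TOS_LOWDELAY) or ((p.flags & ACK) and p.payload_len == 0)
        return self.prio if (self.prio and urgent) else self.queue

def trace(rules):
    """Queue chosen for the SYN, the empty ACK, then the HTTP GET of one connection."""
    conn = ("10.0.0.2:40000", "192.0.2.80:80")   # constructed addresses
    packets = [Packet(conn, SYN), Packet(conn, ACK), Packet(conn, ACK | PSH, 120)]
    states, out = {}, []
    for p in packets:
        rule = states.get(p.conn)              # an existing state bypasses the ruleset
        if rule is None:
            for r in rules:                    # the last matching rule wins
                if r.matches(p):
                    rule = r
            if rule is not None and rule.keep_state:
                states[p.conn] = rule
        out.append(rule.pick_queue(p) if rule else None)  # None: no queue assigned
    return out

STATEFUL = [Rule(SYN, SYN | ACK, True, "data", "ack")]     # flags S/SA keep state
STATELESS = [Rule(SYN, SYN | ACK, False, "data", "ack")]   # same rule, no state
WITH_ACK_RULE = STATELESS + [Rule(ACK, ACK, False, "ack")]  # plus flags A/A queue ack

if __name__ == "__main__":
    for name, rs in [("3a", STATEFUL), ("3b", STATELESS), ("3b + A/A", WITH_ACK_RULE)]:
        print(name, trace(rs))
```

In the third rule set the GET also lands in 'ack', because flags A/A matches every packet with ACK set, not only the empty ones.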