[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PF priq queue headache
- To: misc <misc@openbsd.org>
- Subject: PF priq queue headache
- From: Chris Zakelj <c.zakelj@ieee.org>
- Date: Tue, 01 Feb 2005 12:01:32 -0500
- User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
I'm trying to get a little more fine-grained on my outbound queues, but
I'm having difficulty achieving my next objective, which is to place all
p2p traffic in the lowest priority queue. I know the open inbound ports
are in the 9980-9999 range, but the magic bullet eludes me. Here's
pf.conf as it currently stands:
# Define interfaces and rooms
int_if = "rl0"
ext_if = "tun0"
north = "192.168.0.15"
south = "192.168.0.10"
center = "192.168.0.20"
# RFC1918
priv_nets = "{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
# Those wonderful scrubbing bubbles
scrub in all
# Queueing
# TCP/ACK frames get first dibs, followed by webserver, DNS lookups, and
# the unwashed masses. p2p goes last.
altq on $ext_if priq bandwidth 256Kb queue { torrent, std_out, web_req,
dns_out, web_server, tcp_ack_out }
queue torrent priq(default)
queue std_out priority 7
queue web_req priority 8
queue dns_out priority 9
queue web_server priority 10
queue tcp_ack_out priority 15
# The downstream is 1900kb, Everyone gets 600Kb regardless,
# and can get more when nobody else wants theirs.
altq on $int_if cbq bandwidth 100Mb queue { trash, other, north, center,
south }
queue trash cbq(default)
queue other bandwidth 6Kb cbq(borrow)
queue north bandwidth 600Kb cbq(borrow)
queue center bandwidth 600Kb cbq(borrow)
queue south bandwidth 600Kb cbq(borrow)
# NAT/RDR directives
nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port
rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr pass on $ext_if proto { tcp, udp } from any to any port 6081 ->
$south port 6081
rdr on $ext_if proto { tcp, udp } from any to any port 9980:9989 ->
$south port 9980:*
rdr on $ext_if proto tcp from any to any port 9990:9999 -> $center port
9990:*
# Filtering begins
block drop log all
# Local machine stuff
pass quick on lo0 all
# Clean invalid SRC/DST packets
block in quick on $ext_if from $priv_nets to any
block out quick on $ext_if from any to $priv_nets
# Pass in allowed servers
# pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA
keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA
keep state queue web_server
pass in on $ext_if proto tcp from any to ($ext_if) user proxy keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 9980:9999 keep
state queue torrent
# Out to the 'net
pass out on $ext_if from ($ext_if) to any modulate state queue(std_out,
tcp_ack_out)
pass out on $ext_if proto tcp from ($ext_if) to any port { http, https }
modulate state queue (web_req, tcp_ack_out)
pass out on $ext_if proto { udp icmp } from ($ext_if) to any keep state
queue std_out
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port domain
modulate state queue dns_out
pass out on $ext_if proto tcp from ($ext_if) to any user www modulate
state queue web_server
pass out on $ext_if proto tcp from ($ext_if) to any port 9980:9999
modulate state queue torrent
# Internal queueing
pass out on $int_if from any to $int_if:network
pass in quick on $int_if from $north to any keep state queue north
pass in quick on $int_if from $south to any keep state queue south
pass in quick on $int_if from $center to any keep state queue center
pass in on $int_if from any to any keep state queue other
I'd have thought that since I'm using static-port on my NAT rule, either
of the 'queue torrent' rules would work, but watching -vvsq says
otherwise...
queue torrent priq( default )
[ pkts: 0 bytes: 0 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue std_out priority 7
[ pkts: 3694 bytes: 2985977 dropped pkts: 166 bytes:
147152 ]
[ qlength: 9/ 50 ]
[ measured: 36.3 packets/s, 246.11Kb/s ]
queue web_req priority 8
[ pkts: 15 bytes: 5066 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 ]
[ measured: 0.1 packets/s, 285.82 b/s ]
queue dns_out priority 9
[ pkts: 9 bytes: 656 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 ]
[ measured: 0.1 packets/s, 36.59 b/s ]
queue web_server priority 10
[ pkts: 0 bytes: 0 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue tcp_ack_out priority 15
[ pkts: 931 bytes: 41588 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 ]
[ measured: 9.7 packets/s, 3.46Kb/s ]
queue root_rl0 bandwidth 100Mb priority 0 cbq( wrr root ) {trash, other,
north,
center, south}
[ pkts: 3483 bytes: 913591 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 37.2 packets/s, 81.47Kb/s ]
queue trash bandwidth 100Mb cbq( default )
[ pkts: 51 bytes: 2754 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.3 packets/s, 123.20 b/s ]
queue other bandwidth 6Kb cbq( borrow )
[ pkts: 0 bytes: 0 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.0 packets/s, 0 b/s ]
queue north bandwidth 600Kb cbq( borrow )
[ pkts: 85 bytes: 13392 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.7 packets/s, 688.04 b/s ]
queue center bandwidth 600Kb cbq( borrow )
[ pkts: 3314 bytes: 890335 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 borrows: 178 suspends: 0 ]
[ measured: 36.0 packets/s, 80.42Kb/s ]
queue south bandwidth 600Kb cbq( borrow )
[ pkts: 33 bytes: 7110 dropped pkts: 0
bytes: 0 ]
[ qlength: 0/ 50 borrows: 0 suspends: 0 ]
[ measured: 0.1 packets/s, 236.02 b/s ]
I'm obviously missing something, but I'm at a loss as to what. Ideas
anybody?