From: vila@tesla.cujae.edu.cu
To: István
Cc: freebsd-pf@freebsd.org
Date: Sun, 07 Jun 2009 13:27:51 -0400
Subject: Re: Connmark target
Message-ID: <20090607132751.18wu3idnkgcgkss8@correo.cujae.edu.cu>

Ok István, I'll try this and post results.

By the way, does anyone know if there are plans to include connection
mark capabilities in pf? I say this because until now it is the only way
I've found to solve my issue.

If anybody knows another way to achieve the same goals, help is really
appreciated.

Thanks everyone,
evelio vila

István wrote:
> Then we have to investigate the possibility of using those flags ;)
> http://groups.google.com/group/bit.listserv.openbsd-pf/browse_thread/thread/dd04e046f70e8ebc#
>
> Regards,
> Istvan
>
> On Sat, Jun 6, 2009 at 7:29 PM,  wrote:
>
>> Unfortunately that would not help me because the whole traffic all
>> originates from a single IP address (the proxy), so I cannot
>> distinguish between them (that is why I use DSCP marks).
>> Even if I could achieve this, there is still the issue of selecting
>> incoming packets accordingly and directing them to inbound queues
>> (for downlink traffic shaping).
>>
>> Regards,
>> evelio vila
>>
>> István wrote:
>>
>>> I guess you might want to tag those DSCP-enabled packets - because
>>> pf has no support for that at the moment, at least I cannot see
>>> any - and put them into the queue based on the tag.
>>> http://www.openbsd.org/faq/pf/queueing.html#assign
>>>
>>> Regards,
>>> Istvan
>>>
>>> On Sat, Jun 6, 2009 at 6:52 PM,  wrote:
>>>
>>>> István wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> In general it is a very bad idea to use the same way you have
>>>>> been using before when you are moving to a new platform. You
>>>>> wouldn't use bash to manage win2k8 servers, just to give you an
>>>>> example of what I am talking about.
>>>>>
>>>>> The question is:
>>>>>
>>>>> What do you want to do with pf? Forget about netfilter/conntrack
>>>>> and so on. What do you want to achieve?
>>>>>
>>>>> This is the only question.
>>>>>
>>>>> Regards,
>>>>> Istvan
>>>>
>>>> I believe you are right, István!
>>>>
>>>> This is the thing:
>>>>
>>>> I want to do some traffic shaping on both interfaces of a FreeBSD
>>>> box. As you all probably know, the real congestion generally
>>>> occurs on the downlink interface because of the asymmetric nature
>>>> of some protocols (e.g. HTTP).
>>>>
>>>> On the internal network I have some applications that put DSCP
>>>> tags on packets according to different classes of service. The
>>>> uplink shaping can be done simply by matching the corresponding
>>>> DSCP field of each connection and sending them to different
>>>> queues. (By the way, the doc I've read only presents TOS matching
>>>> and nothing about DSCP.)
>>>> Anyway, the problem arises when the incoming traffic (from the
>>>> Internet) has no DSCP tags and I need to enqueue them accordingly
>>>> to do the downlink traffic shaping.
>>>>
>>>> Regards,
>>>> evelio vila
>>>>
>>>>> On Sat, Jun 6, 2009 at 6:15 PM,  wrote:
>>>>>
>>>>>> Ermal Luçi wrote:
>>>>>>
>>>>>>> On Sat, Jun 6, 2009 at 6:49 PM,  wrote:
>>>>>>>
>>>>>>>> Vlad Galu wrote:
>>>>>>>>
>>>>>>>>> On Sat, Jun 6, 2009 at 5:57 AM,  wrote:
>>>>>>>>>
>>>>>>>>>> Hi folks!
>>>>>>>>>>
>>>>>>>>>> I'm trying to figure out if there is a way to do connection
>>>>>>>>>> marking in a similar way to what iptables' CONNMARK target
>>>>>>>>>> does.
>>>>>>>>>>
>>>>>>>>>> Does pf support this feature?
>>>>>>>>>>
>>>>>>>>>> My intention is to tag an outgoing packet, transfer the tag
>>>>>>>>>> to the whole connection and then use that tag to mark
>>>>>>>>>> incoming packets belonging to the same connection.
>>>>>>>>>>
>>>>>>>>>> Also, I would then like to use that mark to enqueue marked
>>>>>>>>>> packets into HFSC classes.
>>>>>>>>>>
>>>>>>>>>> I've done all of this in Linux but never on FreeBSD; I've
>>>>>>>>>> searched pf's man page and the FAQ without success.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>>
>>>>>>>>>> evelio vila
>>>>>>>>>
>>>>>>>>> Hi evelio, see below:
>>>>>>>>> -- cut here --
>>>>>>>>> tag
>>>>>>>>>     Packets matching this rule will be tagged with the
>>>>>>>>>     specified string. The tag acts as an internal marker that
>>>>>>>>>     can be used to identify these packets later on. This can
>>>>>>>>>     be used, for example, to provide trust between interfaces
>>>>>>>>>     and to determine if packets have been processed by
>>>>>>>>>     translation rules. Tags are "sticky", meaning that the
>>>>>>>>>     packet will be tagged even if the rule is not the last
>>>>>>>>>     matching rule. Further matching rules can replace the tag
>>>>>>>>>     with a new one but will not remove a previously applied
>>>>>>>>>     tag. A packet is only ever assigned one tag at a time.
>>>>>>>>>     Packet tagging can be done during nat, rdr, or binat rules
>>>>>>>>>     in addition to filter rules. Tags take the same macros as
>>>>>>>>>     labels (see above).
>>>>>>>>>
>>>>>>>>> tagged
>>>>>>>>>     Used with filter or translation rules to specify that
>>>>>>>>>     packets must already be tagged with the given tag in order
>>>>>>>>>     to match the rule. Inverse tag matching can also be done
>>>>>>>>>     by specifying the ! operator before the tagged keyword.
>>>>>>>>> -- and here --
>>>>>>>>>
>>>>>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>>>>>> connections should be enough all by itself. You would simply
>>>>>>>>> add the
>>>>>>>>
>>>>>>>> Indeed no, what I want is also to mark the connection to be
>>>>>>>> able then to mark incoming packets belonging to the same
>>>>>>>> connection.
>>>>>>>>
>>>>>>>>> "queue " directive at the end of your pass out rule, even
>>>>>>>>> though the interface packets go out through is the "external"
>>>>>>>>> one, and you want to do shaping on the "internal" one but, as
>>>>>>>>> I understand, for that you also need floating (not if-bound)
>>>>>>>>> states. If I'm wrong, I'd
>>>>>>>>
>>>>>>>> I am not sure what you mean by "floating (not if-bound)
>>>>>>>> states"; could you please explain this?
>>>>>>>>
>>>>>>>>> like somebody with better pf knowledge to correct me :)
>>>>>>>
>>>>>>> pf(4) is not iptables. So before using it read more about it.
>>>>>>
>>>>>> I'm aware of that.
>>>>>>
>>>>>> I think it's pretty obvious that my post is simply trying to
>>>>>> figure out how to achieve with pf something that I used to do
>>>>>> with netfilter.
>>>>>>
>>>>>> I've read this before but nothing comes up to me.
>>>>>> http://www.openbsd.org/faq/pf/tagging.html
>>>>>>
>>>>>> Thanks anyway, Ermal.
>>>>>> Regards,
>>>>>> evelio vila
>>>>>>
>>>>>>> http://home.nuug.no/~peter/pf/en/
>>>>>>> http://www.openbsd.org/faq/pf
>>>>>>>
>>>>>>>> Thanks for your quick answer, Vlad.
>>>>>>>>
>>>>>>>> evelio vila
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------
>>>>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>>>>
>>>>>>>> VI International Conference on Renewable Energy, Energy Saving
>>>>>>>> and Energy Education
>>>>>>>> 9 - 12 June 2009, Palacio de las Convenciones
>>>>>>>> ...For a sustainable energy culture
>>>>>>>> www.ciercuba.com
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-pf@freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>>>>
>>>>>>> --
>>>>>>> Ermal
>>>>>
>>>>> --
>>>>> the sun shines for all
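Added example, not a configuration posted by anyone in the thread: a pf.conf sketch of the tag-based approach István suggests, with the queue also named on the rule that classifies the DSCP-marked packet so that the state created there carries a queue for the replies. The interface names, proxy address, bandwidths and DSCP value are placeholders, and the assumption that a reply leaving on the internal interface is queued by the state its inbound rule created is exactly what the thread leaves to be tested.

```pf
# Added example, not from the thread. Interface names, the proxy address,
# bandwidths and the DSCP value are constructed placeholders.
ext_if = "em0"          # towards the Internet
int_if = "em1"          # towards the LAN, where the proxy lives
proxy  = "192.0.2.10"   # every flow has this source, so queues cannot be chosen by address

# HFSC on both interfaces with the same queue names: uplink shaping on
# $ext_if, downlink shaping on $int_if. A queue defined without "on" is
# attached to every interface whose altq line lists it.
altq on $ext_if hfsc bandwidth 2Mb queue { q_rt, q_bulk }
altq on $int_if hfsc bandwidth 8Mb queue { q_rt, q_bulk }
queue q_rt   bandwidth 30% hfsc(realtime 20%)
queue q_bulk bandwidth 70% hfsc(default)

# pf matches the whole TOS byte; DSCP is its upper six bits, so a DSCP of
# 46 (Expedited Forwarding) shows up as tos 0xb8 (46 << 2).
# Classify the packet as it enters from the proxy, tag it, and name the
# queue on the same rule. Tags are sticky (see the pf.conf(5) excerpt):
# the generic rule tags BULK first and the more specific last-matching
# rule replaces it with RT, and the queue follows the last matching rule.
# Assumption to verify with pfctl -vvss / pfctl -vvsq: the state created
# here is the one a reply packet matches when it leaves on $int_if, so
# the queue recorded in it is what shapes the downlink for that flow.
pass in on $int_if from $proxy          tag BULK queue q_bulk keep state
pass in on $int_if from $proxy tos 0xb8 tag RT   queue q_rt   keep state

# On the way out the packet still carries the tag from the rules above,
# so the uplink queue is chosen with "tagged" instead of re-matching the
# DSCP. Replies arrive on $ext_if without any DSCP and are matched by the
# state these rules create, not by a rule.
pass out on $ext_if tagged BULK queue q_bulk keep state
pass out on $ext_if tagged RT   queue q_rt   keep state
```

Load it with pfctl -nf to check the syntax before pfctl -f, and watch pfctl -vvsq on $int_if while a download runs to confirm that the reply packets land in the expected queue.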