From: "Miki Shapiro" 
To: freebsd-pf@freebsd.org
Date: Tue, 14 Dec 2004 22:59:26 +1100
Subject: Question on capabilities of ALTQ and HFSC
List-Id: Technical discussion and general questions about packet filter (pf)

Hi all

I'm using FreeBSD 5.3-RELEASE, with a kernel recompiled to support ALTQ and HFSC.

After playing for a while with pf and packet shaping using the HFSC queue implementation, I'm still at a loss on whether this is possible or not:

The FreeBSD box serves as a router for a small NATted LAN, with a proprietary protocol running bulk data in both directions, alongside regular traffic. The internet connection is asymmetric - bigger downlink than uplink. I wish to regulate (limit) the upstream traffic of the bulk-data connection, as it hurts other traffic when it peaks.

Since I queue traffic using the firewall rules in pf, queueing a stateful rule (keep state) affects incoming packets as well as outgoing packets that run along the session allowed by this rule. I believe specifying the interface on the queue definition (altq on $ext_if ...) was meant to prevent this, but the application responsible for the traffic runs in a jail on the machine itself, whose IP is aliased to the internal interface; since the arriving packets never actually go out on the (internal) wire, the "interface" of both incoming and outgoing packets stays the external one as far as the queue is concerned, thus putting both incoming and outgoing packets in the queue. mrtg shows both uplink and downlink choked at the bandwidth I attempted to impose on the bulk uplink traffic.

Furthermore, allowing free flow in both directions, grabbing the incoming traffic with a non-stateful rule and queueing it apparently solves the problem (not that I'd call a wide-open firewall a solution).

My queues are apparently defined correctly and otherwise work great; it is only a matter of removing the unwanted limitation of inbound traffic. Is this at all possible?

Miki
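An added example, not part of the original post, of the pf.conf pattern that addresses the symptom described above. pf stores the queue of the matching rule in the state entry and assigns it to packets in both directions, but ALTQ only shapes on the outbound side of the interface the queue is declared on, so packets arriving on the external interface are never shaped by a queue declared there. What does get shaped together with the bulk uplink data is the outgoing TCP ACKs for the data being downloaded over the same connection, and capping those caps the download as well, which is consistent with both directions showing the same ceiling in mrtg. pf's two-queue form, queue (bulk, ack), sends TCP ACKs with no payload (and packets with TOS lowdelay) to the second queue instead. The interface name, jail address, protocol port, link rate and queue sizes below are assumptions, and only the shaping-relevant lines of a ruleset are shown:

```pf
# --- assumptions for this example ---
ext_if    = "fxp0"          # external (uplink) interface
jail_ip   = "10.200.2.10"   # jail address, aliased on the internal interface
bulk_port = "5000"          # port of the proprietary bulk-data protocol
uplink    = "256Kb"         # uplink rate; set slightly below the real line rate

# ALTQ shapes only what leaves $ext_if. Packets arriving on $ext_if are not
# queued by this declaration, so the downlink itself is never limited here.
altq on $ext_if hfsc bandwidth $uplink queue { std, ack, bulk }
queue std  bandwidth 50% hfsc(default)
# Payload-less TCP ACKs for the download land here, not in "bulk", so a cap
# on the bulk queue no longer throttles the download's acknowledgements.
queue ack  bandwidth 20% hfsc(realtime 48Kb)
# Hard ceiling on the bulk-data uplink, regardless of how idle the link is.
queue bulk bandwidth 30% hfsc(upperlimit 96Kb)

nat on $ext_if from $jail_ip to any -> ($ext_if)

# Stateful rule for the bulk connection: data packets go to "bulk", empty
# ACKs (and TOS lowdelay packets) of the same state go to "ack".
pass out on $ext_if proto tcp from any to any port $bulk_port \
        flags S/SA keep state queue (bulk, ack)
# Everything else leaving the uplink takes the default queue.
pass out on $ext_if inet all keep state queue std
```

Whether the split is actually happening can be checked live with `pfctl -vvsq`, which prints per-queue packet and byte counters: during a download the "ack" queue should carry small packets at a steady rate while "bulk" stays pinned at its upperlimit. If the bulk connection is instead initiated from outside and redirected to the jail, the same `queue (bulk, ack)` clause goes on the `pass in on $ext_if` rule that admits it; the queue still only acts on the state's packets leaving $ext_if.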