From owner-freebsd-pf@FreeBSD.ORG Mon May 17 11:07:04 2010
Date: Mon, 17 May 2010 11:07:03 GMT
Message-Id: <201005171107.o4HB73p6015816@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o kern/144311   pf     [pf] [icmp] massive ICMP storm on lo0 occurs when usin
o kern/143543   pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504    pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961   pf     [pf] No way to adjust pidfile in pflogd
o conf/142817   pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905   pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697   pf     [pf] pf behaviour changes - must be documented
o kern/137982   pf     [pf] when pf can hit state limits, random IP failures
o kern/136781   pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948   pf     [pf] [gre] pf not natting gre protocol
o kern/135162   pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996   pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732   pf     [pf] max-src-conn issue
o kern/132769   pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176   pf     [pf] pf stalls connection when using route-to [regress
o conf/130381   pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861   pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920   pf     [pf] ipv6 and synproxy don't play well together
o conf/127814   pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439   pf     [pf] deadlock in pf
f kern/127345   pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121   pf     [pf] [patch] pf incorrect log priority
o kern/127042   pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467   pf     [pf] pf keep state bug while handling sessions between
s kern/124933   pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364   pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773   pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014   pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704   pf     [pf] PF mangles loopback packets
o kern/120281   pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057   pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355    pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567   pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095   pf     [carp] carp+pf delay with high state limit
o kern/111220   pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838   pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283   pf     pfsync fails to successfully transfer some sessions
o kern/103281   pf     pfsync reports bulk update failures
o kern/93825    pf     [pf] pf reply-to doesn't work
o sparc/93530   pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949    pf     [pf] PF + ALTQ problems with latency
o bin/86635     pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271    pf     [pf] cbq scheduler cause bad latency

43 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed May 19 21:52:56 2010
From: merlyn@stonehenge.com (Randal L. Schwartz)
To: freebsd-pf@freebsd.org
Date: Wed, 19 May 2010 14:36:47 -0700
Message-ID: <86wruzlgk0.fsf@red.stonehenge.com>
Subject: OpenBSD 4.7's pf is not backward compatible

Now that OpenBSD 4.7 is out, I see that the pf has undergone a flag day.

Are there people here actively working on incorporating this new release
into FreeBSD?

Also, how different is the pf code in FreeBSD from upstream?  Is it just
a matter of a good three-way merge to get it to work?

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion

From owner-freebsd-pf@FreeBSD.ORG Thu May 20 04:40:39 2010
Date: Wed, 19 May 2010 21:40:37 -0700
From: George Davidovich
To: freebsd-pf@freebsd.org
Message-ID: <20100520044037.GA14920@marvin.optimis.net>
In-Reply-To: <86wruzlgk0.fsf@red.stonehenge.com>
Subject: Re: OpenBSD 4.7's pf is not backward compatible

On Wed, May 19, 2010 at 02:36:47PM -0700, Randal L. Schwartz wrote:
> Now that OpenBSD 4.7 is out, I see that the pf has undergone a flag day.
>
> Are there people here actively working on incorporating this new release
> into FreeBSD?
>
> Also, how different is the pf code in FreeBSD from upstream?  Is it just
> a matter of a good three-way merge to get it to work?

Can't answer your questions directly, but the following may be informative:

From the fine Handbook
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

  Warning: When browsing the PF FAQ, please keep in mind that different
  versions of FreeBSD can contain different versions of PF. Currently,
  FreeBSD 7.X and later are using the same version of PF as OpenBSD 4.1.

The "PF FAQ" being referred to is that of OpenBSD.

-- 
George

From owner-freebsd-pf@FreeBSD.ORG Thu May 20 04:53:41 2010
Date: Thu, 20 May 2010 00:53:39 -0400
From: Chris Buechler
To: "Randal L. Schwartz"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <86wruzlgk0.fsf@red.stonehenge.com>
Subject: Re: OpenBSD 4.7's pf is not backward compatible

On Wed, May 19, 2010 at 5:36 PM, Randal L. Schwartz wrote:
>
> Now that OpenBSD 4.7 is out, I see that the pf has undergone a flag day.
>
> Are there people here actively working on incorporating this new release
> into FreeBSD?
>

4.5, yes.
http://svn.freebsd.org/viewvc/base/user/eri/pf45/head/

4.7, not at this moment (Ermal, Max, etc. can expand on that).

> Also, how different is the pf code in FreeBSD from upstream?  Is it just
> a matter of a good three-way merge to get it to work?
>

It's not easy, quite a bit different.
From owner-freebsd-pf@FreeBSD.ORG Thu May 20 08:29:46 2010
From: "Spenst, Aleksej"
To: freebsd-pf@freebsd.org
Date: Thu, 20 May 2010 10:18:47 +0200
Message-ID: <20290C577F743240B5256C89EFA753810C3CC9FE50@HIKAWSEX01.ad.harman.com>
Subject: Ingress traffic shaping

Hi All,

If I understand it correctly, ingress traffic shaping is not possible with
pf/altq. Are there any tricks to do it?

I suppose that if incoming traffic is sent out by the router further to the
LAN, the incoming traffic can be considered as outgoing traffic and
therefore can be easily shaped.

    ---- incoming traffic ---> ROUTER ---- shaped outgoing traffic ---->

So, in this case one can say that ingress traffic can be shaped. In this
manner it should be possible to limit TCP download traffic.

What if traffic is not forwarded further?

    ---- incoming traffic ---> END HOST

Is it possible to do anything to slow down for example TCP download
traffic? Drop incoming packets? Drop or slow down outgoing ACKs?
I've tried to put outgoing ACKs in the queue with the lowest priority, but
that doesn't help when there is not much other outbound traffic.

I also was trying to figure out whether it is possible to forward the
incoming traffic to the loopback interface and then back to ext_if, so that
incoming traffic can be considered as outgoing at the loopback interface.

    ---- incoming traffic ---> ----> ---- shaped outgoing traffic ---->

but I couldn't configure pf.conf such that this would be possible... Is
this theoretically possible?

Thanks a lot for any tips!

Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Fri May 21 02:46:02 2010
Date: Fri, 21 May 2010 10:46:01 +0800
From: shoks
To: "Spenst, Aleksej"
Cc: freebsd-pf@freebsd.org
In-Reply-To: <20290C577F743240B5256C89EFA753810C3CC9FE50@HIKAWSEX01.ad.harman.com>
Subject: Re: Ingress traffic shaping

On Thu, May 20, 2010 at 4:18 PM, Spenst, Aleksej wrote:
> Hi All,
>
> If I understand it correctly, ingress traffic shaping is not possible with
> pf/altq.
> Are there any tricks to do it?
>

Not really tricky, a diligent read of the PF and ALTQ doc should help you
figure out the right configs. Would you mind posting your PF configs, the
one without the loopback redirection?

> I suppose that if incoming traffic is sent out by the router further to the
> LAN, the incoming traffic can be considered as outgoing traffic and
> therefore can be easily shaped.
>
>     ---- incoming traffic ---> ROUTER ---- shaped outgoing traffic ---->
>
> So, in this case one can say that ingress traffic can be shaped. In this
> manner it should be possible to limit TCP download traffic.
>
> What if traffic is not forwarded further?
>
>     ---- incoming traffic ---> END HOST
>
> Is it possible to do anything to slow down for example TCP download
> traffic? Drop incoming packets? Drop or slow down outgoing ACKs?
> I've tried to put outgoing ACKs in the queue with the lowest priority, but
> that doesn't help when there is not much other outbound traffic.
>
> I also was trying to figure out whether it is possible to forward the
> incoming traffic to the loopback interface and then back to ext_if, so that
> incoming traffic can be considered as outgoing at the loopback interface.
>
>     ---- incoming traffic ---> ----> ---- shaped outgoing traffic ---->
>
> but I couldn't configure pf.conf such that this would be possible... Is
> this theoretically possible?
>
> Thanks a lot for any tips!
>
> Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Fri May 21 06:36:47 2010
From: "Spenst, Aleksej"
To: shoks
Cc: freebsd-pf@freebsd.org
Date: Fri, 21 May 2010 08:36:42 +0200
Message-ID: <20290C577F743240B5256C89EFA753810C3CC9FE53@HIKAWSEX01.ad.harman.com>
In-Reply-To: <20290C577F743240B5256C89EFA753810C3CC9FE50@HIKAWSEX01.ad.harman.com>
Subject: Re: Ingress traffic shaping

>> If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
>> Are there any tricks to do it?

> Not really tricky, a diligent read of the PF and ALTQ doc should help you
> figure out the right configs. Would you mind posting your PF configs, the
> one without the loopback redirection?

Thank you for your answer, but it's clear to me how to configure the first
described case when the incoming traffic is forwarded further to the LAN and
shaped as outgoing traffic at the router. My questions are more general.
First I would like to know whether it is at all possible and then how it can
be done (not necessarily in terms of configuration).

At the moment I see that if traffic is forwarded further to the LAN, it might
work somehow as discussed in the previous message from Raymond.

However, I also see that if the incoming traffic is not forwarded further it
is not possible to slow it down somehow and this is now my big problem: I
can't do anything with pf/altq to slow down the download traffic. That is why
I'm asking whether there are any tricks to do it. I'm wondering if my example
with loopback redirection can theoretically work... then I would think about
proper configuration. What I feel now is that forwarding of packets between
different interfaces within one host doesn't use queues as expected, probably
the packets are somehow internally forwarded between interfaces and not
properly sent via queues as they would be if sent outside. I use "route-to"
for sending packets from ext_if to lo0 and "rdr" for sending them back from
lo0 to ext_if and I see that the queues at the lo0 interface (where I could
shape the traffic) are always empty... Having written this I've realised that
I have to give my pf.conf. Sorry, this is exactly what you haven't asked for,
but maybe you can help :)

# ----------------------------------------------------
# pf.conf: redirection of ingress traffic from $ext_if to loopback interface $lo
# and then back to $ext_if
# this is to be able to shape ingress traffic with altq when sending it from $lo
# in terms of data connection this works fine

### Queue configuration
altq on $lo priq bandwidth 50Kb queue { q1, q2 }
queue q1 priority 14 priq
queue q2 priority 0 priq (default)

### Rdr rule
rdr on $lo -> $ext_if0

### Filtering
block in log
block out log
pass in log on $lo
pass out log quick on $lo queue q2
pass in log on $ext_if0 route-to $lo
pass out log on $ext_if0
# ----------------------------------------------------

Problem: q2 queue is always empty (actually it always contains only 1 incoming
ACK packet when the TCP download session is over, but no incoming data
packets).

Thanks for any help!

Aleksej.

From owner-freebsd-pf@FreeBSD.ORG Fri May 21 06:38:45 2010
From: "Spenst, Aleksej"
To: freebsd-pf@freebsd.org
Date: Fri, 21 May 2010 08:38:40 +0200
Message-ID: <20290C577F743240B5256C89EFA753810C3CC9FE54@HIKAWSEX01.ad.harman.com>
Subject: Re: Ingress traffic shaping

-----Original Message-----
From: Raymond
Sent: Thursday, 20 May 2010 16:29
To: Spenst, Aleksej
Subject: Re: Ingress traffic shaping

On 5/20/2010 04:18, Spenst, Aleksej wrote:
> If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
> Are there any tricks to do it?
>

Yes.  Inbound traffic can be queued as you discovered by setting up a queue
on the internal NIC.  You can split off a separate full speed queue for
traffic originating from the local host if you don't want local network
traffic to be slowed as well.

The problem is that such throttling is largely fruitless.  The traffic has
already been sent by the remote end, and dropping the packet simply means the
remote end will have to send it again, consuming even more bandwidth.  You
are simply hoping the remote end follows proper procedure and throttles
itself as it starts getting dropped packets.

From owner-freebsd-pf@FreeBSD.ORG Sat May 22 16:39:56 2010
Date: Sat, 22 May 2010 16:39:56 GMT
Message-Id: <201005221639.o4MGduJp063664@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses

Old Synopsis: [pf] "(self)" not always mathing all local IPv6 addresses
New Synopsis: [pf] "(self)" not always matching all local IPv6 addresses

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat May 22 16:39:33 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=146832
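The forwarded-traffic case from the "Ingress traffic shaping" thread, written out as a pf.conf in the way Raymond describes (queue Internet-to-LAN traffic where it leaves on the internal NIC, with a separate full-speed queue for what the router itself sends). This is an added example, not a configuration posted by anyone in the thread; the interface names em0/em1, the LAN prefix 192.168.1.0/24 and all bandwidth figures are assumptions. It covers only the router case; for the end-host case Raymond's message explains why no equivalent exists.

```pf
# Added example (not from the thread): shape Internet->LAN downloads where
# they leave the router, i.e. outbound on the LAN NIC. Interface names,
# the LAN prefix and every bandwidth figure below are assumptions.
ext_if  = "em0"             # faces the Internet
int_if  = "em1"             # faces the LAN
lan_net = "192.168.1.0/24"

set skip on lo0

# ALTQ is attached to the LAN-facing NIC only; 100Mb is em1's port speed
# and the children divide it. Nothing is queued on $ext_if.
altq on $int_if cbq bandwidth 100Mb queue { q_local, q_inet }

# Traffic the router itself sends into the LAN (DNS, DHCP, SSH sessions to
# the box) never crossed the Internet link, so it keeps the port speed.
queue q_local bandwidth 80% cbq(borrow)

# Everything that arrived from the Internet is capped at 2Mb. The parent
# has no "borrow", so the cap holds; its children may borrow from each
# other. The high-priority child carries empty ACKs and lowdelay traffic so
# a bulk download does not stall interactive sessions.
queue q_inet bandwidth 2Mb cbq { q_inet_ack, q_inet_bulk }
  queue q_inet_ack  bandwidth 20% priority 7 cbq(borrow)
  queue q_inet_bulk bandwidth 80% priority 1 cbq(default borrow)

nat on $ext_if from $lan_net to any -> ($ext_if)

block log all

# How the queue reaches the LAN NIC: pf applies the queue named on the rule
# that created a state to the packets of that state, replies included. For
# a download started by a LAN host the state is created by the "pass in on
# $int_if" rule, and the reply data is queued in q_inet when it leaves on
# $int_if. Requests leave on $ext_if unqueued (no ALTQ there).

# LAN hosts talking to the router itself: full speed, decided first.
pass in quick on $int_if from $lan_net to ($int_if) keep state queue q_local

# LAN-initiated connections to the outside world. The last matching rule
# wins, so the TCP rule (with the ACK/lowdelay side queue) overrides the
# generic one for TCP; UDP and ICMP replies land in the bulk queue.
pass in on $int_if from $lan_net keep state queue q_inet_bulk
pass in on $int_if proto tcp from $lan_net flags S/SA keep state \
    queue (q_inet_bulk, q_inet_ack)

# Traffic leaving toward the Internet (forwarded after NAT, or the router's
# own): no queue, because there is no ALTQ on $ext_if.
pass out on $ext_if keep state

# Connections the router itself opens into the LAN: full-speed queue.
pass out on $int_if from ($int_if) keep state queue q_local

# Caveat from the thread: this throttles the sender only indirectly. The
# bytes have already crossed the Internet link; dropping them here relies
# on TCP congestion control at the far end to back off.
```

To confirm the assignment is taking effect, watch `pfctl -vvsq` during a download to a LAN host: the pkts/bytes counters of q_inet_bulk should advance, while q_local stays quiet unless the router itself is sending.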