From owner-freebsd-pf@FreeBSD.ORG Mon Jul 30 11:07:22 2012
Date: Mon, 30 Jul 2012 11:07:22 GMT
Message-Id: <201207301107.q6UB7M05001881@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/169630  pf     [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf     [pf] direction scrub rules don't work
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
s kern/167057  pf     [pf] PF firewall version 4.5 in FreeBSD 9.0 & 8.2 nolo
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

53 problems total.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 1 17:13:34 2012
Date: Wed, 1 Aug 2012 17:13:29 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Matthew Seaman
Cc: FreeBSD Stable List, freebsd-pf@FreeBSD.org
In-Reply-To: <5011902C.1070600@infracaninophile.co.uk>
References: <5011902C.1070600@infracaninophile.co.uk>
Subject: Re: Regression with jails/IPv6/pf

On Thu, 26 Jul 2012, Matthew Seaman wrote:

Hi,

as there have been more people having problems with pf and IPv6 after
the changes I am replying to stable@ cc: pf@.

...

> [...]
>
>   nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
>   rdr inet6 proto tcp from to $xenophobe_ext \
>       port { 22, 80, 443, 548, 4700 } -> $xenophobe_int
>
> When trying to ssh into the jail with a kernel exhibiting this problem,
> tcpdump showed that traffic was reaching the sshd in the jail and
> responses were being generated, but they didn't make it out onto the net.

Any of you who are experiencing problems with packets dropped due to
invalid checksums with IPv6 and pf after the recent merges, can you
report back if you also see this without "modulate state" in your
pf.conf (if you have 'modulate' in there, can you try changing it to
'keep' and see if that fixes the problem)?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
   Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 1 17:37:50 2012
Message-ID: <50196965.3020807@FreeBSD.org>
Date: Wed, 01 Aug 2012 18:37:41 +0100
From: Matthew Seaman
To: "Bjoern A. Zeeb"
Cc: FreeBSD Stable List, freebsd-pf@FreeBSD.org
References: <5011902C.1070600@infracaninophile.co.uk>
Subject: Re: Regression with jails/IPv6/pf

On 01/08/2012 18:13, Bjoern A. Zeeb wrote:

> Any of you who are experiencing problems with packets dropped due to
> invalid checksums with IPv6 and pf after the recent merges, can you
> report back if you also see this without "modulate state" in your
> pf.conf (if you have 'modulate' in there, can you try changing it to
> 'keep' and see if that fixes the problem)?

Alas, I was already using 'keep state'.  I did just try 'modulate
state,' just on the off-chance but it makes no difference.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey

From owner-freebsd-pf@FreeBSD.ORG Wed Aug 1 18:23:19 2012
Date: Wed, 1 Aug 2012 18:23:08 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Matthew Seaman
Cc: FreeBSD Stable List, freebsd-pf@FreeBSD.org
In-Reply-To: <50196965.3020807@FreeBSD.org>
References: <5011902C.1070600@infracaninophile.co.uk> <50196965.3020807@FreeBSD.org>
Subject: Re: Regression with jails/IPv6/pf

On Wed, 1 Aug 2012, Matthew Seaman wrote:

> On 01/08/2012 18:13, Bjoern A. Zeeb wrote:
>
>> Any of you who are experiencing problems with packets dropped due to
>> invalid checksums with IPv6 and pf after the recent merges, can you
>> report back if you also see this without "modulate state" in your
>> pf.conf (if you have 'modulate' in there, can you try changing it to
>> 'keep' and see if that fixes the problem)?
>
> Alas, I was already using 'keep state'.  I did just try 'modulate
> state,' just on the off-chance but it makes no difference.

Modulate would only make it worse.

-- 
Bjoern A. Zeeb                                 You have to have visions!
   Stop bit received. Insert coin for new address family.

From owner-freebsd-pf@FreeBSD.ORG Sat Aug 4 23:51:06 2012
Message-ID: <501DB569.4030700@cyberleo.net>
Date: Sat, 04 Aug 2012 18:51:05 -0500
From: CyberLeo Kitsana
To: freebsd-pf@freebsd.org
Subject: AltQ nested classes and limits

Hi!

I'm currently struggling with a little issue with pf and AltQ cbq in
FreeBSD 8.2-RELEASE.

I'm trying to set up queueing with two different ISP uplinks attached to
my gateway. Note that I am not trying to multihome the machine.

The machine in question only has two interfaces, so those are trunked to
an 8-port managed switch as vlans 1 through 6; the primary link's modem
is plugged into vlan 5, and the secondary into vlan 6. All this is
working fine.

(Only one interface is attached to the trunk in this snapshot; the other
is being used for system access while I get this sorted out.)

----8<----
lagg0: flags=8843 metric 0 mtu 1500
        options=38d8
        ether 00:01:80:79:fc:5a
        inet6 fe80::201:80ff:fe79:fc5a%lagg0 prefixlen 64 scopeid 0xa
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=3
        media: Ethernet autoselect
        status: active
        laggproto lacp
        laggport: re0 flags=1c
vlan5: flags=8843 metric 0 mtu 1500
        ether 00:01:80:79:fc:5a
        inet6 fe80::222:68ff:fe8e:e0fe%vlan5 prefixlen 64 scopeid 0xf
        inet 216.80.73.130 netmask 0xfffffff8 broadcast 216.80.73.135
        inet 216.80.73.131 netmask 0xffffffff broadcast 216.80.73.131
        inet 192.168.100.2 netmask 0xfffffffc broadcast 192.168.100.3
        nd6 options=3
        media: Ethernet autoselect
        status: active
        vlan: 5 parent interface: lagg0
vlan6: flags=8843 metric 0 mtu 1500
        ether 00:01:80:79:fc:5a
        inet6 fe80::222:68ff:fe8e:e0fe%vlan6 prefixlen 64 scopeid 0x10
        inet 216.36.125.42 netmask 0xfffffff8 broadcast 216.36.125.47
        inet 216.36.125.43 netmask 0xffffffff broadcast 216.36.125.43
        inet 192.168.1.2 netmask 0xfffffffc broadcast 192.168.1.3
        nd6 options=3
        media: Ethernet autoselect
        status: active
        vlan: 6 parent interface: lagg0
----8<----

Since AltQ refuses to function on vlan virtual interfaces, I have
instead attached a hierarchy of classes to the parent interface (lagg0),
and set up rules to classify packets into the queues according to pf
tags and the egress interface. This is also working fine, and the
packets are queued appropriately.

----8<----
altq on lagg0 bandwidth 1Gb cbq queue { defq vlan5 vlan6 }
 queue defq bandwidth 64Kb cbq(rio, ecn, default)
 queue vlan5 bandwidth 4700Kb cbq(rio, ecn) { vlan5_phone, vlan5_ack, vlan5_ssh, vlan5_dflt, vlan5_bulk, vlan5_down }
  queue vlan5_phone bandwidth 32Kb priority 7 cbq(rio, ecn, borrow)
  queue vlan5_ack bandwidth 32Kb priority 6 cbq(rio, ecn, borrow)
  queue vlan5_ssh bandwidth 128Kb priority 5 cbq(rio, ecn, borrow)
  queue vlan5_dflt bandwidth 8Kb priority 4 cbq(rio, ecn, borrow)
  queue vlan5_bulk bandwidth 8Kb priority 2 cbq(rio, ecn, borrow)
  queue vlan5_down bandwidth 8Kb priority 0 cbq(rio, ecn, borrow)
 queue vlan6 bandwidth 600Kb cbq(rio, ecn) { vlan6_phone, vlan6_ack, vlan6_ssh, vlan6_dflt, vlan6_bulk, vlan6_down }
  queue vlan6_phone bandwidth 32Kb priority 7 cbq(rio, ecn, borrow)
  queue vlan6_ack bandwidth 32Kb priority 6 cbq(rio, ecn, borrow)
  queue vlan6_ssh bandwidth 128Kb priority 5 cbq(rio, ecn, borrow)
  queue vlan6_dflt bandwidth 8Kb priority 4 cbq(rio, ecn, borrow)
  queue vlan6_bulk bandwidth 8Kb priority 2 cbq(rio, ecn, borrow)
  queue vlan6_down bandwidth 8Kb priority 0 cbq(rio, ecn, borrow)
----8<----

What completely fails is my attempts to limit the bandwidth towards each
of the modems. It seems that the second-level child classes are simply
ignoring the parent class and borrowing directly from root instead,
despite any hierarchies or bandwidth limits in place. This frequently
results in queue suspends when they cannot drain fast enough, at which
point all traffic ceases for a minute or so.

----8<----
queue root_lagg0 on lagg0 bandwidth 1Gb priority 0 cbq( wrr root ) {defq, vlan5, vlan6}
  [ pkts: 169394 bytes: 99190404 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 136.8 packets/s, 364.26Kb/s ]
...
queue vlan5 on lagg0 bandwidth 4.70Mb cbq( red ecn rio ) {vlan5_phone, vlan5_ack, vlan5_ssh, vlan5_dflt, vlan5_bulk, vlan5_down}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue vlan5_phone on lagg0 bandwidth 32Kb priority 7 cbq( red ecn rio borrow )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue vlan5_ack on lagg0 bandwidth 32Kb priority 6 cbq( red ecn rio borrow )
  [ pkts: 45696 bytes: 2750286 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 3590 suspends: 0 ]
  [ measured: 30.3 packets/s, 14.45Kb/s ]
queue vlan5_ssh on lagg0 bandwidth 128Kb priority 5 cbq( red ecn rio borrow )
  [ pkts: 399 bytes: 26482 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.5 packets/s, 261.29 b/s ]
queue vlan5_dflt on lagg0 bandwidth 8Kb priority 4 cbq( red ecn rio borrow )
  [ pkts: 115694 bytes: 91758450 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 115687 suspends: 17 ]
  [ measured: 98.6 packets/s, 309Kb/s ]
queue vlan5_bulk on lagg0 bandwidth 8Kb priority 2 cbq( red ecn rio borrow )
  [ pkts: 55 bytes: 8494 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue vlan5_down on lagg0 bandwidth 8Kb priority 0 cbq( red ecn rio borrow )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
----8<----

Does anyone here have experience with such a setup? Do I have incorrect
expectations, or a flawed implementation? Is this a known issue with the
AltQ implementation in FreeBSD 8.2?

I can provide further information upon request.

Thank you.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace!
- http://wwww.fur.com/peace/

From owner-freebsd-pf@FreeBSD.ORG Sat Aug 4 23:54:34 2012
Message-ID: <501DB639.6030107@cyberleo.net>
Date: Sat, 04 Aug 2012 18:54:33 -0500
From: CyberLeo Kitsana
To: freebsd-pf@freebsd.org
References: <501DB569.4030700@cyberleo.net>
In-Reply-To: <501DB569.4030700@cyberleo.net>
Subject: Re: AltQ nested classes and limits

On 08/04/2012 06:51 PM, CyberLeo Kitsana wrote:
> Hi!
>
> I'm currently struggling with a little issue with pf and AltQ cbq in
> FreeBSD 8.2-RELEASE.
>
> I'm trying to set up queueing with two different ISP uplinks attached to
> my gateway. Note that I am not trying to multihome the machine.
>
> The machine in question only has two interfaces, so those are trunked to
> an 8-port managed switch as vlans 1 through 6; the primary link's modem
> is plugged into vlan 5, and the secondary into vlan 6. All this is
> working fine.
>
> (Only one interface is attached to the trunk in this snapshot; the other
> is being used for system access while I get this sorted out.)
>
> ----8<----
> lagg0: flags=8843 metric 0 mtu 1500
>         options=38d8
>         ether 00:01:80:79:fc:5a
>         inet6 fe80::201:80ff:fe79:fc5a%lagg0 prefixlen 64 scopeid 0xa
>         inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
>         nd6 options=3
>         media: Ethernet autoselect
>         status: active
>         laggproto lacp
>         laggport: re0 flags=1c
> vlan5: flags=8843 metric 0 mtu 1500
>         ether 00:01:80:79:fc:5a
>         inet6 fe80::222:68ff:fe8e:e0fe%vlan5 prefixlen 64 scopeid 0xf
>         inet 216.80.73.130 netmask 0xfffffff8 broadcast 216.80.73.135
>         inet 216.80.73.131 netmask 0xffffffff broadcast 216.80.73.131
>         inet 192.168.100.2 netmask 0xfffffffc broadcast 192.168.100.3
>         nd6 options=3
>         media: Ethernet autoselect
>         status: active
>         vlan: 5 parent interface: lagg0
> vlan6: flags=8843 metric 0 mtu 1500
>         ether 00:01:80:79:fc:5a
>         inet6 fe80::222:68ff:fe8e:e0fe%vlan6 prefixlen 64 scopeid 0x10
>         inet 216.36.125.42 netmask 0xfffffff8 broadcast 216.36.125.47
>         inet 216.36.125.43 netmask 0xffffffff broadcast 216.36.125.43
>         inet 192.168.1.2 netmask 0xfffffffc broadcast 192.168.1.3
>         nd6 options=3
>         media: Ethernet autoselect
>         status: active
>         vlan: 6 parent interface: lagg0
> ----8<----
>
> Since AltQ refuses to function on vlan virtual interfaces, I have
> instead attached a hierarchy of classes to the parent interface (lagg0),
> and set up rules to classify packets into the queues according to pf
> tags and the egress interface. This is also working fine, and the
> packets are queued appropriately.
>
> ----8<----
> altq on lagg0 bandwidth 1Gb cbq queue { defq vlan5 vlan6 }
>  queue defq bandwidth 64Kb cbq(rio, ecn, default)
>  queue vlan5 bandwidth 4700Kb cbq(rio, ecn) { vlan5_phone, vlan5_ack, vlan5_ssh, vlan5_dflt, vlan5_bulk, vlan5_down }
>   queue vlan5_phone bandwidth 32Kb priority 7 cbq(rio, ecn, borrow)
>   queue vlan5_ack bandwidth 32Kb priority 6 cbq(rio, ecn, borrow)
>   queue vlan5_ssh bandwidth 128Kb priority 5 cbq(rio, ecn, borrow)
>   queue vlan5_dflt bandwidth 8Kb priority 4 cbq(rio, ecn, borrow)
>   queue vlan5_bulk bandwidth 8Kb priority 2 cbq(rio, ecn, borrow)
>   queue vlan5_down bandwidth 8Kb priority 0 cbq(rio, ecn, borrow)
>  queue vlan6 bandwidth 600Kb cbq(rio, ecn) { vlan6_phone, vlan6_ack, vlan6_ssh, vlan6_dflt, vlan6_bulk, vlan6_down }
>   queue vlan6_phone bandwidth 32Kb priority 7 cbq(rio, ecn, borrow)
>   queue vlan6_ack bandwidth 32Kb priority 6 cbq(rio, ecn, borrow)
>   queue vlan6_ssh bandwidth 128Kb priority 5 cbq(rio, ecn, borrow)
>   queue vlan6_dflt bandwidth 8Kb priority 4 cbq(rio, ecn, borrow)
>   queue vlan6_bulk bandwidth 8Kb priority 2 cbq(rio, ecn, borrow)
>   queue vlan6_down bandwidth 8Kb priority 0 cbq(rio, ecn, borrow)
> ----8<----
>
> What completely fails is my attempts to limit the bandwidth towards each
> of the modems. It seems that the second-level child classes are simply
> ignoring the parent class and borrowing directly from root instead,
> despite any hierarchies or bandwidth limits in place. This frequently
> results in queue suspends when they cannot drain fast enough, at which
> point all traffic ceases for a minute or so.
>
> ----8<----
> queue root_lagg0 on lagg0 bandwidth 1Gb priority 0 cbq( wrr root ) {defq, vlan5, vlan6}
>   [ pkts: 169394 bytes: 99190404 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
>   [ measured: 136.8 packets/s, 364.26Kb/s ]
> ...
> queue vlan5 on lagg0 bandwidth 4.70Mb cbq( red ecn rio ) {vlan5_phone, vlan5_ack, vlan5_ssh, vlan5_dflt, vlan5_bulk, vlan5_down}
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue vlan5_phone on lagg0 bandwidth 32Kb priority 7 cbq( red ecn rio borrow )
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue vlan5_ack on lagg0 bandwidth 32Kb priority 6 cbq( red ecn rio borrow )
>   [ pkts: 45696 bytes: 2750286 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 3590 suspends: 0 ]
>   [ measured: 30.3 packets/s, 14.45Kb/s ]
> queue vlan5_ssh on lagg0 bandwidth 128Kb priority 5 cbq( red ecn rio borrow )
>   [ pkts: 399 bytes: 26482 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
>   [ measured: 0.5 packets/s, 261.29 b/s ]
> queue vlan5_dflt on lagg0 bandwidth 8Kb priority 4 cbq( red ecn rio borrow )
>   [ pkts: 115694 bytes: 91758450 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 115687 suspends: 17 ]
>   [ measured: 98.6 packets/s, 309Kb/s ]
> queue vlan5_bulk on lagg0 bandwidth 8Kb priority 2 cbq( red ecn rio borrow )
>   [ pkts: 55 bytes: 8494 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> queue vlan5_down on lagg0 bandwidth 8Kb priority 0 cbq( red ecn rio borrow )
>   [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
>   [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
>   [ measured: 0.0 packets/s, 0 b/s ]
> ----8<----
>
> Does anyone here have experience with such a setup? Do I have incorrect
> expectations, or a flawed implementation? Is this a known issue with the
> AltQ implementation in FreeBSD 8.2?
>
> I can provide further information upon request.

It figures; minutes after I hit 'send', I find a PR explaining this
exact issue, including a workaround.

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/155736

Sorry for the noise.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net

Furry Peace! - http://wwww.fur.com/peace/
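
Added example, not part of any message in this archive: a Python check over verbose queue statistics in the format quoted in the AltQ thread above. It flags queues that were suspended, queues running above their own share on borrowed bandwidth, and parents whose children's measured rates add up to more than the parent's configured bandwidth. The sample is abridged from the thread's output; the function names are hypothetical and decimal unit prefixes (K = 1000) are assumed.

```python
import re

# Constructed sample: the queue statistics quoted in the thread, abridged to
# the root, the vlan5 parent and three of its children.
SAMPLE = """\
queue root_lagg0 on lagg0 bandwidth 1Gb priority 0 cbq( wrr root ) {defq, vlan5, vlan6}
  [ pkts: 169394 bytes: 99190404 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 136.8 packets/s, 364.26Kb/s ]
queue vlan5 on lagg0 bandwidth 4.70Mb cbq( red ecn rio ) {vlan5_phone, vlan5_ack, vlan5_ssh, vlan5_dflt, vlan5_bulk, vlan5_down}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue vlan5_ack on lagg0 bandwidth 32Kb priority 6 cbq( red ecn rio borrow )
  [ pkts: 45696 bytes: 2750286 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 3590 suspends: 0 ]
  [ measured: 30.3 packets/s, 14.45Kb/s ]
queue vlan5_ssh on lagg0 bandwidth 128Kb priority 5 cbq( red ecn rio borrow )
  [ pkts: 399 bytes: 26482 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 0 suspends: 0 ]
  [ measured: 0.5 packets/s, 261.29 b/s ]
queue vlan5_dflt on lagg0 bandwidth 8Kb priority 4 cbq( red ecn rio borrow )
  [ pkts: 115694 bytes: 91758450 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 borrows: 115687 suspends: 17 ]
  [ measured: 98.6 packets/s, 309Kb/s ]
"""

# Assumption: rates are printed with decimal prefixes (K = 1000).
UNIT = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}

HEAD = re.compile(r"^queue\s+(\S+)\s+on\s+\S+\s+bandwidth\s+([\d.]+)([KMG]?)b\s*(.*)$")
KIDS = re.compile(r"\{([^}]*)\}")
COUNTS = re.compile(r"borrows:\s*(\d+)\s+suspends:\s*(\d+)")
RATE = re.compile(r"measured:.*?,\s*([\d.]+)\s*([KMG]?)b/s")


def parse_queues(text):
    """Return {queue name: stats dict}, in the order the queues appear."""
    queues, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEAD.match(line)
        if head:
            name, num, prefix, rest = head.groups()
            kids = KIDS.search(rest)
            cur = queues[name] = {
                "limit": float(num) * UNIT[prefix],        # configured bits/s
                "borrow": re.search(r"\bborrow\b", rest) is not None,
                "children": [k.strip() for k in kids.group(1).split(",")] if kids else [],
                "borrows": 0, "suspends": 0, "rate": 0.0,
            }
            continue
        if cur is None:
            continue  # statistics line before any queue header
        counts = COUNTS.search(line)
        if counts:
            cur["borrows"], cur["suspends"] = map(int, counts.groups())
        rate = RATE.search(line)
        if rate:
            cur["rate"] = float(rate.group(1)) * UNIT[rate.group(2)]  # measured bits/s
    return queues


def audit(queues):
    """Return (queue, finding) pairs that deserve a closer look."""
    findings = []
    for name, q in queues.items():
        if q["suspends"]:
            findings.append((name, "suspended"))
        if q["borrow"] and q["rate"] > q["limit"]:
            findings.append((name, "borrowing_above_share"))
        # Children missing from the parsed text (abridged output) are skipped.
        kids = [queues[k] for k in q["children"] if k in queues]
        if kids and sum(k["rate"] for k in kids) > q["limit"]:
            findings.append((name, "children_exceed_parent"))
    return findings


if __name__ == "__main__":
    for queue, finding in audit(parse_queues(SAMPLE)):
        print(queue, finding)
```
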