From owner-freebsd-pf@FreeBSD.ORG Thu Mar 17 10:07:12 2005
From: "Constant, Benjamin"
To: freebsd-pf@freebsd.org
Date: Thu, 17 Mar 2005 11:03:58 +0100
Subject: Interrogation regarding pf + ALTQ
List-Id: Technical discussion and general questions about packet filter (pf)

Hello list,

I'm performing some tests with pf & ALTQ here, but before going further on, there are some obscure points I would like to clear up in my mind; that's why I hope some gurus available on this list will give me some more information.

Here is how I understand the assignment to queues when the bsd_box is acting as a gateway with two network interfaces:

              ..........int_if(in)    ext_if(ou)------------
  [station_a]              [bsd_box]              [station_b]
              ----------int_if(ou)    ext_if(in)............

Dotted lines represent incoming traffic that can't be assigned to the queues defined on the interface (you can't shape incoming traffic). Dashed lines represent outgoing traffic that can be shaped through the queues defined on the interface (outgoing traffic). You are already welcome to correct me if I missed something on this point!
Some more details:

bsd_box is not acting as a firewall, it is only doing routing and traffic shaping.
int_if is the internal interface connected to a 100Mbits switch with a bandwidth of 100Mbits.
ext_if is the external interface connected to a 100Mbits switch with a real bandwidth of 4Mbits (2Mbits up + 2Mbits down leased line) to the outside world.

Here is what I want to do:

Shape the traffic according to the maximum bandwidth available for both incoming and outgoing traffic on the leased line.

What I understand:

As I can't shape the traffic coming from station_b to station_a on the ext_if, the only way for me to rate limit incoming traffic is to define a queue with a maximum bandwidth of 2Mbits on the int_if, but what about the outgoing traffic on the external interface? Is it enough to define a queue with a maximum bandwidth of 2Mbits on the ext_if?

Some other questions:

- When a packet is matching a state, is it still at least evaluated for queueing?
- As the bsd_box is not acting as a firewall, should I use a state table entry for each interface (set state-policy runtime option)? Will it speed up the lookups in the table? Is there any risk to drop/discard the packets even if the default behaviour is pass all and the rule is using the quick keyword?
- Are there documents that clearly describe the flow of packets crossing a bsd box running pf + ALTQ?
- Are there other tools than pftop and pfctl to help in debugging pf and traffic shaping?

You'll find below one of my pf files for one of my router boxes. I hope I was clear enough with my explanation, and I want to thank you for the time you may spend on my questions.

Best Regards,

Benjamin Constant

PS: This message was also sent to the pf@bendrezine.cx mailing list as I want to gather as much information as possible.
Here is a stripped sample of what I did (I know there are differences compared to my previous explanation); feel free to comment on it if you see strange things in it:

# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# Macros: define common values, so they can be referenced and changed easily.

# Interfaces ######
#
# We have two interfaces: int_if is connected to the local lan and also to the
# firewall which is located on the local lan.
# Interface ext_if is used for vpn traffic and is connected to vpn boxes on a
# different logical network.
#
###################
int_if="em0"
ext_if="em1"

# Servers
proxy="ip"
support="ip"
sla="{ ips }"

# Site bandwidth available
#
#
###################
bwdth="2048Kb"

# Tables: similar to macros, but more flexible for many addresses.
table persist file "/etc/pf.iprange.tiauto"
table persist

# Options: tune the behavior of pf, default values are given.

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub log-all on $int_if all
#scrub log-all on $int_if all reassemble tcp
#scrub log-all on $ext_if all
#scrub log-all on $ext_if all reassemble tcp

# Queueing: rule-based bandwidth control.
altq on $ext_if cbq bandwidth $bwdth queue { internet, vpn, sla, dbg }

# Main children queues
#
# We have decided to split the traffic into 3 main queues as follows:
# - Internet queue is dedicated to internet traffic
# - Vpn queue is used for traffic between sites (through vpn).
# - Sla queue is used as a quality of service queue for specific hosts or services.
#
###################
# Internet queue
queue internet bandwidth 512Kb priority 1 cbq { i_default, i_high }
queue i_default priority 5 cbq(borrow)
queue i_high priority 6 cbq(borrow)
# Default and vpn queue
queue vpn bandwidth 1Mb priority 2 cbq(default, borrow) { v_low, v_mon, v_normal, v_high, v_critical, v_default }
queue v_low priority 4 cbq(borrow)
queue v_mon bandwidth 128Kb priority 4 cbq(ecn)
queue v_normal priority 5 cbq(borrow)
queue v_high priority 6 cbq(borrow)
queue v_critical priority 7 cbq(borrow)
queue v_default priority 5 cbq(borrow)
# Sla queue
queue sla bandwidth 512Kb priority 2 cbq(borrow)
# Debugging queue
queue dbg priority 2 { d_in, d_out }
queue d_in priority 5 cbq(borrow)
queue d_out priority 5 cbq(borrow)

# Queue assignment
#
# - 'remote' means ip range <> lan
# - 'local' means lan ip range
#
###################
# drop broadcast packets
block drop in quick on $int_if from any to $int_if:broadcast
block drop in quick on $ext_if from any to $ext_if:broadcast

# traffic FROM remote TO local proxy (replies to local will not cross this server, this is not a transparent proxy)
pass in quick on $ext_if proto tcp from to $proxy port 8080 flags S/SA keep state queue i_default
pass out quick on $ext_if proto tcp from $proxy port 8080 to keep state queue i_default

# traffic FROM remote TO local $sla server pool
pass in quick on $ext_if proto tcp from to $sla flags S/SA keep state queue sla
pass out quick on $ext_if proto tcp from $sla to keep state queue sla

# traffic FROM remote TO remote $support
pass in quick on $ext_if proto tcp from to $support port 80 flags S/SA keep state queue sla
pass out quick on $ext_if proto tcp from $support port 80 to keep state queue sla

# traffic FROM local TO remote $support
pass in quick on $int_if proto tcp from to $support port 80 flags S/SA keep state queue sla

# traffic FROM remote TO remote OR local http servers
pass in quick on $ext_if proto tcp from to port { 80, 443 } flags S/SA keep state queue v_high
pass out quick on $ext_if proto tcp from port { 80, 443 } to keep state queue v_high

# traffic FROM local TO remote http servers
pass in quick on $int_if proto tcp from to port { 80, 443 } flags S/SA keep state queue v_high

# traffic FROM remote TO remote OR local FOR mail exchange
pass in quick on $ext_if proto tcp from to port { 25, 102 } flags S/SA keep state queue v_normal
pass out quick on $ext_if proto tcp from port { 25, 102 } to keep state queue v_normal

# traffic FROM local TO remote FOR mail exchange
pass in quick on $int_if proto tcp from to port { 25, 102 } flags S/SA keep state queue v_normal

# traffic FROM remote TO remote FOR unmatched traffic
pass in quick on $ext_if from to flags S/SA keep state queue v_default
pass out quick on $ext_if from to keep state queue v_default

# traffic FROM remote TO everywhere FOR unmatched traffic (Internet is everywhere)
pass in quick on $ext_if from to any flags S/SA keep state queue i_default
pass out quick on $ext_if from any to keep state queue i_default

# default policies
pass in on $int_if from to any
pass out on $int_if from any to
pass on lo0 all

Benjamin Constant
TI Automotive
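The queue tree above is the part of the ruleset that is easiest to get subtly wrong: CBQ children that together ask for more than their parent, a child named in braces but never defined, or no (or two) `default` queues. `pfctl -nf` catches these on a box that has pf, but the following is an added, stand-alone checker (not part of Benjamin's message and not pf's own code) that parses the `altq` and `queue` lines, resolves macros such as `$bwdth`, and reports those three problems. It assumes pfctl's decimal unit multipliers (Kb = 1000 b/s, Mb = 1000000 b/s), ignores every non-queueing line, and the embedded configuration is a constructed subset of the poster's queue tree; percentage bandwidths are not supported.

```python
"""Offline sanity check of a pf.conf ALTQ queue hierarchy (added example)."""
import re

# Decimal multipliers, as pfctl applies to Kb/Mb/Gb (assumption, see lead-in).
UNITS = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}


def parse_bandwidth(text, macros):
    """'512Kb', '1Mb' or '$bwdth' -> bits per second (percentages unsupported)."""
    if text.startswith("$"):
        text = macros[text[1:]]
    m = re.fullmatch(r"(\d+)([KMG]?b)?", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable bandwidth {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "b").lower()]


def _children(line):
    """Names listed in '{ a, b, c }' on an altq or queue line."""
    m = re.search(r"\{([^}]*)\}", line)
    return [c.strip() for c in m.group(1).split(",") if c.strip()] if m else []


def _is_default(line):
    """True when the scheduler options (e.g. cbq(default, borrow)) include default."""
    m = re.search(r"\b(?:cbq|hfsc|priq)\(([^)]*)\)", line)
    return bool(m) and "default" in [o.strip() for o in m.group(1).split(",")]


def parse_queues(conf):
    """Return (roots, nodes); roots are the per-interface altq nodes."""
    macros, nodes, roots = {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:                                   # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        bw = re.search(r"\bbandwidth\s+(\S+)", line)
        node = {"bandwidth": parse_bandwidth(bw.group(1), macros) if bw else None,
                "children": _children(line), "default": _is_default(line)}
        if line.startswith("altq on "):
            ifname = line.split()[2]
            if ifname.startswith("$"):
                ifname = macros.get(ifname[1:], ifname)
            name = f"altq:{ifname}"
            roots.append(name)
        elif line.startswith("queue "):
            name = line.split()[1]
        else:
            continue                            # scrub/pass/block/table: not queueing
        nodes[name] = node
    return roots, nodes


def check_hierarchy(conf):
    """List of human-readable problems; an empty list means the tree is sane."""
    roots, nodes = parse_queues(conf)
    problems = []

    def walk(name):
        node, allocated = nodes[name], 0
        for child in node["children"]:
            if child not in nodes:
                problems.append(f"{name}: child queue '{child}' is never defined")
                continue
            cbw = nodes[child]["bandwidth"]
            if cbw is not None:                 # children without a bandwidth are not counted
                allocated += cbw
            walk(child)
        if node["bandwidth"] is not None and allocated > node["bandwidth"]:
            problems.append(f"{name}: children request {allocated} b/s, "
                            f"parent only has {node['bandwidth']} b/s")

    def subtree(name):
        return [name] + [n for c in nodes[name]["children"] if c in nodes
                         for n in subtree(c)]

    for root in roots:
        walk(root)
        defaults = [n for n in subtree(root) if nodes[n]["default"]]
        if len(defaults) != 1:
            problems.append(f"{root}: expected exactly one default queue, found {defaults}")
    return problems


# Constructed sample: a subset of the poster's queue tree on the 2048Kb leased line.
SAMPLE = """
ext_if="em1"
bwdth="2048Kb"
altq on $ext_if cbq bandwidth $bwdth queue { internet, vpn, sla, dbg }
queue internet bandwidth 512Kb priority 1 cbq { i_default, i_high }
queue i_default priority 5 cbq(borrow)
queue i_high priority 6 cbq(borrow)
queue vpn bandwidth 1Mb priority 2 cbq(default, borrow) { v_low, v_mon, v_normal }
queue v_low priority 4 cbq(borrow)
queue v_mon bandwidth 128Kb priority 4 cbq(ecn)
queue v_normal priority 5 cbq(borrow)
queue sla bandwidth 512Kb priority 2 cbq(borrow)
queue dbg priority 2 { d_in, d_out }
queue d_in priority 5 cbq(borrow)
queue d_out priority 5 cbq(borrow)
"""
# Two deliberately broken variants: 1Mb + 1Mb + 512Kb > 2048Kb, and no default queue.
OVERSUBSCRIBED = SAMPLE.replace("queue internet bandwidth 512Kb", "queue internet bandwidth 1Mb")
NO_DEFAULT = SAMPLE.replace("cbq(default, borrow)", "cbq(borrow)")

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE), ("oversubscribed", OVERSUBSCRIBED),
                        ("no default", NO_DEFAULT)):
        print(label, "->", check_hierarchy(conf) or "ok")
```

The sum check only counts children with an explicit `bandwidth`; queues such as `dbg` that have none are left out of the budget, so a clean result here does not replace `pfctl -nf`, it only catches the arithmetic and naming slips before the ruleset reaches the router.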