Date: Fri, 21 May 2010 08:36:42 +0200
From: "Spenst, Aleksej" <Aleksej.Spenst@harman.com>
To: 'shoks' <lowbotskie@gmail.com>
Cc: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: AW: Ingress traffic shaping
Message-ID: <20290C577F743240B5256C89EFA753810C3CC9FE53@HIKAWSEX01.ad.harman.com>
In-Reply-To: <AANLkTilDPmQYB3fPDyjD53bvuFXvav9nnJ6j3_lLUSMR@mail.gmail.com>
References: <20290C577F743240B5256C89EFA753810C3CC9FE50@HIKAWSEX01.ad.harman.com> <AANLkTilDPmQYB3fPDyjD53bvuFXvav9nnJ6j3_lLUSMR@mail.gmail.com>

>> If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
>> Are there any tricks to do it?
> Not really tricky, a diligent read of the PF and ALTQ doc should help you figure out the right configs. Would you mind posting your PF configs, the one without the loopback redirection?

Thank you for your answer, but it's clear to me how to configure the first described case when the incoming traffic is forwarded further to the LAN and shaped as outgoing traffic at the router. My questions are more general. First I would like to know whether it is at all possible and then how it can be done (not necessarily in terms of configuration).

At the moment I see that if traffic is forwarded further to the LAN, it might work somehow as discussed in the previous message from Raymond.

However, I also see that if the incoming traffic is not forwarded further it is not possible to slow it down somehow and this is now my big problem: I can't do anything with pf/altq to slow down the download traffic. That is why I'm asking whether there are any tricks to do it. I'm wondering if my example with loopback redirection can theoretically work... then I would think about proper configuration. What I feel now is that forwarding of packets between different interfaces within one host doesn't use queues as expected, probably the packets are somehow internally forwarded between interfaces and not properly sent via queues as they would be if sent outside. I use "route-to" for sending packets from ext_if to lo0 and "rdr" for sending them back from lo0 to ext_if and I see that the queues at the lo0 interface (where I could shape the traffic) are always empty...

Having written this I've realised that I have to give my pf.conf. Sorry, this is exactly what you haven't asked for, but maybe you can help :)

# ----------------------------------------------------
# pf.conf: redirection of ingress traffic from $ext_if to loopback interface $lo and then back to $ext_if
# this is to be able to shape ingress traffic with altq when sending it from $lo
# in terms of data connection this works fine

### Queue configuration
altq on $lo priq bandwidth 50Kb queue{q1,q2}
queue q1 priority 14 priq
queue q2 priority 0 priq (default)

### Rdr rule
rdr on $lo -> $ext_if0

### Filtering
block in log
block out log
pass in log on $lo
pass out log quick on $lo queue q2
pass in log on $ext_if0 route-to $lo
pass out log on $ext_if0
# ----------------------------------------------------

Problem: q2 queue is always empty (actually it always contains only 1 incoming ACK packet when the TCP download session is over, but no incoming data packets).

Thanks for any help!
Aleksej.

________________________________
From: shoks [mailto:lowbotskie@gmail.com]
Sent: Friday, 21 May 2010 04:46
To: Spenst, Aleksej
Cc: freebsd-pf@freebsd.org
Subject: Re: Ingress traffic shaping

On Thu, May 20, 2010 at 4:18 PM, Spenst, Aleksej <Aleksej.Spenst@harman.com> wrote:

Hi All,

If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
Are there any tricks to do it?

Not really tricky, a diligent read of the PF and ALTQ doc should help you figure out the right configs. Would you mind posting your PF configs, the one without the loopback redirection?

I suppose that if incoming traffic is sent out by the router further to the LAN, the incoming traffic can be considered as outgoing traffic and therefore can be easily shaped.

---- incoming traffic ---> <ext_if> ROUTER <int_if with altq> ---- shaped outgoing traffic ---->

So, in this case one can say that ingress traffic can be shaped. In this manner it should be possible to limit TCP download traffic.

What if traffic is not forwarded further?

---- incoming traffic ---> <ext_if> END HOST

Is it possible to do anything to slow down for example TCP download traffic? Drop incoming packets? Drop or slow down outgoing ACKs?
I've tried to put outgoing ACKs in the queue with the lowest priority, but that doesn't help when there is not much other outbound traffic.

I also was trying to figure out whether it is possible to forward the incoming traffic to the loopback interface and then back to ext_if, so that incoming traffic can be considered as outgoing at the loopback interface.

---- incoming traffic ---> <ext_if> ----> <lo0> ---- shaped outgoing traffic ----><back to ext_if>

but I couldn't configure pf.conf such that this would be possible... Is this theoretically possible?

Thanks a lot for any tips!
Aleksej.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
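
Added example, not part of the original message or the thread: a small Python model of strict-priority (PRIQ-style) scheduling, illustrating the observation above that putting outgoing ACKs in the lowest-priority queue adds no delay on an otherwise idle link. It goes slightly beyond the message by also showing the two cases where the ACKs are held back: competing higher-priority traffic, and a 50Kb link rate (the figure from the posted pf.conf). Packet sizes, timings and the 1Mb link speed are constructed assumptions.

```python
import heapq

ACK_PRIO, BULK_PRIO = 0, 14  # priorities of q2 and q1 in the posted pf.conf

def priq_departures(packets, link_bps):
    """Strict-priority, work-conserving scheduler on one outbound link.

    packets: list of (arrival_s, size_bytes, priority).
    Returns {packet_index: departure_time_s}.
    """
    pending = sorted(enumerate(packets), key=lambda p: p[1][0])
    ready, out, now, i = [], {}, 0.0, 0
    while i < len(pending) or ready:
        if not ready and pending[i][1][0] > now:
            now = pending[i][1][0]  # link idle: jump to the next arrival
        while i < len(pending) and pending[i][1][0] <= now:
            idx, (t, size, prio) = pending[i]
            heapq.heappush(ready, (-prio, t, idx, size))  # highest priority first
            i += 1
        _, _, idx, size = heapq.heappop(ready)
        now += size * 8 / link_bps  # serialization time on the link
        out[idx] = now
    return out

def ack_delays(packets, link_bps):
    """Queueing + transmit delay (seconds) of every ACK-priority packet."""
    out = priq_departures(packets, link_bps)
    return [out[i] - t for i, (t, _, prio) in enumerate(packets)
            if prio == ACK_PRIO]

# Constructed traffic: 100 outgoing 40-byte ACKs, one every 2 ms.
ACKS = [(n * 0.002, 40, ACK_PRIO) for n in range(100)]
# Constructed competing upload: 50 full-size packets queued at t=0.
BULK = [(0.0, 1500, BULK_PRIO) for _ in range(50)]

if __name__ == "__main__":
    cases = [("idle 1Mb link", ACKS, 1_000_000),
             ("busy 1Mb link", ACKS + BULK, 1_000_000),
             ("idle 50Kb link", ACKS, 50_000)]
    for label, pkts, bps in cases:
        d = ack_delays(pkts, bps)
        print(f"{label}: ACK delay min {min(d)*1000:.2f} ms, "
              f"max {max(d)*1000:.2f} ms")
```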