From: Rafael Henrique Faria
Date: Thu, 24 Jun 2010 14:18:07 -0300
To: Ermal Luçi
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Subject: Re: Unknown Behavior of PF+ALTQ on a Bridge

On Thu, Jun 24, 2010 at 14:04, Ermal Luçi wrote:
> On Thu, Jun 24, 2010 at 3:12 PM, Rafael Henrique Faria wrote:
>> Hi.
>>
>> I'm working on a Bridge between a router Cisco 7200, and a 3Com 7900 switch.
>> I have several subnetworks, and I need to balance the bandwidth between them.
>>
>> The Bridge is running: "FreeBSD dell05 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #0: Tue Jun 22 13:59:17 BRT 2010 rafaelhfaria@dell05:/usr/obj/usr/src/sys/BRIDGE  amd64"
>>
>> I have the following lines in /boot/loader.conf:
>> ---
>> net.graph.maxalloc=512
>> net.graph.maxdgram=45000
>> net.graph.recvspace=45000
>> bridgestp_load="YES"
>> if_vlan_load="YES"
>> ---
>>
>> And my kernel is compiled with:
>> device          if_bridge
>> device          pf
>> device          pflog
>> options         ALTQ
>> options         ALTQ_CBQ
>> options         ALTQ_RED
>> options         ALTQ_RIO
>> options         ALTQ_HFSC
>> options         ALTQ_PRIQ
>> options         ALTQ_NOPCC
>> options         DEVICE_POLLING
>> options         HZ=1000
>> options         SHMSEG=16
>> options         SHMMNI=32
>> options         SHMMAX=2097152
>> options         SHMALL=4096
>> options         MAXFILES=8192
>>
>> And the bridge configuration:
>> cloned_interfaces="bridge0 vlan1"
>> ifconfig_bridge0="addm bce0 stp bce0 addm bce1 stp bce1 up"
>> ifconfig_bce0="polling up"
>> ifconfig_bce1="polling up"
>> ifconfig_vlan1="inet 200.x.x.x netmask 0xFFFFFF00 broadcast 200.x.x.255 vlan 1 vlandev bce1"
>>
>> bce0 is connected to the Cisco 7200 ($wan_if in pf)
>> bce1 is connected to the 3Com 7900 ($lan_if in pf)
>>
>> And my sysctl for bridge:
>> dell05# sysctl net.link.bridge
>> net.link.bridge.ipfw: 0
>> net.link.bridge.inherit_mac: 0
>> net.link.bridge.log_stp: 0
>> net.link.bridge.pfil_local_phys: 1
>> net.link.bridge.pfil_member: 1
>> net.link.bridge.pfil_bridge: 0
>> net.link.bridge.ipfw_arp: 0
>> net.link.bridge.pfil_onlyip: 0
>> dell05#
>>
>> Ok...
>>
>> Now, the problem.
>>
>> With the following queue:
>> altq on $lan_if bandwidth 33Mb hfsc queue { down_sub1, down_sub2, down_sub3, down_sub4, down_def }
>>   queue down_sub1   bandwidth 8Mb priority 1 qlimit 300 hfsc ( realtime 3.20Mb upperlimit 22.40Mb )
>>   queue down_sub2   bandwidth 8Mb priority 1 qlimit 300 hfsc ( realtime 3.20Mb upperlimit 22.40Mb )
>>   queue down_sub3   bandwidth 8Mb priority 1 qlimit 300 hfsc ( realtime 3.20Mb upperlimit 22.40Mb )
>>   queue down_sub4   bandwidth 8Mb priority 1 qlimit 300 hfsc ( realtime 3.20Mb upperlimit 22.40Mb )
>>   queue down_def    bandwidth 128Kb hfsc ( default )
>>
>> And with the following rules:
>> pass in  log quick on $lan_if from to any keep state queue ( down_sub1 )
>> pass out log quick on $wan_if from to any keep state queue ( up_sub1 )
>> pass in  log quick on $wan_if from any to keep state queue ( up_sub1 )
>> pass out log quick on $lan_if from any to keep state queue ( down_sub1 )
>>
>> (..) for each I have the pass rules like those.
>>
>>
>> With the full use of the link, only a small part of the traffic gets
>> into the correct queue.
>>
>> queue root_bce1 on bce1 bandwidth 33Mb priority 0 {down_sub1, down_sub2, down_sub3, down_sub4, down_def}
>>  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>>  [ qlength:   0/ 50 ]
>>  [ measured:     0.0 packets/s, 0 b/s ]
>> queue  down_sub1 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
>>  [ pkts:      53177  bytes:   50082785  dropped pkts:      0 bytes:      0 ]
>>  [ qlength:   0/300 ]
>>  [ measured:   364.5 packets/s, 2.81Mb/s ]
>> queue  down_sub2 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
>>  [ pkts:      90724  bytes:   79670459  dropped pkts:      0 bytes:      0 ]
>>  [ qlength:   0/300 ]
>>  [ measured:   744.6 packets/s, 5.20Mb/s ]
>> queue  down_sub3 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
>>  [ pkts:      38333  bytes:   37384626  dropped pkts:      0 bytes:      0 ]
>>  [ qlength:   0/300 ]
>>  [ measured:   285.2 packets/s, 2.35Mb/s ]
>> queue  down_sub4 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
>>  [ pkts:      80385  bytes:   69021129  dropped pkts:      0 bytes:      0 ]
>>  [ qlength:   0/300 ]
>>  [ measured:   585.1 packets/s, 3.92Mb/s ]
>> queue  down_def on bce1 bandwidth 128Kb hfsc( default )
>>  [ pkts:     268756  bytes:  336423531  dropped pkts:    121 bytes:  81921 ]
>>  [ qlength:   0/ 50 ]
>>  [ measured:  1615.4 packets/s, 16.49Mb/s ]
>>
>> Watching the pflog interface, I can see that the pass rules are
>> working, no traffic is getting out of one of the rules (I have put a
>> "pass log all" to check this).
>>
>> All the rules are working... but they aren't sending the traffic to
>> the specified queue.
>>
>> If someone has a clue for this...
>> Any suggestions are welcome.
>>
>> Thanks in advance.
>
> Sorry but I do not see any evidence that what you claim is true!
>
> --
> Ermal
>

My subnets are all /24, so

table const { 200.x.1.0/24 }
table const { 200.x.2.0/24 }
table const { 200.x.3.0/24 }
table const { 200.x.4.0/24 }

In my network, I only have those subnets.

With:

pass all from to any queue sub1
pass all from any to queue sub1
pass all from to any queue sub2
pass all from any to queue sub2
pass all from to any queue sub3
pass all from any to queue sub3
pass all from to any queue sub4
pass all from any to queue sub4
pass all (sent to default queue)

The queues have to get all the traffic from my network. But it doesn't.

If I put a log option on the last pass all rule, and do a tcpdump on
pflog0, no packet is shown. So, the rules are working OK.

But with "pfctl -vvs queue", it shows:

sub1: 2.81Mb/s
sub2: 5.20Mb/s
sub3: 2.35Mb/s
sub4: 3.92Mb/s
default: 16.49Mb/s

As I understand it, with the pass rules, all the traffic from those
subnets needs to get into that queue.

So... with the pass rule of the , all the traffic data from that
subnet needs to get into the queue sub1, the same with sub2, sub3, and
sub4.

But why do I have high traffic in the default queue?
There is no packet at the last pass all rule. So, no packet is missing
the other rules.

What I want is to get all the traffic from 200.x.1.0/24 into the sub1
queue, and get limited by this queue, not the default queue. And again,
the same with sub2-4.

I'm using HFSC, but I'll try with CBQ.

-- 
Rafael Henrique da Silva Faria
Grupo de Sistemas e Redes
Serviço Técnico de Informática
Faculdade de Ciências e Letras do Campus de Araraquara - UNESP
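
Added example (not part of the original message): a small Python parser for "pfctl -vvs queue" output that reports what fraction of the measured leaf-queue traffic lands in the default queue, the symptom described in the message above. The sample text is constructed from the statistics quoted in the thread, trimmed to the lines the parser reads; the function names are hypothetical.

```python
import re

# Constructed sample: queue headers and "measured" lines taken from the
# pfctl -vvs queue statistics quoted in the thread (other lines trimmed).
SAMPLE = """\
queue root_bce1 on bce1 bandwidth 33Mb priority 0 {down_sub1, down_sub2, down_sub3, down_sub4, down_def}
  [ measured:     0.0 packets/s, 0 b/s ]
queue  down_sub1 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
  [ measured:   364.5 packets/s, 2.81Mb/s ]
queue  down_sub2 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
  [ measured:   744.6 packets/s, 5.20Mb/s ]
queue  down_sub3 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
  [ measured:   285.2 packets/s, 2.35Mb/s ]
queue  down_sub4 on bce1 bandwidth 8Mb qlimit 300 hfsc( realtime 3.20Mb upperlimit 22.40Mb )
  [ measured:   585.1 packets/s, 3.92Mb/s ]
queue  down_def on bce1 bandwidth 128Kb hfsc( default )
  [ measured:  1615.4 packets/s, 16.49Mb/s ]
"""

UNITS = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)\s+(.*)$")
RATE_RE = re.compile(r"measured:.*?,\s*([\d.]+)\s*([KMG]?)b/s")

def parse_queues(text):
    """Return {name: {"rate": bits/s, "default": bool, "parent": bool}}."""
    queues, current = {}, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current, rest = m.group(1), m.group(3)
            queues[current] = {"rate": 0.0,
                               "default": bool(re.search(r"\bdefault\b", rest)),
                               "parent": "{" in rest}  # has child queues
            continue
        m = RATE_RE.search(line)
        if m and current:
            queues[current]["rate"] = float(m.group(1)) * UNITS[m.group(2)]
    return queues

def default_share(queues):
    """Fraction of measured leaf-queue traffic carried by the default queue."""
    leaves = [q for q in queues.values() if not q["parent"]]
    total = sum(q["rate"] for q in leaves)
    in_default = sum(q["rate"] for q in leaves if q["default"])
    return in_default / total if total else 0.0
```

On the quoted statistics, default_share(parse_queues(SAMPLE)) is about 0.54: more than half of the measured traffic on bce1 is in down_def rather than in the per-subnet queues.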