From owner-freebsd-pf@FreeBSD.ORG  Fri Nov 10 12:04:56 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2158B16A416
	for <freebsd-pf@freebsd.org>; Fri, 10 Nov 2006 12:04:56 +0000 (UTC)
	(envelope-from mime@traveller.cz)
Received: from nxm.secservers.com (nxm.secservers.com [193.85.228.22])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 7F9CF43D45
	for <freebsd-pf@freebsd.org>; Fri, 10 Nov 2006 12:04:55 +0000 (GMT)
	(envelope-from mime@traveller.cz)
Received: from [127.0.0.1] (nxm.secservers.com. [193.85.228.22])
	by nxm.secservers.com (8.13.4/8.13.4) with ESMTP id kAAC4pRs085596;
	Fri, 10 Nov 2006 13:04:52 +0100 (CET)
	(envelope-from mime@traveller.cz)
From: Michal Mertl <mime@traveller.cz>
To: Muhammad Reza <beastie@mra.co.id>
In-Reply-To: <1163010356.1504.46.camel@beastie.mra.co.id>
References: <1162836051.23997.7.camel@beastie.mra.co.id>
	<6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com>
	<6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com>
	<1163010356.1504.46.camel@beastie.mra.co.id>
Content-Type: text/plain
Date: Fri, 10 Nov 2006 13:04:46 +0100
Message-Id: <1163160286.5022.19.camel@genius.i.cz>
Mime-Version: 1.0
X-Mailer: Evolution 2.8.1.1 FreeBSD GNOME Team Port 
Content-Transfer-Encoding: 7bit
Cc: "FreeBSD \(PF\)" <freebsd-pf@freebsd.org>
Subject: Re: pf.conf + altq problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Nov 2006 12:04:56 -0000

Muhammad Reza wrote:
> still not work with pass in rule.
> 
> add info with this rule set:
> 
> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
> queue int_out       bandwidth 3Mb
> queue dflt_out      bandwidth  16Kb cbq (default)
> 
> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
> queue int_in       bandwidth 3Mb
> queue dflt_in      bandwidth 16Kb cbq (default)
> 
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep  state flags
> S/SA queue (int_out)
> pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags
> S/SA queue (int_in)
> 
> if i only enabled altq on in one interface only (xl1 or xl2) , traffic
> limitation that i want is can be done.
> 
> Is there something that can be done with ALTQ and PF or my rule is
> bad ???

The rules above (for TCP) do not match the traffic from both directions
of a single TCP connection - "flags S/SA" matches just the first packet
of the TCP session initiated by the source adress (on the left). They
limit only one direction of connections initiated from either of the
addresses. Try removing "flags S/SA".

Michal