From: vila@tesla.cujae.edu.cu
To: István
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
Date: Sat, 06 Jun 2009 13:52:50 -0400
Message-ID: <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>
List-Id: "Technical discussion and general questions about packet filter (pf)"
István wrote:

> Hi!
>
> In general it is a very bad idea to use the same way what you have been
> using before when you are moving to a new platform. You wouldn't use bash to
> manage win2k8 servers, just to give you an example what I am talking about.
>
> The question is:
>
> What do you want to do with pf. Forget about netfilter/conntrack and so on.
> What do you want to achieve?
>
> This is the only question.
>
>
> Regards,
> Istvan

I believe you are right, Istvan! This is the thing:

I want to do some traffic shaping on both interfaces of a FreeBSD box. As you
all probably know, the real congestion generally occurs on the downlink
interface because of the asymmetric nature of some protocols (e.g. HTTP).

On the internal network I have some applications that put DSCP tags on
packets according to different classes of service. The uplink shaping can be
done simply by matching the corresponding DSCP field of each connection and
sending it to different queues (by the way, the docs I've read only present
TOS matching and nothing about DSCP).

Anyway, the problem arises when the incoming traffic (from the internet) has
no DSCP tags and I need to enqueue them accordingly to do the downlink
traffic shaping.

regards,
evelio vila

>
>
> On Sat, Jun 6, 2009 at 6:15 PM, wrote:
>
>> Ermal Luçi wrote:
>>
>>> On Sat, Jun 6, 2009 at 6:49 PM, wrote:
>>>
>>>> Vlad Galu wrote:
>>>>
>>>>> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>>>>>
>>>>>> Hi folks!
>>>>>>
>>>>>> I'm trying to figure out if there is a way to do connection marking in
>>>>>> a similar way as the iptables CONNMARK target does?
>>>>>>
>>>>>> Does pf support this feature?
>>>>>>
>>>>>> My intention is to tag an outgoing packet, transfer the tag to the
>>>>>> whole connection and then use that tag to mark incoming packets
>>>>>> belonging to the same connection.
>>>>>>
>>>>>> Also, I would like then to use that mark to enqueue marked packets to
>>>>>> hfsc classes.
>>>>>>
>>>>>> I've done all of this in Linux but never on FreeBSD. I've searched in
>>>>>> pf's man page and the FAQ without success.
>>>>>>
>>>>>> thanks in advance,
>>>>>>
>>>>>> evelio vila
>>>>>>
>>>>>
>>>>> Hi evelio, see below:
>>>>> -- cut here --
>>>>> tag
>>>>>     Packets matching this rule will be tagged with the specified
>>>>>     string. The tag acts as an internal marker that can be used to
>>>>>     identify these packets later on. This can be used, for example, to
>>>>>     provide trust between interfaces and to determine if packets have
>>>>>     been processed by translation rules. Tags are "sticky", meaning
>>>>>     that the packet will be tagged even if the rule is not the last
>>>>>     matching rule. Further matching rules can replace the tag with a
>>>>>     new one but will not remove a previously applied tag. A packet is
>>>>>     only ever assigned one tag at a time. Packet tagging can be done
>>>>>     during nat, rdr, or binat rules in addition to filter rules. Tags
>>>>>     take the same macros as labels (see above).
>>>>>
>>>>> tagged
>>>>>     Used with filter or translation rules to specify that packets
>>>>>     must already be tagged with the given tag in order to match the
>>>>>     rule. Inverse tag matching can also be done by specifying the !
>>>>>     operator before the tagged keyword.
>>>>> -- and here --
>>>>>
>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>> connections should be enough all by itself. You would simply add the
>>>>
>>>> Indeed no, what I want is also to mark the connection to be able then
>>>> to mark incoming packets belonging to the same connection.
>>>>
>>>>> "queue " directive at the end of your pass out rule, even
>>>>> though the interface packets go out through is the "external" one, and
>>>>> you want to do shaping on the "internal" one but, as I understand, for
>>>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>>>
>>>> I am not sure what you mean with "floating (not if-bound) states",
>>>> could you please explain this.
>>>>
>>>>> like somebody with better pf knowledge to correct me :)
>>>>
>>> pf(4) is not iptables. So before using it read more about it.
>>>
>> I'm aware of that.
>>
>> I think it's pretty obvious that my post is simply trying to figure out
>> how to achieve with pf something that I used to do with netfilter.
>>
>> I've read this before but nothing comes up to me.
>> http://www.openbsd.org/faq/pf/tagging.html
>>
>> thanks anyway ermal
>> regards,
>> evelio vila
>>
>>> http://home.nuug.no/~peter/pf/en/
>>> http://www.openbsd.org/faq/pf
>>>
>>>> thanks for your quick answer vlad.
>>>>
>>>> evelio vila
>>>
>>> --
>>> Ermal
>
> --
> the sun shines for all

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

VI International Conference on Renewable Energy, Energy Saving and Energy Education
9 - 12 June 2009, Palacio de las Convenciones
...Toward a sustainable energy culture
www.ciercuba.com
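A pf.conf fragment, added here as an illustration and not taken from any message in the thread, of the approach Vlad describes: keep state on the outbound rule and put the queue on that rule, so the replies of the same state are queued on the internal interface where the downlink congestion is. Interface names, bandwidths, queue names and the DSCP values are assumptions; the tos keyword is pf's own, and the hex values follow from DSCP being the top six bits of the TOS byte.

```conf
# Added example, not from the thread. Interface names, bandwidths and
# queue names are assumptions.
ext_if = "em0"   # uplink to the internet
int_if = "em1"   # internal LAN, where the downlink congestion happens

# Reply packets must be matched by the state on either interface, so the
# states have to be floating rather than bound to the creating interface.
set state-policy floating

# Queues live on the interface packets leave through; for downlink traffic
# that is the internal interface.
altq on $int_if hfsc bandwidth 10Mb queue { q_ef, q_af, q_be }
queue q_ef bandwidth 20% hfsc(realtime 20%)
queue q_af bandwidth 50% hfsc(linkshare 50%)
queue q_be bandwidth 30% hfsc(default)

# pf's "tos" compares the whole TOS byte, so a DSCP codepoint is written as
# DSCP << 2 with the ECN bits zero: EF = 46 -> 0xb8, AF31 = 26 -> 0x68.
# A packet with its ECN bits set will not match these values.
# The queue named on a stateful rule is remembered in the state, so the
# replies coming in on $ext_if and leaving on $int_if get the same queue
# even though the rule itself is evaluated on $ext_if.
pass out on $ext_if from any to any tos 0xb8 keep state queue q_ef
pass out on $ext_if from any to any tos 0x68 keep state queue q_af
pass out on $ext_if from any to any keep state queue q_be
```

Reply packets that match an existing state never re-enter the ruleset, so a tagged rule on the inbound path cannot see them; the queue stored with the state is what carries the classification across the connection.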