Date: Sat, 06 Jun 2009 14:29:40 -0400
From: vila@tesla.cujae.edu.cu
To: István <leccine@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Connmark target
Message-ID: <20090606142940.0c42ju9uswkg4w8s@correo.cujae.edu.cu>
In-Reply-To: <b8592ed80906061111h4157a78cl365d160437b88426@mail.gmail.com>
References: <20090606124949.japda2vrkck4wk8o@correo.cujae.edu.cu>
 <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>
 <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu>
 <b8592ed80906061020n1d7f582fh42a0c94dcda2cfe1@mail.gmail.com>
 <20090606135250.3n87bzp88wc4kgk8@correo.cujae.edu.cu>
 <b8592ed80906061111h4157a78cl365d160437b88426@mail.gmail.com>
Unfortunately that would not help me, because the whole traffic is
originated from a single IP address (proxy), so I cannot distinguish
between them (that is why I use DSCP marks).

Even if I could achieve this, there is still the issue of selecting
incoming packets accordingly and directing them to inbound queues (for
downlink traffic shaping).

regards,
evelio vila

István <leccine@gmail.com> wrote:

> I guess you might want to tag those DSCP-enabled packets (because pf has
> no support for that at the moment, at least I cannot see it) and put them
> into the queue based on the tag.
> http://www.openbsd.org/faq/pf/queueing.html#assign
>
> Regards,
> Istvan
>
> On Sat, Jun 6, 2009 at 6:52 PM, <vila@tesla.cujae.edu.cu> wrote:
>
>> István <leccine@gmail.com> wrote:
>>
>>> Hi!
>>>
>>> In general it is a very bad idea to use the same way what you have been
>>> using before when you are moving to a new platform. You wouldn't use
>>> bash to manage win2k8 servers, just to give you an example of what I am
>>> talking about.
>>>
>>> The question is:
>>>
>>> What do you want to do with pf? Forget about netfilter/conntrack and so
>>> on. What do you want to achieve?
>>>
>>> This is the only question.
>>>
>>> Regards,
>>> Istvan
>>
>> I believe you are right, Istvan!
>>
>> This is the thing:
>>
>> I want to make some traffic shaping on both interfaces of a FreeBSD box.
>> As you all probably know, the real congestion occurs generally on the
>> downlink interface because of the asymmetric nature of some protocols
>> (e.g. HTTP).
>>
>> On the internal network I have some applications that put DSCP tags on
>> packets according to different classes of service. The uplink shaping
>> can be done simply by matching the corresponding DSCP field of each
>> connection and sending it to different queues. (By the way, the doc I've
>> read only presents TOS matching and nothing about DSCP.)
>>
>> Anyway, the problem arises when the incoming traffic (from the internet)
>> has no DSCP tags and I need to enqueue them accordingly to make the
>> downlink traffic shaping.
>>
>> regards,
>> evelio vila
>>
>>> On Sat, Jun 6, 2009 at 6:15 PM, <vila@tesla.cujae.edu.cu> wrote:
>>>
>>>> Ermal Luçi <eri@freebsd.org> wrote:
>>>>
>>>>> On Sat, Jun 6, 2009 at 6:49 PM, <vila@tesla.cujae.edu.cu> wrote:
>>>>>
>>>>>> Vlad Galu <dudu@dudu.ro> wrote:
>>>>>>
>>>>>>> On Sat, Jun 6, 2009 at 5:57 AM, <vila@tesla.cujae.edu.cu> wrote:
>>>>>>>
>>>>>>>> Hi folks!
>>>>>>>>
>>>>>>>> I'm trying to figure out if there is a way to make connection
>>>>>>>> marking in a similar way as iptables's CONNMARK target does.
>>>>>>>>
>>>>>>>> Does pf support this feature?
>>>>>>>>
>>>>>>>> My intentions are to tag an outgoing packet, transfer the tag to
>>>>>>>> the whole connection and then use that tag to mark incoming packets
>>>>>>>> belonging to the same connection.
>>>>>>>>
>>>>>>>> Also, I would like then to use that mark to enqueue marked packets
>>>>>>>> to HFSC classes.
>>>>>>>>
>>>>>>>> I've done all of this in Linux but never on FreeBSD; I've searched
>>>>>>>> in pf's man page and the FAQ without success.
>>>>>>>>
>>>>>>>> thanks in advance,
>>>>>>>>
>>>>>>>> evelio vila
>>>>>>>
>>>>>>> Hi evelio, see below:
>>>>>>> -- cut here --
>>>>>>> tag <string>
>>>>>>>     Packets matching this rule will be tagged with the specified
>>>>>>>     string. The tag acts as an internal marker that can be used to
>>>>>>>     identify these packets later on. This can be used, for example,
>>>>>>>     to provide trust between interfaces and to determine if packets
>>>>>>>     have been processed by translation rules. Tags are "sticky",
>>>>>>>     meaning that the packet will be tagged even if the rule is not
>>>>>>>     the last matching rule. Further matching rules can replace the
>>>>>>>     tag with a new one but will not remove a previously applied tag.
>>>>>>>     A packet is only ever assigned one tag at a time. Packet tagging
>>>>>>>     can be done during nat, rdr, or binat rules in addition to filter
>>>>>>>     rules. Tags take the same macros as labels (see above).
>>>>>>>
>>>>>>> tagged <string>
>>>>>>>     Used with filter or translation rules to specify that packets
>>>>>>>     must already be tagged with the given tag in order to match the
>>>>>>>     rule. Inverse tag matching can also be done by specifying the !
>>>>>>>     operator before the tagged keyword.
>>>>>>> -- and here --
>>>>>>>
>>>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>>>> connections should be enough all by itself. You would simply add the
>>>>>>
>>>>>> Indeed no, what I want is also to mark the connection to be able then
>>>>>> to mark incoming packets belonging to the same connection.
>>>>>>
>>>>>>> "queue <queue>" directive at the end of your pass out rule, even
>>>>>>> though the interface packets go out through is the "external" one,
>>>>>>> and you want to do shaping on the "internal" one but, as I
>>>>>>> understand, for that you also need floating (not if-bound) states.
>>>>>>> If I'm wrong, I'd
>>>>>>
>>>>>> I am not sure what you mean with "floating (not if-bound) states";
>>>>>> could you please explain this.
>>>>>>
>>>>>>> like somebody with better pf knowledge to correct me :)
>>>>>
>>>>> pf(4) is not iptables. So before using it read more about it.
>>>>
>>>> I'm aware of that.
>>>>
>>>> I think it's pretty obvious that my post is simply trying to figure
>>>> out how to achieve with pf something that I used to do with netfilter.
>>>>
>>>> I've read this before but nothing comes up to me.
>>>> http://www.openbsd.org/faq/pf/tagging.html
>>>>
>>>> thanks anyway ermal
>>>> regards,
>>>> evelio vila
>>>>
>>>>> http://home.nuug.no/~peter/pf/en/
>>>>> http://www.openbsd.org/faq/pf
>>>>>
>>>>>> thanks for your quick answer vlad.
>>>>>>
>>>>>> evelio vila
>>>>>>
>>>>>> ----------------------------------------------------------------
>>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>>
>>>>>> VI International Conference on Renewable Energy, Energy Saving and
>>>>>> Energy Education
>>>>>> 9 - 12 June 2009, Palacio de las Convenciones
>>>>>> ...For a sustainable energy culture
>>>>>> www.ciercuba.com
>>>>>> _______________________________________________
>>>>>> freebsd-pf@freebsd.org mailing list
>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>>>>
>>>>> --
>>>>> Ermal
>>>
>>> --
>>> the sun shines for all
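A pf.conf sketch of the setup the thread is circling around, added here as an example and not taken from any of the posts: the proxy's DSCP mark is matched through pf's tos option, the connection is tagged on the internal interface and the tag selects the uplink queue on the external one, while the downlink queue is named on the rule that creates the state so that the untagged replies still land in it. Interface names, the proxy address and the bandwidths are constructed placeholders.

```conf
# pf.conf sketch for FreeBSD/pf with ALTQ (added example; em0, em1,
# 192.0.2.10 and the rates below are constructed placeholders).
ext_if = "em0"
int_if = "em1"
proxy  = "192.0.2.10"   # the single internal address all traffic comes from

# ALTQ shapes egress only: uplink queues live on $ext_if, downlink queues
# on $int_if, because that is where the reply traffic leaves the box.
altq on $ext_if hfsc bandwidth 2Mb queue { up_ef, up_std }
queue up_ef    bandwidth 30% hfsc(realtime 400Kb)
queue up_std   bandwidth 70% hfsc(default)

altq on $int_if hfsc bandwidth 8Mb queue { down_ef, down_std }
queue down_ef  bandwidth 30% hfsc(realtime 1Mb)
queue down_std bandwidth 70% hfsc(default)

# "tos" compares the whole TOS byte. DSCP is its upper six bits, so DSCP EF
# (46) with the ECN bits clear is 46 << 2 = 0xb8. If the proxy negotiates
# ECN, the ECT/CE bits change the byte (0xb9, 0xba, 0xbb) and those values
# need rules of their own.
#
# Last matching rule wins, so the general rule comes first and the EF rule
# overrides it. Each rule tags the packet and names the downlink queue: pf
# assigns the queue of the rule that created the state to every packet of
# that connection, so the replies leaving through $int_if are put into
# down_ef / down_std even though they carry no DSCP mark. The states are
# if-bound so that the same flow is evaluated again by the $ext_if rules
# below instead of silently reusing this state there.
pass in on $int_if proto { tcp udp } from $proxy to any \
    tag STD queue down_std keep state (if-bound)
pass in on $int_if proto { tcp udp } from $proxy to any tos 0xb8 \
    tag EF queue down_ef keep state (if-bound)

# Uplink: the tag set on $int_if is still attached to the packet when it is
# evaluated on $ext_if, so "tagged" selects the uplink queue here.
pass out on $ext_if tagged STD queue up_std keep state (if-bound)
pass out on $ext_if tagged EF  queue up_ef  keep state (if-bound)
```

Check the assignment with pfctl -vvsq, which shows per-queue packet and byte counters for both interfaces, and pfctl -ss, which lists each state with the interface it is bound to.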