Date: Wed, 5 Dec 2007 19:34:30 +0200
From: "Costin Alupului" <costin.alupului@gmail.com>
To: <freebsd-questions@freebsd.org>
Subject: PF, ALTQ queues and keeping state
Message-ID: <4756e13e.0d375e0a.1925.1173@mx.google.com>

Hello all,

I have a problem and I can't seem to find a solution to it by just googling, so maybe you can help me. I am trying to set up a traffic shaper using pf and altq with hfsc queues. Actually I did set that up about a year ago and it worked perfectly. But lately the number of clients increased dramatically and I had to switch to stateful inspection because otherwise there would be just too many rules to check for every packet that passed the ruleset.

Problem is: when I add "keep state" to the rules that assign traffic to the queues, traffic goes in the default queue instead. Here is an example of queue assignment that I tried to use (em2 is facing the clients, vlan0 is facing the Internet):

    pass out quick on vlan0 from $client1 to any keep state queue ul_client1
    pass out quick on em2 from any to $client1 keep state queue dl_client1
    pass in quick on vlan0 from any to $client1 keep state
    pass in quick on em2 from $client1 to any keep state

Well, you can imagine that this is just a test set-up; actually the idea would be to have just one rule for passing traffic inbound on each interface. I have read in some article that I should assign traffic when passing in on an interface if I am to use stateful inspection, and I would like to mention that I have tried that already. I have even tried to assign traffic to upload and download queues on the same interface (i.e. in on em2 = upload, out on em2 = download). Finally I tried something desperate like:

    pass out quick on vlan0 from $client1 to any keep state queue ul_client1
    pass out quick on em2 from any to $client1 keep state queue dl_client1
    pass in quick on vlan0 from any to $client1 keep state queue dl_client1
    pass in quick on em2 from $client1 to any keep state queue ul_client1

Thing is, of course, that didn't work either.

I always heard that one should assign traffic to queues on the outbound rules, but I found a link somewhere on the OpenBSD FAQ that stated that in fact I can assign traffic wherever I like, given that I declare ALTQ on the right interface. But nowhere did they say that I can't use keep state when assigning traffic to the queues. All is OK if I just lose the "keep state" from the rules, so that is the reason why I didn't include the altq and queue declarations (those are really OK).

Does anyone know what the workaround for this is? Because really without stateful inspection my machine is simply beaten; there are about 2000 queues and the traffic throughput is around 10kpps. If anyone has a better idea I would be extremely grateful.

Thank you very much,
Costin Alupului