Date: Fri, 10 Nov 2006 13:04:46 +0100
From: Michal Mertl <mime@traveller.cz>
To: Muhammad Reza <beastie@mra.co.id>
Cc: "FreeBSD \(PF\)" <freebsd-pf@freebsd.org>
Subject: Re: pf.conf + altq problem
Message-ID: <1163160286.5022.19.camel@genius.i.cz>
In-Reply-To: <1163010356.1504.46.camel@beastie.mra.co.id>
References: <1162836051.23997.7.camel@beastie.mra.co.id> <6e6841490611071140u486d550bn8d3f3f0c40b6fd9@mail.gmail.com> <6e6841490611071141u2f1ad06apaa4542a94f8b786b@mail.gmail.com> <1163010356.1504.46.camel@beastie.mra.co.id>

Muhammad Reza wrote:
> still not work with pass in rule.
>
> add info with this rule set:
>
> altq on xl1 bandwidth 100% cbq queue {int_out,dflt_out}
> queue int_out bandwidth 3Mb
> queue dflt_out bandwidth 16Kb cbq (default)
>
> altq on xl2 bandwidth 100% cbq queue {int_in,dflt_in}
> queue int_in bandwidth 3Mb
> queue dflt_in bandwidth 16Kb cbq (default)
>
> pass out log on xl1 from 172.16.0.228 to 202.57.14.1 keep state flags S/SA queue (int_out)
> pass out log on xl2 from 202.57.14.1 to 172.16.0.228 keep state flags S/SA queue (int_in)
>
> if I only enabled altq on in one interface only (xl1 or xl2), traffic
> limitation that I want is can be done.
>
> Is there something that can be done with ALTQ and PF or my rule is
> bad ???

The rules above (for TCP) do not match the traffic from both directions
of a single TCP connection - "flags S/SA" matches just the first packet
of the TCP session initiated by the source address (on the left). They
limit only one direction of connections initiated from either of the
addresses.

Try removing "flags S/SA".

Michal
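
Added example, not part of the original message or of pf itself: a small Python model of how a pf "flags <set>/<mask>" test such as "flags S/SA" evaluates against the packets of one TCP connection. The packet list is constructed, the function names are hypothetical, and the model covers only the rule's flag comparison, not pf's state table or ALTQ queue assignment.

```python
# Added illustration (not from the thread): pf's "flags <set>/<mask>" test,
# applied to a constructed TCP exchange. Models only the flag comparison.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def parse_flags(letters):
    """Turn a string of pf flag letters (e.g. "SA") into a bit mask."""
    bits = 0
    for ch in letters:
        if ch not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag letter: {ch!r}")
        bits |= TCP_FLAGS[ch]
    return bits

def flags_match(spec, packet_flags):
    """True if, of the flags named in <mask>, exactly those in <set> are on."""
    if "/" not in spec:
        raise ValueError("expected <set>/<mask>, e.g. S/SA")
    want, mask = spec.split("/", 1)
    want_bits, mask_bits = parse_flags(want), parse_flags(mask)
    if want_bits & ~mask_bits:
        # A flag required in <set> but absent from <mask> could never match.
        raise ValueError("flags in <set> must also appear in <mask>")
    return (packet_flags & mask_bits) == want_bits

# Constructed sample: one connection opened by 172.16.0.228 (addresses taken
# from the quoted rules; the packet sequence itself is made up).
SAMPLE_CONNECTION = [
    ("172.16.0.228 -> 202.57.14.1", "S"),    # SYN
    ("202.57.14.1 -> 172.16.0.228", "SA"),   # SYN+ACK
    ("172.16.0.228 -> 202.57.14.1", "A"),    # ACK
    ("172.16.0.228 -> 202.57.14.1", "PA"),   # data
    ("202.57.14.1 -> 172.16.0.228", "PA"),   # data
    ("172.16.0.228 -> 202.57.14.1", "FA"),   # FIN
]

def evaluate(spec, packets=SAMPLE_CONNECTION):
    """Return (direction, flags, matched) for every packet in the sample."""
    return [(d, f, flags_match(spec, parse_flags(f))) for d, f in packets]

if __name__ == "__main__":
    for direction, flags, hit in evaluate("S/SA"):
        print(f"{direction:30} {flags:3} {'match' if hit else 'no match'}")
```
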