ALTQ last match queuing?

Bill Marquette bill.marquette at gmail.com
Wed May 25 04:46:11 GMT 2005


Hi, I'm trying to have pf do what's essentially a queue assignment in
one rule and a final pass/keep state in a second rule.  The man page for
FreeBSD 6 (and OpenBSD 3.7) reads like it should work the same as
tags: the rule a packet hits that has a queue is the last queue the
packet gets.  "During the filtering component of pf.conf, the last
referenced queue name is where any packets from pass rules will be
queued".  To me this reads that the following rule set will assign
outbound SSH to the qHighUp and qHighDown queues (depending on which
interface it traverses).  In reality it doesn't work (and I sorta
understand why - I guess after reading the man page it read like it
worked like tags).

altq on { dc0, dc1 } cbq bandwidth 200Mb queue { q_up, q_down, lan2lan }

queue q_up priority 7 bandwidth 384Kb cbq { qHighUp, qHatedUp }
queue q_down priority 7 bandwidth 384Kb cbq { qHighDown, qHatedDown }
queue lan2lan priority 1 bandwidth 190Mb cbq (default) { qdefault }

queue qHighUp priority 5 bandwidth 256Kb cbq( borrow )
queue qHatedUp priority 3 bandwidth 64Kb cbq( red ecn borrow )

queue qHighDown priority 4 bandwidth 256Kb cbq ( red ecn borrow )
queue qHatedDown priority 2 bandwidth 64Kb cbq ( red ecn borrow )

queue qdefault priority 0 cbq ( red ecn )
pass in on dc0 proto tcp from any to any port = 22 flags S/SA keep state queue qHighDown
pass out on dc1 proto tcp from any to any port = 22 flags S/SA keep state queue qHighUp
block in all
pass in quick on dc0 proto tcp from any to any port = 22 flags S/SA keep state
pass out quick on dc1 proto tcp from any to any port = 22 flags S/SA keep state

In the above rule set the ssh hits the lan2lan queue - not intended.
If I use quick on the first two ssh rules the traffic does indeed hit
the right queue, but this won't work for what I'm trying to do (split
rule management between traffic shaping and security policy).

The following does work, but will give me some interesting design
challenges (such as creating filter rules with tag/queue mismatches
:))
pass in on dc0 proto tcp from any to any port = ssh flags S/SA keep state tag sshdown
pass out on dc1 proto tcp from any to any port = ssh flags S/SA keep state tag sshup
block all
pass in quick on dc0 proto tcp from any to any port = ssh flags S/SA keep state queue qHighDown tagged sshdown
pass out quick on dc1 proto tcp from any to any port = ssh flags S/SA keep state queue qHighUp tagged sshup

Any thoughts?  I haven't looked at code, so I'm not sure how the queue
persists (or doesn't) with a packet.  Thanks

--Bill
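The behaviour described in the post, as an added illustration that is not part of the original message and is not pf's own code: a toy Python model of how pf walks a ruleset. It assumes two things taken from pf.conf(5), namely that a packet is handled by the last matching rule unless a matching rule says quick and the queue is read from that final rule only, and that tags applied with "tag" are sticky, so a tag set by an earlier matching rule is still present when a later "tagged" rule is evaluated. The interface, queue and tag names are the ones from the post; the Rule and Packet classes, the evaluate() function and the three sample packets are constructed here for the example.

```python
# Added illustration (not from the original post, not pf code): a toy model
# of pf's rule walk.  Two behaviours are modelled as assumptions taken from
# pf.conf(5):
#   * the packet is handled by the LAST matching rule unless a matching
#     rule says "quick"; the queue is read from that final rule only;
#   * tags set with "tag" are sticky: every matching rule that carries a
#     tag applies it, whether or not it turns out to be the final rule.
# Interface, queue and tag names are the ones from the post.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None      # None matches any interface
    port: Optional[int] = None       # destination port, None matches any
    quick: bool = False
    queue: Optional[str] = None      # queue assigned if this is the final rule
    tag: Optional[str] = None        # tag applied when this rule matches
    tagged: Optional[str] = None     # only match packets already carrying this tag


@dataclass
class Packet:
    direction: str
    iface: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet,
             default_queue: str = "qdefault") -> Tuple[str, Optional[str], Optional[str]]:
    """Return (verdict, queue, tag) for pkt under rules."""
    final: Optional[Rule] = None
    tag: Optional[str] = None
    for r in rules:
        if r.direction is not None and r.direction != pkt.direction:
            continue
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if r.port is not None and r.port != pkt.dport:
            continue
        # "tagged" sees tags applied earlier in this same walk.
        if r.tagged is not None and r.tagged != tag:
            continue
        if r.tag is not None:
            tag = r.tag              # sticky: survives later matching rules
        final = r                    # last match wins ...
        if r.quick:
            break                    # ... unless the match is quick
    if final is None or final.action != "pass":
        return ("block", None, tag)
    # The queue comes from the final rule only; a queue named by an earlier
    # matching rule is simply forgotten.
    return ("pass", final.queue or default_queue, tag)


# First ruleset from the post: queue on non-quick rules, policy rules after.
QUEUE_THEN_POLICY = [
    Rule("pass", "in", "dc0", 22, queue="qHighDown"),
    Rule("pass", "out", "dc1", 22, queue="qHighUp"),
    Rule("block", "in"),
    Rule("pass", "in", "dc0", 22, quick=True),
    Rule("pass", "out", "dc1", 22, quick=True),
]

# Second ruleset from the post: tag first, then quick policy rules that
# match on the tag and name the queue.
TAG_THEN_POLICY = [
    Rule("pass", "in", "dc0", 22, tag="sshdown"),
    Rule("pass", "out", "dc1", 22, tag="sshup"),
    Rule("block"),
    Rule("pass", "in", "dc0", 22, quick=True, queue="qHighDown", tagged="sshdown"),
    Rule("pass", "out", "dc1", 22, quick=True, queue="qHighUp", tagged="sshup"),
]

# Constructed sample packets.
SSH_IN = Packet("in", "dc0", 22)
SSH_OUT = Packet("out", "dc1", 22)
HTTP_IN = Packet("in", "dc0", 80)

if __name__ == "__main__":
    for name, rules in (("queue-then-policy", QUEUE_THEN_POLICY),
                        ("tag-then-policy", TAG_THEN_POLICY)):
        for pkt in (SSH_IN, SSH_OUT, HTTP_IN):
            print(name, pkt, evaluate(rules, pkt))
```

Under the first ruleset the SSH packets end up on qdefault (the lan2lan child) because the final match is the quick policy rule, which names no queue; under the second ruleset the tag from the first rule survives the later "block all" match and the quick "tagged" rule both passes the packet and assigns the queue. A non-SSH packet is blocked by either ruleset.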


More information about the freebsd-pf mailing list