pf+altq for bandwidth control

Volker volker at vwsoft.com
Fri May 18 01:39:43 PDT 2007


> My setup is as follow:
> LAN {test server} -> xl1 {FreeBSD} xl0 -> router -> net
> xl0 and xl1 are functioning as a transparent bridge.  kernel has pf and altq 
> compiled.
> 
> pf.conf:
> ext_if = "xl0"
> int_if = "xl1"
> pc = "any"
> set loginterface $ext_if
> 
> # to net
> altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
> queue std_ext bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
> queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)
> 
> pass out on $ext_if from $pc to any keep state queue test_ext
> ---
> The problem I'm having is that all outbound traffic from "test server"
> matches the "queue std_ext" instead of "queue test_ext" rule.  It appears 
> the cbq(default) child rule is overriding the other rule.

Lan,

to get a clear answer, we need to see your whole ruleset, not just a
snippet (I will write this into a signature soon, as it's the most often
used phrase).

Just a few guesses: You don't 'pass quick' and another rule matches
later, which does set it into a different queue.

Also, you're using state-policy floating and a rule is creating state
when the packet comes into your box, which queues differently. You
probably want to use the if-bound state policy.

Another thing to care about is your rules may create state in the
middle of a stream as you're not creating state on SYN.

Last guess: I think you've set $pc to any just for testing. If you're
using NAT and setting this to anything different (any of your local IP
addresses), this rule will never match as the packet is being
processed _after_ NAT processing.

HTH

Volker

PS: Does anybody know what's wrong with the mailing list? I did not
receive the digest messages for the last 36 hours.
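The points raised in the reply above, written out as an added example pf.conf (not the original poster's ruleset and not Volker's): it keeps the interface names and queues from the quoted snippet, but the test host address 192.0.2.10 is a constructed placeholder, and the catch-all rule at the end stands in for whatever other rules the full ruleset may contain.

```pf
# Added example ruleset; assumes xl0 external, xl1 internal, and a single
# test host at 192.0.2.10 (constructed address, not from the original post).
ext_if = "xl0"
int_if = "xl1"
pc     = "192.0.2.10"

set loginterface $ext_if

# Bind states to the interface they were created on. With the default
# "floating" policy a state created when the packet enters on $int_if is
# reused on $ext_if and carries its own (possibly default) queue assignment.
set state-policy if-bound

# Same queue definitions as in the quoted snippet.
altq on $ext_if cbq bandwidth 100Mb queue { std_ext, test_ext }
queue std_ext  bandwidth 3Mb qlimit 1000 priority 5 cbq(default red ecn)
queue test_ext bandwidth 2Mb priority 1 cbq(red ecn)

# "quick" stops rule evaluation here, so no later rule can override the queue.
# "flags S/SA" creates state only on the initial SYN, never mid-stream.
# Note: nat/rdr rules are applied before filter rules, so if NAT were in use
# on $ext_if, "from $pc" would have to match the translated address.
pass out quick on $ext_if proto tcp from $pc to any flags S/SA \
    keep state queue test_ext

# Everything else leaving $ext_if falls into the cbq default queue (std_ext).
pass out on $ext_if from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check first, then confirm the assignment with `pfctl -vsq` while the test server generates outbound traffic: the packet and byte counters should increase on test_ext rather than std_ext.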


More information about the freebsd-pf mailing list