Connmark target

vila at tesla.cujae.edu.cu vila at tesla.cujae.edu.cu
Sat Jun 6 18:29:48 UTC 2009


unfortunately that would not help me because the whole traffic is all
originated from a single IP address (proxy) so I cannot distinguish
between them (that is why I use dscp marks)
even if I could achieve this, there is still the issue of
selecting incoming packets accordingly and directing them to inbound
queues (for downlink traffic shaping).

regards,
evelio vila


István <leccine at gmail.com> wrote:

> I guess you might want to tag that dscp enabled packets -because pf has no
> support for that at the moment, at least i cannot see- and put them into the
> queue based on the tag.
> http://www.openbsd.org/faq/pf/queueing.html#assign
>
> Regards,
> Istvan
>
> On Sat, Jun 6, 2009 at 6:52 PM, <vila at tesla.cujae.edu.cu> wrote:
>
>> István <leccine at gmail.com> wrote:
>>
>>  Hi!
>>>
>>> In general it is a very bad idea to use the same way what you have been
>>> using before when you are moving to a new platform. You wouldn't use bash to
>>> manage win2k8 servers, just to give you an example what I am talking about.
>>>
>>> The question is:
>>>
>>> What do you want to do with pf. Forget about netfilter/conntrack and so on.
>>> What do you want to achieve?
>>>
>>> This is the only question.
>>>
>>>
>>> Regards,
>>> Istvan
>>>
>>
>> I believe you are right istvan!
>>
>> this is the thing:
>>
>> I want to do some traffic shaping on both interfaces of a freebsd box.
>> As u all probably know the real congestion occurs generally on the downlink
>> interface because of the asymmetric nature of some protocols (eg. http)
>>
>> on the internal network i have some applications that put dscp tags on
>> packets according to different classes of service. the uplink shaping can
>> be done simply by matching the corresponding dscp field of each connection
>> and sending to different queues. (by the way the doc I've read only presents
>> TOS matching and nothing about dscp)..
>> anyway, the problem arises when the incoming traffic (from the internet)
>> has no dscp tags and i need to enqueue them accordingly to do the downlink
>> traffic shaping.
>>
>> regards,
>> evelio vila
>>
>>
>>
>>
>>
>>>
>>>
>>> On Sat, Jun 6, 2009 at 6:15 PM, <vila at tesla.cujae.edu.cu> wrote:
>>>
>>>  Ermal Luçi <eri at freebsd.org> wrote:
>>>>
>>>>
>>>>  On Sat, Jun 6, 2009 at 6:49 PM, <vila at tesla.cujae.edu.cu> wrote:
>>>>
>>>>>
>>>>>  Vlad Galu <dudu at dudu.ro> wrote:
>>>>>>
>>>>>>  On Sat, Jun 6, 2009 at 5:57 AM, <vila at tesla.cujae.edu.cu> wrote:
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Hi folks!
>>>>>>>>
>>>>>>>> I'm trying to figure out if there is a way to do connection marking in
>>>>>>>> a similar way as iptables's CONNMARK target does?
>>>>>>>>
>>>>>>>> Does pf support this feature?
>>>>>>>>
>>>>>>>> My intentions are to tag an outgoing packet, transfer the tag to the
>>>>>>>> whole connection and then use that tag to mark incoming packets
>>>>>>>> belonging to the same connection.
>>>>>>>>
>>>>>>>> Also, i would like then to use that mark to enqueue marked packets to
>>>>>>>> hfsc classes.
>>>>>>>>
>>>>>>>> I've done all of this in linux but never on freebsd, I've searched in
>>>>>>>> pf's man page and the FAQ without success.
>>>>>>>>
>>>>>>>> thanks in advance,
>>>>>>>>
>>>>>>>> evelio vila
>>>>>>>>
>>>>>>>>
>>>>>>>  Hi evelio, see below:
>>>>>>> -- cut here --
>>>>>>>    tag <string>
>>>>>>>          Packets matching this rule will be tagged with the specified
>>>>>>>          string.  The tag acts as an internal marker that can be used to
>>>>>>>          identify these packets later on.  This can be used, for example, to
>>>>>>>          provide trust between interfaces and to determine if packets have
>>>>>>>          been processed by translation rules.  Tags are "sticky", meaning
>>>>>>>          that the packet will be tagged even if the rule is not the last
>>>>>>>          matching rule.  Further matching rules can replace the tag with a
>>>>>>>          new one but will not remove a previously applied tag.  A packet is
>>>>>>>          only ever assigned one tag at a time.  Packet tagging can be done
>>>>>>>          during nat, rdr, or binat rules in addition to filter rules.  Tags
>>>>>>>          take the same macros as labels (see above).
>>>>>>>
>>>>>>>    tagged <string>
>>>>>>>          Used with filter or translation rules to specify that packets must
>>>>>>>          already be tagged with the given tag in order to match the rule.
>>>>>>>          Inverse tag matching can also be done by specifying the ! operator
>>>>>>>          before the tagged keyword.
>>>>>>> -- and here --
>>>>>>>
>>>>>>>  Anyway, I believe that keeping state for the desired outgoing
>>>>>>> connections should be enough all by itself. You would simply add the
>>>>>>>
>>>>>>>
>>>>>> Indeed no, what i want is also to mark the connection to be able then
>>>>>> to mark incoming packets belonging to the same connection.
>>>>>>
>>>>>>  "queue <queue>" directive at the end of your pass out rule, even
>>>>>>
>>>>>>> though the interface packets go out through is the "external" one, and
>>>>>>> you want to do shaping on the "internal" one but, as I understand, for
>>>>>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>>>>>>
>>>>>>>
>>>>>> i am not sure what you mean with "floating (not if-bound) states"
>>>>>> could you please explain this.
>>>>>>
>>>>>>
>>>>>>> like somebody with better pf knowledge to correct me :)
>>>>>>>
>>>>>>>
>>>>>>  pf(4) is not iptables. So before using it read more about it.
>>>>>
>>>>>
>>>>>  I'm aware of that.
>>>>
>>>> I think it's pretty obvious that my post is simply trying to figure out how
>>>> to achieve with pf something that i use to do with netfilter.
>>>>
>>>> I've read this before but nothing comes up to me.
>>>> http://www.openbsd.org/faq/pf/tagging.html
>>>>
>>>>
>>>> thanks anyway ermal
>>>> regards,
>>>> evelio vila
>>>>
>>>>
>>>>  http://home.nuug.no/~peter/pf/en/
>>>>
>>>>> http://www.openbsd.org/faq/pf
>>>>>
>>>>>
>>>>>
>>>>>  thanks for your quick answer vlad.
>>>>>
>>>>>>
>>>>>> evelio vila
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----------------------------------------------------------------
>>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>>
>>>>>>
>>>>>> VI Conferencia Internacional de Energía Renovable, Ahorro de Energía y
>>>>>> Educación Energética
>>>>>> June 9 - 12, 2009, Palacio de las Convenciones
>>>>>> ...For a sustainable energy culture
>>>>>> www.ciercuba.com
>>>>>> _______________________________________________
>>>>>> freebsd-pf at freebsd.org mailing list
>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Ermal
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> the sun shines for all
>>>
>>>
>>
>>
>>
>
>
>
> --
> the sun shines for all
>
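
The approach discussed in the thread (classify on the TOS/DSCP byte, tag, and let the state carry the queue assignment to the reply packets) can be sketched as a pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread; the interface names, proxy address, bandwidths, queue names and the choice of DSCP 46 (EF, TOS byte 0xb8) are all assumptions.

```pf
# Added example. Every name, address and bandwidth below is an assumption.
ext_if = "em0"            # Internet-facing interface (hypothetical)
int_if = "em1"            # LAN-facing interface (hypothetical)
proxy  = "192.0.2.10"     # the single proxy all traffic comes from (placeholder)

# The same queue names exist on both interfaces: the ext_if queues shape
# the uplink, the int_if queues shape the downlink (packets leaving
# toward the proxy).
altq on $ext_if hfsc bandwidth 2Mb queue { voice, bulk }
queue voice on $ext_if bandwidth 30% hfsc(realtime 20%)
queue bulk  on $ext_if bandwidth 70% hfsc(default)

altq on $int_if hfsc bandwidth 8Mb queue { voice, bulk }
queue voice on $int_if bandwidth 30% hfsc(realtime 20%)
queue bulk  on $int_if bandwidth 70% hfsc(default)

block all

# Classify once, on the way in from the proxy, where the DSCP mark set by
# the application is visible. The last matching rule wins, so the general
# rule comes first and the tos rule replaces its tag and queue.
# DSCP 46 (EF) shifted into the TOS byte is 0xb8.
pass in on $int_if inet proto tcp from $proxy to any \
        tag BULK keep state queue bulk
pass in on $int_if inet proto tcp from $proxy to any tos 0xb8 \
        tag VOICE keep state queue voice

# The tag travels with the packet to the external interface, so the
# uplink queue is chosen from the tag rather than from the address.
pass out on $ext_if tagged BULK  keep state queue bulk
pass out on $ext_if tagged VOICE keep state queue voice
```

Reply packets from the Internet carry no DSCP mark, but they match the states created above, and a packet that matches a state is assigned the queue named on the rule that created it; when the reply leaves $int_if it is placed in the queue of that name defined on $int_if.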


