Connmark target

vila at tesla.cujae.edu.cu
Sun Jun 7 17:28:12 UTC 2009


OK Istvan,

I'll try this and post results.

By the way, does anyone know if there are plans to include connection marking
capabilities in pf?

I say this because until now it is the only way I've found to solve my issue.

If anybody knows another way to achieve the same goals, help is really
appreciated.

Thanks everyone,

evelio vila



István <leccine at gmail.com> wrote:

> Then we have to investigate the possibility of using those flags ;)
> http://groups.google.com/group/bit.listserv.openbsd-pf/browse_thread/thread/dd04e046f70e8ebc#
>
> Regards,
> Istvan
>
> On Sat, Jun 6, 2009 at 7:29 PM, <vila at tesla.cujae.edu.cu> wrote:
>
>> Unfortunately that would not help me because the whole traffic originates
>> from a single IP address (proxy), so I cannot distinguish between them
>> (that is why I use DSCP marks).
>> Even if I could achieve this, there is still the issue of selecting
>> incoming packets accordingly and directing them to inbound queues (for
>> downlink traffic shaping).
>>
>> regards,
>> evelio vila
>>
>>
>> István <leccine at gmail.com> wrote:
>>
>>> I guess you might want to tag those DSCP-enabled packets (because pf has no
>>> support for that at the moment, at least I cannot see any) and put them into
>>> the queue based on the tag.
>>> http://www.openbsd.org/faq/pf/queueing.html#assign
>>>
>>> Regards,
>>> Istvan
>>>
>>> On Sat, Jun 6, 2009 at 6:52 PM, <vila at tesla.cujae.edu.cu> wrote:
>>>
>>>> István <leccine at gmail.com> wrote:
>>>>
>>>>> Hi!
>>>>>
>>>>> In general it is a very bad idea to use the same approach you have been
>>>>> using before when you are moving to a new platform. You wouldn't use
>>>>> bash to manage Win2k8 servers, just to give you an example of what I am
>>>>> talking about.
>>>>>
>>>>> The question is:
>>>>>
>>>>> What do you want to do with pf? Forget about netfilter/conntrack and so
>>>>> on. What do you want to achieve?
>>>>>
>>>>> This is the only question.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Istvan
>>>>>
>>>>>
>>>> I believe you are right Istvan!
>>>>
>>>> This is the thing:
>>>>
>>>> I want to do some traffic shaping on both interfaces of a FreeBSD box.
>>>> As you all probably know, the real congestion generally occurs on the
>>>> downlink interface because of the asymmetric nature of some protocols
>>>> (e.g. HTTP).
>>>>
>>>> On the internal network I have some applications that put DSCP tags on
>>>> packets according to different classes of service. The uplink shaping
>>>> can be done simply by matching the corresponding DSCP field of each
>>>> connection and sending it to different queues. (By the way, the doc I've
>>>> read only presents TOS matching and nothing about DSCP.)
>>>> Anyway, the problem arises when the incoming traffic (from the Internet)
>>>> has no DSCP tags and I need to enqueue it accordingly to do the downlink
>>>> traffic shaping.
>>>>
>>>> regards,
>>>> evelio vila
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>> On Sat, Jun 6, 2009 at 6:15 PM, <vila at tesla.cujae.edu.cu> wrote:
>>>>>
>>>>>> Ermal Luçi <eri at freebsd.org> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>>> On Sat, Jun 6, 2009 at 6:49 PM, <vila at tesla.cujae.edu.cu> wrote:
>>>>>>
>>>>>>
>>>>>>>> Vlad Galu <dudu at dudu.ro> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>> On Sat, Jun 6, 2009 at 5:57 AM, <vila at tesla.cujae.edu.cu> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hi folks!
>>>>>>>>>>
>>>>>>>>>> I'm trying to figure out if there is a way to do connection marking
>>>>>>>>>> in a similar way to what the iptables CONNMARK target does.
>>>>>>>>>>
>>>>>>>>>> Does pf support this feature?
>>>>>>>>>>
>>>>>>>>>> My intention is to tag an outgoing packet, transfer the tag to the
>>>>>>>>>> whole connection and then use that tag to mark incoming packets
>>>>>>>>>> belonging to the same connection.
>>>>>>>>>>
>>>>>>>>>> Also, I would then like to use that mark to enqueue marked packets
>>>>>>>>>> into HFSC classes.
>>>>>>>>>>
>>>>>>>>>> I've done all of this on Linux but never on FreeBSD; I've searched
>>>>>>>>>> pf's man page and the FAQ without success.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance,
>>>>>>>>>>
>>>>>>>>>> evelio vila
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> Hi evelio, see below:
>>>>>>>>> -- cut here --
>>>>>>>>>   tag <string>
>>>>>>>>>         Packets matching this rule will be tagged with the specified
>>>>>>>>>         string.  The tag acts as an internal marker that can be used to
>>>>>>>>>         identify these packets later on.  This can be used, for example,
>>>>>>>>>         to provide trust between interfaces and to determine if packets
>>>>>>>>>         have been processed by translation rules.  Tags are "sticky",
>>>>>>>>>         meaning that the packet will be tagged even if the rule is not
>>>>>>>>>         the last matching rule.  Further matching rules can replace the
>>>>>>>>>         tag with a new one but will not remove a previously applied tag.
>>>>>>>>>         A packet is only ever assigned one tag at a time.  Packet tagging
>>>>>>>>>         can be done during nat, rdr, or binat rules in addition to filter
>>>>>>>>>         rules.  Tags take the same macros as labels (see above).
>>>>>>>>>
>>>>>>>>>   tagged <string>
>>>>>>>>>         Used with filter or translation rules to specify that packets
>>>>>>>>>         must already be tagged with the given tag in order to match the
>>>>>>>>>         rule.  Inverse tag matching can also be done by specifying the !
>>>>>>>>>         operator before the tagged keyword.
>>>>>>>>> -- and here --
>>>>>>>>>
>>>>>>>>> Anyway, I believe that keeping state for the desired outgoing
>>>>>>>>> connections should be enough all by itself. You would simply add the
>>>>>>>>
>>>>>>>> Indeed no, what I want is also to mark the connection to be able
>>>>>>>> then to mark incoming packets belonging to the same connection.
>>>>>>>>
>>>>>>>>> "queue <queue>" directive at the end of your pass out rule, even
>>>>>>>>> though the interface packets go out through is the "external" one,
>>>>>>>>> and you want to do shaping on the "internal" one but, as I understand,
>>>>>>>>> for that you also need floating (not if-bound) states. If I'm wrong, I'd
>>>>>>>>
>>>>>>>> I am not sure what you mean by "floating (not if-bound) states";
>>>>>>>> could you please explain this?
>>>>>>>>
>>>>>>>>> like somebody with better pf knowledge to correct me :)
>>>>>>>
>>>>>>> pf(4) is not iptables. So before using it read more about it.
>>>>>>
>>>>>> I'm aware of that.
>>>>>>
>>>>>>
>>>>>> I think it's pretty obvious that my post is simply trying to figure out
>>>>>> how to achieve with pf something that I used to do with netfilter.
>>>>>>
>>>>>> I've read this before but nothing came to me.
>>>>>> http://www.openbsd.org/faq/pf/tagging.html
>>>>>>
>>>>>>
>>>>>> Thanks anyway Ermal.
>>>>>> Regards,
>>>>>> evelio vila
>>>>>>
>>>>>>
>>>>>>> http://home.nuug.no/~peter/pf/en/
>>>>>>> http://www.openbsd.org/faq/pf
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Thanks for your quick answer Vlad.
>>>>>>>>
>>>>>>>> evelio vila
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ----------------------------------------------------------------
>>>>>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>>>>>
>>>>>>>> VI International Conference on Renewable Energy, Energy Saving and
>>>>>>>> Energy Education
>>>>>>>> 9 - 12 June 2009, Palacio de las Convenciones
>>>>>>>> ...For a sustainable energy culture
>>>>>>>> www.ciercuba.com
>>>>>>>> _______________________________________________
>>>>>>>> freebsd-pf at freebsd.org mailing list
>>>>>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>>>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Ermal
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>> --
>>>>> the sun shines for all
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
>



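Added example for this thread (it is not from any of the messages above and not from the pf FAQ): a FreeBSD pf.conf that does what Evelio asks for, shaping both the uplink and the downlink of proxy traffic by the DSCP the proxy puts on its outbound packets, with no connection mark at all. It relies on two properties of pf that the replies above hint at. First, the queue named on the rule that creates a state is stored in the state entry and is applied to every packet that matches the state, in both directions. Second, a queue id is derived from the queue name, not from the interface, so defining a queue with the same name on both interfaces shapes a flow on the way out through the external interface and shapes its replies on the way out through the internal interface; ALTQ only ever shapes packets leaving an interface, so "downlink" shaping is the set of queues on the LAN side. Because pf evaluates rules only for the packet that creates a state, a "tagged" rule never sees the reply packets of an existing state, so tags cannot do this job; the queue the state carries does. The pf on FreeBSD at the time of this thread has no dscp keyword and "tos" compares the whole TOS byte, so DSCP values are written shifted left by two. Interface names, the proxy address, link speeds, queue names and sizes and the three DSCP classes are assumptions made for the example.

```conf
# Added example, not from the thread or the pf FAQ.  Assumptions: em0 faces
# the Internet, em1 faces the LAN, the proxy is 10.0.0.10, the kernel has
# "options ALTQ" and "options ALTQ_HFSC", and the link is 2 Mbit/s up and
# 8 Mbit/s down.  Queue names and sizes are made up for illustration.

ext_if = "em0"
int_if = "em1"
proxy  = "10.0.0.10"

# pf's 'tos' keyword compares the whole TOS byte, so a DSCP value has to be
# written shifted left by two (DSCP << 2).  The comparison is exact: a packet
# whose ECN bits (the low two bits) are set does not match these values.
tos_ef   = "0xb8"   # EF,   DSCP 46
tos_af41 = "0x88"   # AF41, DSCP 34
tos_cs1  = "0x20"   # CS1,  DSCP 8

# Floating states (the pf default) match a flow on any interface.  This is
# what lets a state created on $int_if carry the packet, and its queue,
# through $ext_if as well; if-bound states would not.
set state-policy floating

# The queue assignment lives in the state entry and the queue id comes from
# the queue name, so the same names are defined on both interfaces: 'ef' on
# $ext_if shapes the uplink, 'ef' on $int_if shapes the replies of the same
# state on the downlink.  ALTQ shapes egress only, hence two sets of queues.
altq on $ext_if hfsc bandwidth 2Mb queue { ef, af, bulk, std }
queue ef   on $ext_if bandwidth 20% hfsc(realtime 400Kb)
queue af   on $ext_if bandwidth 40%
queue bulk on $ext_if bandwidth 10% hfsc(upperlimit 600Kb)
queue std  on $ext_if bandwidth 30% hfsc(default)

altq on $int_if hfsc bandwidth 8Mb queue { ef, af, bulk, std }
queue ef   on $int_if bandwidth 20% hfsc(realtime 1600Kb)
queue af   on $int_if bandwidth 40%
queue bulk on $int_if bandwidth 10% hfsc(upperlimit 2400Kb)
queue std  on $int_if bandwidth 30% hfsc(default)

# Classify where the marked packets first appear: inbound on $int_if.  Each
# rule creates a state that carries its queue.  The packet leaves $ext_if via
# that queue, and every reply that matches the state leaves $int_if via the
# same-named queue there, although the reply itself carries no DSCP mark.
# All traffic comes from one proxy address, so only the TOS byte tells the
# classes apart; 'quick' stops at the first match.
pass in quick on $int_if inet from $proxy to any tos $tos_ef   keep state queue ef
pass in quick on $int_if inet from $proxy to any tos $tos_af41 keep state queue af
pass in quick on $int_if inet from $proxy to any tos $tos_cs1  keep state queue bulk
pass in quick on $int_if inet from $proxy to any               keep state queue std

# Nothing to classify on the external side: by the time a packet gets here
# it already matches a state, so no rule is evaluated for it.
pass out on $ext_if all keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it, then watch "pfctl -vsq" while a marked connection is running: the packet and byte counters of queue ef on the internal interface should move for a flow the proxy sent with EF, even though the replies arrive unmarked. If everything lands in std instead, look at the TOS byte the proxy actually sets with "tcpdump -v" on the internal interface; a value such as 0xba rather than 0xb8 means the ECN bits are set and the exact tos match fails.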

