Re: Ingress traffic shaping

Spenst, Aleksej Aleksej.Spenst at harman.com
Fri May 21 06:36:47 UTC 2010


>> If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
>> Are there any tricks to do it?

> Not really tricky, a diligent read of the PF and ALTQ doc should help you figure out the right configs. Would you mind posting your PF configs, the one without the loopback redirection?

Thank you for your answer, but it's clear to me how to configure the first described case when the incoming traffic is forwarded further to the LAN and shaped as outgoing traffic at the router. My questions are more general. First I would like to know whether it is at all possible and then how it can be done (not necessarily in terms of configuration).

At the moment I see that if traffic is forwarded further to the LAN, it might work somehow as discussed in the previous message from Raymond.

However, I also see that if the incoming traffic is not forwarded further it is not possible to slow it down somehow and this is now my big problem: I can't do anything with pf/altq to slow down the download traffic. That is why I'm asking whether there are any tricks to do it. I'm wondering if my example with loopback redirection can theoretically work... then I would think about proper configuration. What I feel now is that forwarding of packets between different interfaces within one host doesn't use queues as expected, probably the packets are somehow internally forwarded between interfaces and not properly sent via queues as they would be if sent outside. I use "route-to" for sending packets from ext_if to lo0 and "rdr" for sending them back from lo0 to ext_if and I see that the queues at the lo0 interface (where I could shape the traffic) are always empty... Having written this I've realised that I have to give my pf.conf. Sorry, this is exactly what you haven't asked for, but maybe you can help :)

# ----------------------------------------------------
# pf.conf: redirection of ingress traffic from $ext_if to loopback interface $lo and then back to $ext_if
# this is to be able to shape ingress traffic with altq when sending it from $lo
# in terms of data connection this works fine

### Queue configuration
altq on $lo priq bandwidth 50Kb queue{q1,q2}
queue q1 priority 14 priq
queue q2 priority 0 priq (default)

### Rdr rule
rdr on $lo -> $ext_if0

### Filtering

block in log
block out log

pass in log on $lo
pass out log quick on $lo queue q2

pass in log on $ext_if0 route-to $lo
pass out log on $ext_if0
# ----------------------------------------------------

Problem: the q2 queue is always empty (actually it always contains only 1 incoming ACK packet when the TCP download session is over, but no incoming data packets).

Thanks for any help!
Aleksej.


________________________________
From: shoks [mailto:lowbotskie at gmail.com]
Sent: Friday, 21 May 2010 04:46
To: Spenst, Aleksej
Cc: freebsd-pf at freebsd.org
Subject: Re: Ingress traffic shaping



On Thu, May 20, 2010 at 4:18 PM, Spenst, Aleksej <Aleksej.Spenst at harman.com> wrote:
Hi All,

If I understand it correctly, ingress traffic shaping is not possible with pf/altq.
Are there any tricks to do it?

Not really tricky, a diligent read of the PF and ALTQ doc should help you figure out the right configs. Would you mind posting your PF configs, the one without the loopback redirection?

I suppose that if incoming traffic is sent out by the router further to the LAN, the incoming traffic can be considered as outgoing traffic and therefore can be easily shaped.

---- incoming traffic ---> <ext_if> ROUTER <int_if with altq> ---- shaped outgoing traffic ---->

So, in this case one can say that ingress traffic can be shaped. In this manner it should be possible to limit TCP download traffic.


What if traffic is not forwarded further?

---- incoming traffic ---> <ext_if> END HOST

Is it possible to do anything to slow down for example TCP download traffic? Drop incoming packets? Drop or slow down outgoing ACKs?
I've tried to put outgoing ACKs in the queue with the lowest priority, but that doesn't help when there is not much other outbound traffic.

I was also trying to figure out whether it is possible to forward the incoming traffic to the loopback interface and then back to ext_if, so that incoming traffic can be considered as outgoing at the loopback interface.

---- incoming traffic ---> <ext_if> ----> <lo0> ---- shaped outgoing traffic ----><back to ext_if>

but I couldn't configure pf.conf such that this would be possible... Is this theoretically possible?


Thanks a lot for any tips!

Aleksej.
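
Added example, not part of the thread: a toy model of a strict-priority scheduler (the discipline priq selects) on an end host's outbound link, illustrating the remark above that putting outgoing ACKs in the lowest-priority queue only delays them when other outbound traffic nearly fills the link. Ticks, packet counts and the function name are assumptions made for the illustration; this is not ALTQ code.

```python
from collections import deque

def priq_ack_delay(ticks, link_pkts, bulk_pkts, ack_pkts):
    """Toy strict-priority (PRIQ-style) scheduler on one outbound link.

    Each tick the link can send `link_pkts` packets; `bulk_pkts` arrive in
    the high-priority queue and `ack_pkts` ACKs in the lowest-priority one.
    Returns (acks_sent, mean_ack_delay_in_ticks, acks_still_queued).
    """
    high, low = deque(), deque()      # each entry is the packet's arrival tick
    delays = []
    for now in range(ticks):
        high.extend([now] * bulk_pkts)
        low.extend([now] * ack_pkts)
        budget = link_pkts
        while budget and (high or low):
            if high:                  # strict priority: high queue always first
                high.popleft()
            else:                     # ACKs only get what is left over
                delays.append(now - low.popleft())
            budget -= 1
    mean = sum(delays) / len(delays) if delays else None
    return len(delays), mean, len(low)

if __name__ == "__main__":
    # Constructed scenarios: 100 ticks, 10 packets per tick on the link,
    # 2 outgoing ACKs per tick generated by the download.
    for label, bulk in [("idle uplink", 0), ("half loaded", 5),
                        ("nearly full", 9), ("saturated", 10)]:
        print(label, priq_ack_delay(100, 10, bulk, 2))
```

In this model the ACK delay stays at zero while the uplink is idle or half loaded, because a strict-priority scheduler serves the low queue as soon as the higher ones are empty; ACKs only start to wait once higher-priority traffic uses nearly all of the link.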


