Question on capabilities of ALTQ and HFSC

Miki Shapiro aris at pharoe.com
Tue Dec 14 03:59:58 PST 2004


Hi all

I'm using FreeBSD 5.3 Release, with a kernel recompiled to support ALTQ and
HFSC.

After playing for a while with pf and packet shaping using the HFSC queue
implementation, I'm still at a loss on whether this is possible or not:

The FreeBSD box serves as a router for a small NATted LAN, with a
proprietary protocol running bulk data in both directions, alongside regular
traffic.

The internet connection is asymmetric - bigger downlink than uplink.

I wish to regulate (limit) the upstream traffic of the bulk-data connection
as it hurts other traffic when it peaks.

Since I queue traffic using the firewall rules in pf, queueing a stateful
rule (keep state) affects incoming packets as well as outgoing packets that
run along the session allowed by this rule.

I believe specifying the interface on the queue definition (altq on $ext_if
...) was meant to prevent this, but the application responsible for the
traffic runs in a jail on the machine itself, whose IP is aliased to the
internal interface. Since the arriving packets never actually go out on
the (internal) wire, the "interface" of both incoming and outgoing packets
stays the external one as far as the queue is concerned, thus putting both
incoming and outgoing packets in the queue.

mrtg shows both uplink and downlink choked at the bandwidth I attempted to
impose on the bulk uplink traffic.

Furthermore, allowing free flow in both directions, grabbing the incoming
traffic with a non-stateful rule and queueing it apparently solves the
problem (not that I'd call a wide-open firewall a solution).

My queues are apparently defined correctly and otherwise work great; it is
only a matter of removing the unwanted limitation of inbound traffic.

Is this at all possible?

Miki
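The setup the post describes, reconstructed as an added pf.conf fragment for readers who want to see the concrete rule shape (this is not the poster's own configuration). Interface names, the uplink rate, the jail address and the bulk-protocol port are assumptions.

```pf
# Assumed names and values; the original post gives none of these.
ext_if    = "fxp0"            # external (uplink) interface
int_if    = "fxp1"            # internal LAN interface
jail_ip   = "192.168.1.10"    # jail address, aliased onto $int_if
bulk_port = "5000"            # port used by the proprietary bulk protocol

# HFSC root queue on the external interface (assumed 256 Kbit/s uplink).
# ALTQ shapes only packets transmitted on the interface it is attached to.
altq on $ext_if hfsc bandwidth 256Kb queue { std, bulk }
queue std  bandwidth 70% hfsc(default)
queue bulk bandwidth 30% hfsc(upperlimit 30%)

# Outbound NAT for the LAN, which also covers the jail's aliased address.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Stateful rule as in the post. Filter rules see post-translation addresses,
# so the jail traffic is matched here by port rather than by $jail_ip.
# The state entry carries the queue name, so both directions of the
# session end up tagged "bulk" (the behaviour the post complains about).
pass out on $ext_if proto tcp from any to any port $bulk_port \
    keep state queue bulk

# The workaround the post reports: no "keep state" on the outbound rule,
# and the inbound half of the session matched by its own non-stateful
# rule with a separate queue assignment. Reply packets are un-NATted
# before filtering, so they are matched on the jail address here.
# pass out on $ext_if proto tcp from any to any port $bulk_port queue bulk
# pass in  on $ext_if proto tcp from any port $bulk_port to $jail_ip queue std
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch the per-queue counters with `pfctl -vsq` to confirm which direction is actually landing in the bulk queue.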
