ALTQ and shaping an existing session

Jeremy Chadwick koitsu at
Wed Aug 27 19:45:39 UTC 2008

On Wed, Aug 27, 2008 at 09:22:48PM +0200, Michal Buchtik wrote:
> Rajkumar S writes on Wed 27. 08. 2008 at 16:17 +0530:
> > The problem is that even when a new ip is added to or removed from
> > <badguys> already existing sessions from the newly added ip continues
> > to have previous shaping configuration. All new sessions are shaped as
> > expected. I have tried rules without "keep state", but results are the
> > same. Is this the expected behavior of pf? Can the shaping be
> > performed for existing sessions also when an ip is added to <badguys>?
> I have same problem. The only way I found is kill existing states of
> affected ip's. But this is uncomfortable for users. Is there another
> solution?

It sounds like the root of this problem is that "flags S/SA" is implicit
on RELENG_7 for TCP rules.  "keep state" is also implicit (on TCP, UDP,
and ICMP rules).

The only solutions I see, both of which have consequences:

1) Use "flags any", but this *is not* something you would want to use in
conjunction with "keep state", since you only want to cause pf to begin
tracking state when SYN or SYN+ACK is set, and not on FIN, RST, or other
combinations.  There is probably some combination of rules you could set
up which could utilise "flags any" correctly, but the risks are high.

2) Add "no state" to rules you want shaping to occur on.  This has the
added drawback of pf not being able to keep track of state on such
packets (performance hit), and you'll need to tune your pf rules to
match on traffic going both directions (since there's no longer a state

Max, does this sound correct?

| Jeremy Chadwick                                jdc at |
| Parodius Networking              |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
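Below is an added pf.conf fragment illustrating option 2 from the reply (stateless shaping rules that are re-evaluated against the table on every packet, so additions to <badguys> take effect immediately). It is not from the thread or from the pf documentation; the interface names, bandwidths and queue names are assumptions chosen for the example.

```pf
ext_if = "em0"        # upstream interface (assumed name)
int_if = "em1"        # LAN interface (assumed name)

# Hosts to throttle; edited at runtime with:  pfctl -t badguys -T add|delete <ip>
table <badguys> persist

# ALTQ only shapes packets leaving an interface, so each direction needs its
# own queue set on the interface the traffic exits through.
altq on $ext_if cbq bandwidth 10Mb queue { q_ext_std, q_ext_slow }
queue q_ext_std  bandwidth 90% cbq(default)
queue q_ext_slow bandwidth 10%

altq on $int_if cbq bandwidth 100Mb queue { q_int_std, q_int_slow }
queue q_int_std  bandwidth 95% cbq(default)
queue q_int_slow bandwidth 5%

# Option 2 from the reply: "no state" means no state entry is created, so a
# host added to <badguys> is matched on its very next packet, mid-session.
# RELENG_7 implies "flags S/SA" on TCP rules, which would only match SYNs;
# "flags any" is therefore required here. Because no state exists, both
# directions must be matched explicitly.
pass out quick on $ext_if proto tcp from <badguys> to any flags any no state queue q_ext_slow
pass in  quick on $ext_if proto tcp from any to <badguys> flags any no state
pass out quick on $int_if proto tcp from any to <badguys> flags any no state queue q_int_slow
pass in  quick on $int_if proto tcp from <badguys> to any flags any no state

# Everyone else keeps the normal stateful behaviour ("keep state" and
# "flags S/SA" are implicit for TCP on RELENG_7).
pass on $ext_if proto tcp from any to any queue q_ext_std
pass on $int_if proto tcp from any to any queue q_int_std
```

The trade-off is the one the reply names: the stateless rules do no sequence or flag sanity checking, and the "pass in ... from any to <badguys>" rule on $ext_if admits unsolicited inbound TCP to those hosts for as long as they are in the table, so such a ruleset should be kept tight. The alternative from the thread, keeping "keep state" and instead flushing the affected host's existing states after adding it, is done with `pfctl -k <ip>` (states with that source) and `pfctl -k 0.0.0.0/0 -k <ip>` (states to that destination); new connections then pick up the shaping rule normally.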
