Connmark target

vila at tesla.cujae.edu.cu vila at tesla.cujae.edu.cu
Sat Jun 6 17:52:58 UTC 2009


István <leccine at gmail.com> wrote:

> Hi!
>
> In general it is a very bad idea to use the same way what you have been
> using before when you are moving to a new platform. You wouldn't use bash to
> manage win2k8 servers, just to give you an example what I am talking about.
>
> The question is:
>
> What do you want to do with pf. Forget about netfilter/conntrack and so on.
> What do you want to achieve?
>
> This is the only question.
>
>
> Regards,
> Istvan

I believe you are right, Istvan!

this is the thing:

I want to do some traffic shaping on both interfaces of a FreeBSD box.
As you all probably know, the real congestion generally occurs on the
downlink interface because of the asymmetric nature of some protocols
(e.g. HTTP).

On the internal network I have some applications that put DSCP tags on
packets according to different classes of service. The uplink shaping
can be done simply by matching the corresponding DSCP field of each
connection and sending it to different queues. (By the way, the doc
I've read only presents TOS matching and nothing about DSCP.)
Anyway, the problem arises when the incoming traffic (from the
Internet) has no DSCP tags and I need to enqueue it accordingly to
do the downlink traffic shaping.

regards,
evelio vila



>
>
>
> On Sat, Jun 6, 2009 at 6:15 PM, <vila at tesla.cujae.edu.cu> wrote:
>
>> Ermal Luçi <eri at freebsd.org> wrote:
>>
>>
>>> On Sat, Jun 6, 2009 at 6:49 PM, <vila at tesla.cujae.edu.cu> wrote:
>>>
>>>> Vlad Galu <dudu at dudu.ro> wrote:
>>>>
>>>>> On Sat, Jun 6, 2009 at 5:57 AM, <vila at tesla.cujae.edu.cu> wrote:
>>>>>
>>>>>>
>>>>>> Hi folks!
>>>>>>
>>>>>> I'm trying to figure out if there is a way to do connection marking in a
>>>>>> similar way to what the iptables CONNMARK target does.
>>>>>>
>>>>>> Does pf support this feature?
>>>>>>
>>>>>> My intentions are to tag an outgoing packet, transfer the tag to the whole
>>>>>> connection and then use that tag to mark incoming packets belonging to
>>>>>> the same connection.
>>>>>>
>>>>>> Also, I would then like to use that mark to enqueue marked packets into
>>>>>> hfsc classes.
>>>>>>
>>>>>> I've done all of this in Linux but never on FreeBSD. I've searched in
>>>>>> pf's man page and the FAQ without success.
>>>>>>
>>>>>> thanks in advance,
>>>>>>
>>>>>> evelio vila
>>>>>>
>>>>>
>>>>>   Hi evelio, see below:
>>>>> -- cut here --
>>>>>     tag <string>
>>>>>           Packets matching this rule will be tagged with the specified
>>>>>           string.  The tag acts as an internal marker that can be used to
>>>>>           identify these packets later on.  This can be used, for example,
>>>>>           to provide trust between interfaces and to determine if packets
>>>>>           have been processed by translation rules.  Tags are "sticky",
>>>>>           meaning that the packet will be tagged even if the rule is not
>>>>>           the last matching rule.  Further matching rules can replace the
>>>>>           tag with a new one but will not remove a previously applied tag.
>>>>>           A packet is only ever assigned one tag at a time.  Packet tagging
>>>>>           can be done during nat, rdr, or binat rules in addition to filter
>>>>>           rules.  Tags take the same macros as labels (see above).
>>>>>
>>>>>     tagged <string>
>>>>>           Used with filter or translation rules to specify that packets
>>>>>           must already be tagged with the given tag in order to match the
>>>>>           rule.  Inverse tag matching can also be done by specifying the !
>>>>>           operator before the tagged keyword.
>>>>> -- and here --
>>>>>
>>>>>  Anyway, I believe that keeping state for the desired outgoing
>>>>> connections should be enough all by itself. You would simply add the
>>>>>
>>>>
>>>> Indeed no, what I want is also to mark the connection to be able then
>>>> to mark incoming packets belonging to the same connection.
>>>>
>>>>> "queue <queue>" directive at the end of your pass out rule, even
>>>>> though the interface packets go out through is the "external" one, and
>>>>> you want to do shaping on the "internal" one but, as I understand, for
>>>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>>>>
>>>>
>>>> I am not sure what you mean with "floating (not if-bound) states";
>>>> could you please explain this?
>>>>
>>>>>
>>>>> like somebody with better pf knowledge to correct me :)
>>>>>
>>>>
>>> pf(4) is not iptables. So before using it read more about it.
>>>
>>>
>> I'm aware of that.
>>
>> I think it's pretty obvious that my post is simply trying to figure out how
>> to achieve with pf something that I used to do with netfilter.
>>
>> I've read this before but nothing comes up to me.
>> http://www.openbsd.org/faq/pf/tagging.html
>>
>>
>> thanks anyway, Ermal
>> regards,
>> evelio vila
>>
>>
>>> http://home.nuug.no/~peter/pf/en/
>>> http://www.openbsd.org/faq/pf
>>>
>>>
>>>
>>>> thanks for your quick answer, Vlad.
>>>>
>>>> evelio vila
>>>>
>>>>
>>>>
>>>> ----------------------------------------------------------------
>>>> This message was sent using IMP, the Internet Messaging Program.
>>>>
>>>>
>>>> VI International Conference on Renewable Energy, Energy Saving and
>>>> Energy Education
>>>> 9 - 12 June 2009, Palacio de las Convenciones
>>>> ...For a sustainable energy culture
>>>> www.ciercuba.com
>>>> _______________________________________________
>>>> freebsd-pf at freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>>
>>>>
>>>
>>>
>>> --
>>> Ermal
>>>
>>>
>>
>>
>>
>
>
>
> --
> the sun shines for all
>





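The pf counterpart of what the thread is after, as an added example written for this page (it is not configuration posted by anyone in the thread, nor taken from the pf project). The pattern relies on two properties of pf: the rule that creates a state records that state's queue, so the replies to a connection opened from the LAN are put into the queue named on the `pass in on $int_if` rule when they leave the internal interface, which is exactly where the downlink shaping has to happen; and a tag applied on one interface stays on the packet while it crosses the box, so the `pass out on $ext_if` rule can pick the uplink class with `tagged` instead of matching DSCP a second time. On the DSCP remark in the thread: pf's `tos` option compares the whole TOS byte, and DSCP is the upper six bits of that byte, so EF (46) is `tos 0xb8` and AF41 (34) is `tos 0x88`; on pf versions of this era the comparison is exact, so a packet that also carries ECN bits will not match. The interface names, the LAN prefix, the rates and the queue names are assumptions; that the tag is kept with the state is my reading of pf's behaviour and is worth confirming on the version you run.

```pf
# Added example, not from the thread: pf.conf in FreeBSD 7-era ALTQ syntax.
# Assumed: em0/em1, 192.168.1.0/24 (constructed), queue names and rates.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Downlink shaping acts on packets leaving $int_if toward the LAN. The root
# bandwidth is set a little below the real download rate so the queue builds
# up here, where hfsc controls it, rather than at the ISP.
altq on $int_if hfsc bandwidth 7800Kb queue { dn_voice, dn_web, dn_bulk }
  queue dn_voice bandwidth 10% hfsc(realtime 10%)
  queue dn_web   bandwidth 50%
  queue dn_bulk  bandwidth 40% hfsc(default)

# Uplink classes on $ext_if, again just below the real upload rate.
altq on $ext_if hfsc bandwidth 950Kb queue { up_voice, up_web, up_bulk }
  queue up_voice bandwidth 10% hfsc(realtime 10%)
  queue up_web   bandwidth 50%
  queue up_bulk  bandwidth 40% hfsc(default)

# Nothing unsolicited from the Internet; replies are admitted by state.
block in log on $ext_if

# Classify on the way in from the LAN, where the DSCP marks exist. "tos" is
# the whole TOS byte: DSCP EF (46) -> 0xb8, AF41 (34) -> 0x88. The state
# created here stores the tag and the queue, so the untagged replies coming
# back from the Internet land in dn_* when they leave $int_if.
pass in quick on $int_if from $int_net to any tos 0xb8 \
    tag VOICE keep state queue dn_voice
pass in quick on $int_if from $int_net to any tos 0x88 \
    tag WEB keep state queue dn_web
pass in quick on $int_if from $int_net to any \
    tag BULK keep state queue dn_bulk

# The tag set above is still on the packet when it reaches $ext_if, so the
# uplink class is chosen by tag. The firewall's own traffic is untagged and
# gets the bulk class; anything else leaving $ext_if is refused and logged.
pass out quick on $ext_if tagged VOICE keep state queue up_voice
pass out quick on $ext_if tagged WEB   keep state queue up_web
pass out quick on $ext_if tagged BULK  keep state queue up_bulk
pass out quick on $ext_if from ($ext_if) to any keep state queue up_bulk
block out log on $ext_if
```

Load it with `pfctl -f /etc/pf.conf` after `pfctl -nf /etc/pf.conf` has accepted the syntax, then watch `pfctl -vs queue` while a LAN host downloads: the bytes should accumulate in the `dn_*` queue that matches the DSCP class the LAN host set on its outgoing packets, even though nothing on the Internet side marked the replies.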