PF, ALTQ queues and keeping state

Costin Alupului costin.alupului at gmail.com
Wed Dec 5 09:34:57 PST 2007 

Hello all,

 

I have a problem and I can't seem to find a solution to it by just goggling;
so maybe you can help me.

 

I am trying to set up a traffic shaper using pf and altq with hfsc queues.
Actually I did set that up about a year ago and it worked perfectly. But
lately the number of clients increased dramatically and I had to switch to
statefull inspection because otherwise there would be just too many rules to
check for every packet that passed the ruleset.

 

Problem is: when I add "keep state" to the rules that assign traffic to the
queues, traffic goes in the default queue instead. Here is an example of
queue assignment that I tried to use (em2 is facing the clients, vlan0 is
facing the Internet):

 

pass out quick on vlan0 from $client1 to any keep state queue ul_client1

pass out quick on em2 from any to $client1 keep state queue dl_client1

pass in quick on vlan0 from any to $client1 keep state

pass in quick on em2 from $client1 to any keep state

 

Well, you can imagine that this is just a test set-up; actually the idea
would be to have just one rule for passing traffic inbound on each
interface.

 

I have read in some article that I should assign traffic when passing in on
an interface if I am to use statefull inspection and I would like to mention
that I have tried that already. I have tried even to assign traffic to
upload and download queues on the same interface (I.E.: in on em2 = upload,
out on em2 = download).

 

Finally I tried something desperate like:

 

pass out quick on vlan0 from $client1 to any keep state queue ul_client1

pass out quick on em2 from any to $client1 keep state queue dl_client1

pass in quick on vlan0 from any to $client1 keep state queue dl_client1

pass in quick on em2 from $client1 to any keep state queue ul_client1

 

Thing is, of course, that didn't work either. I always heard that one should
assign traffic to queues on the outbound rules, but I found a link somewhere
on the OpenBSD faq that stated that in fact I can assign traffic wherever I
like, given that I declare ALTQ on the right interface. But nowhere did they
say that I can't use keep state when assigning traffic to the queues.

 

All is Ok if I just loose the "keep state" from the rules, so that is the
reason why I didn't include the altq and queue declarations (those are
really ok).

 

Does anyone know what is the workaround this? Because really without
statefull inspection my machine is simply beaten; there are about 2000
queues and the traffic throughput is around 10kpps. If anyone has a better
idea I would be extremely grateful.

 

Thank you very much,

 

Costin Alupului

More information about the freebsd-questions mailing list