Question about altq implementation in pf

I just took a look at the altq implementation in pf in -current (actually I just
looked at the man page of pf.conf, so if that is outdated, my question would
possibly be as well), and have to say, I really like it.

I started to think about how to implement altq into our next firewall and ran
across a problem:
Is it possible to use pf's altq implementation with stateful filtering rules and
asymmetric interfaces (e.g. ADSL-style ones)? If I understand it correctly, it is
not, because

1. I can only assign one queue (two considering lowdelay) to one filtering rule.
2. One queue has only one bandwidth.
3. One stateful rule would match packets in two directions with different

So I see a few possible solutions to this:

1. Do not use stateful filtering at all.
    I really like stateful filtering and wouldn't like to give it up.
2. Do not use altq on OpenBSD.
    That really would be a shame, now it's implemented into pf in such a nice way.
3. Allow a queue to have two bandwidths
    I don't know too much about altq, but I think that would be very hard to
    implement, if not outright impossible.
4. Allow at least up to 4 queues assigned to one rule
    That would allow 2 queues each for traffic flowing in the same and in the
    opposite direction of the state-creating packet.
The last solution seems to me the most viable. One could define queues for
incoming and outgoing traffic with different bandwidths and assign these to the
stateful rules.
Is this right? Or am I missing something? Would it be hard to implement?