
ALTQ ack prioritization



Hi all:
I'm trying to implement Daniel's priq/ACK-prioritization configuration, but
something isn't working properly.  My download throughput still drops
during uploads, which is exactly the symptom the two-queue setup is
supposed to prevent, even though the queue assignments are in place.  I
checked "pfctl -vvss" to confirm that the upload state was created by the
rule carrying the queue (q_def, q_pri) spec (it was, rule @68 below), yet
"pfctl -vsq" shows that q_pri has never received a single packet.  Does
anyone have an idea what I'm missing?
TIA,
-J.
-bash-2.05b# pfctl -vsq
queue q_pri priority 7
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:     
0 ]
[ qlength:   0/ 50 ]
queue q_def priq( default )
[ pkts:     736613  bytes:   86078294  dropped pkts:     73 bytes: 
61258 ]
[ qlength:  30/ 50 ]
# Relevant state entry for the upload (from pfctl -vvss; public addresses masked)
tcp 192.168.0.42:38006 -> xxx.xxx.xxx.xxx:31486 ->
yyy.yyy.yyy.yyy:22       ESTABLISHED:ESTABLISHED
   [4238399744 + 46336] wscale 0  [3625931648 + 10304] wscale 0
   age 00:00:44, expires in 05:00:00, 625 pkts, 559407 bytes, rule 68
# Rule @68, which created the upload state above (note it carries the queue spec)
@68 pass out on dc0 proto tcp all keep state queue(q_def, q_pri)
# pf.conf
### Variables ###
# Interface roles: dc0 faces the upstream (it is also the ALTQ and NAT
# interface below), dc1 faces the LAN.
ext_if="dc0"
int_if="dc1"
# Interface/mask form: expands to the /24 containing dc1's address
# (from the rest of the ruleset that is 192.168.0.0/24).
int_net="dc1/24"
# LAN host exposed through the rdr rules below (http and ssh).
webserver="192.168.0.10"
# TCP services the firewall itself accepts on $ext_if. 444 and 5001 are
# site-specific and not identified anywhere in this file.
fw_services="{ ssh, smtp, 444, 5001 }"
# Ports reachable on $webserver from the outside (after rdr). Note that
# this includes ssh, i.e. the web server's sshd is Internet-facing.
web_services="{ http, ssh }"
# Destination ports LAN hosts may open outbound through the firewall
# (used by the "pass in on $int_if" rules). 444/465/5190 are
# site-specific; 465 is conventionally smtps and 5190 AOL IM, but verify
# what actually sits behind them before relying on that.
out_services="{ http, https, ssh, pop3, pop3s, smtp, ftp, domain,
bootps, ntp, 444, 465, 5190 }"
# Ranges that must never appear on $ext_if as source or destination:
# unroutable / reserved space plus multicast and class E (224.0.0.0/3).
# NOTE(review): 192.168.0.0/16 is absent on purpose: $int_net and
# $webserver live in 192.168.0.0/24 and the "to $bad_blocks" rule runs
# after rdr has rewritten the destination to $webserver, so listing it
# would kill the forwarded web traffic. A separate
# "block in log quick on $ext_if from 192.168.0.0/16 to any" would cover
# spoofed sources without that side effect. Static bogon lists go
# stale; 204.152.64.0/23 in particular should be re-checked against
# current allocations.
bad_blocks="{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
### Set Options ###
# Raise the fragment-reassembly and state-table limits above the
# defaults; "states 65000" bounds how many connections pf tracks at
# once (on a 120Kb uplink this is generous).
set limit { frags 32000, states 65000 }
# Interface whose counters "pfctl -s info" reports.
set loginterface $ext_if
# "aggressive" shortens every state timeout so idle states expire
# sooner; the ESTABLISHED state in the pfctl output above expiring in
# 05:00:00 appears to reflect this. Long-idle but legitimate
# connections (e.g. idle ssh sessions) may get dropped; "normal" is the
# safer choice unless state-table pressure is actually observed.
set optimization aggressive
### Packet Normalization ###
# Reassemble fragments and normalize every inbound packet before it
# reaches the filter (defeats overlapping-fragment tricks against the
# rules below and against LAN hosts).
scrub in all
# Same for outbound, plus a random IP ID on non-fragmented packets so
# neither the firewall nor NATed LAN hosts leak a predictable IP-ID
# counter (idle-scan / host-counting resistance).
scrub out all random-id
### ALTQ ###
# Priority queueing on the upstream interface. The bandwidth figure
# must be a little below the real uplink rate, otherwise the modem's
# own buffer fills first and pf never gets to decide which packet goes
# next; the q_def qlength of 30/50 in the pfctl output above suggests
# queueing does happen in pf here.
altq on $ext_if priq bandwidth 120Kb queue { q_pri, q_def }
# priq always serves the non-empty queue with the higher priority.
# q_pri is meant for empty TCP ACKs and TOS-lowdelay packets: a rule
# with "queue (q_def, q_pri)" puts those into the second queue and all
# other packets into the first, so the ACKs of a download overtake
# upload data. The "pfctl -vsq" output above shows 0 pkts here, i.e.
# nothing has ever been classified into it. Worth confirming with
# tcpdump on $ext_if that the download's outbound ACKs really carry no
# payload and are matched by a state whose rule has the two-queue spec.
queue q_pri priority 7
# Everything else. Also the landing queue for packets whose rule names
# no queue at all (e.g. the web server's replies passed by the
# "pass in on $ext_if ... to $webserver" rule).
queue q_def priority 1 priq(default)
### Start NAT rules ###
# Normal Rules
# Masquerade all LAN traffic leaving on dc0 behind dc0's current
# address; the parentheses make pf re-read the address when it changes
# (DHCP upstream).
nat on $ext_if from $int_net to any -> ($ext_if)
# Port forwards: outside 4275 -> web server http, outside 4272 -> web
# server ssh. Translation happens before filtering, so the matching
# "pass in on $ext_if ... to $webserver" rule sees the rewritten
# destination. Odd external ports hide nothing from a port scanner;
# the Internet-facing ssh in particular should be justified (and at
# least key-only).
rdr on $ext_if proto tcp from any to ($ext_if) port 4275 -> $webserver
port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 4272 -> $webserver
port 22
# Every LAN-originated FTP control connection is diverted to a local
# listener on 8021 (presumably ftp-proxy, whose default port this is;
# confirm). No pass rule below names 8021: the diverted packet is
# admitted only because there is no block rule on $int_if and pf's
# implicit default is pass.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# Bounceback - TCP Reflection
# Lets LAN clients reach the web server via the external address: rdr
# the request to $webserver, then NAT its source to $int_if so the
# reply comes back through the firewall instead of going straight to
# the client (which would never match the state). The "no nat" line
# exempts the firewall's own connections to the LAN from that NAT.
rdr on $int_if proto tcp from $int_net to ($ext_if) port 4275 ->
$webserver port 80
no nat on $int_if proto tcp from ($int_if) to $int_net
nat on $int_if proto tcp from $int_net to $webserver port 80 ->
($int_if)
### Start Filter Rules
# pf evaluates all rules and the LAST matching one wins, unless a rule
# says "quick", which stops evaluation immediately.
# basic block-all
# Default deny in both directions on the upstream interface only.
# There is no block rule for $int_if, so LAN-side traffic that matches
# no pass rule below is passed by pf's implicit default (without
# state); the LAN side is fully trusted here.
block out log on $ext_if all
block in log on $ext_if all
# These more specific rules come later and so win for TCP and UDP:
# TCP gets a RST, UDP gets an ICMP unreachable, everything else is
# silently dropped by the two rules above. Answering is friendlier to
# the LAN (no hangs) but on the inbound side it also tells a scanner
# which ports are filtered; a plain drop inbound is the quieter choice.
block return-rst  out log on $ext_if proto tcp all
block return-rst  in  log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in  log on $ext_if proto udp all
block in quick on $ext_if proto igmp all
# block various noisy traffic without logging
block in quick on $ext_if from 255.255.255.255/32 to any
block in quick on $ext_if from any to 255.255.255.255/32
# No "on" clause: this applies on every interface, so NetBIOS/SMB/RPC
# into or through the firewall is dropped from the LAN side as well.
block in quick proto { tcp, udp } from any to any port { 135, 137, 138,
139, 445 }
# block any incoming spoofed
block in quick on $ext_if from any to 224.0.0.1		# Adelphia igmp query
# Bogon filter in both directions (see $bad_blocks). "quick" makes
# these override any later pass rule.
block in log quick on $ext_if from $bad_blocks to any
block in log quick on $ext_if from any to $bad_blocks
# Deliberately not "quick": rdr'd web traffic (destination already
# rewritten to $webserver) matches here but is passed by the later
# "pass in ... to $webserver" rule, since the last match wins.
block in log on $ext_if from any to 192.168.0.0/24
# allow certain icmp connections
# Only echo request (type 8, code 0) crosses $ext_if; keep state admits
# the matching echo replies. All ICMP is allowed on the LAN side.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass out on $int_if proto icmp all keep state
pass in on $int_if proto icmp all keep state
# allow certain udp connections
# Any outbound UDP (from the firewall or NATed LAN hosts) may leave;
# replies come back via state. "user root" matches only packets that
# belong to a socket owned by root on the firewall itself (forwarded
# packets have no local socket), so only root-owned local processes
# may talk UDP to the LAN.
pass out on $ext_if proto udp all keep state
pass out on $int_if proto udp all user root keep state
# LAN clients may open UDP to the listed destination ports only.
pass in on $int_if proto udp from any to any port $out_services keep
state
# allow certain tcp connections
# Previous version without the queue spec, kept for reference.
#pass out on $ext_if proto tcp all keep state
# Queue spec: data to q_def, empty ACKs / lowdelay to q_pri. The upload
# state in the pfctl output above (rule 68) was created by this rule,
# so the queue assignment does apply to it. There is no "flags S/SA"
# here, so any outbound TCP segment can create state, not just a SYN.
pass out on $ext_if proto tcp all keep state queue (q_def, q_pri)
# Previous version without the queue spec, kept for reference (the
# following line is its wrapped continuation).
#pass in on $ext_if inet proto tcp from any to ($ext_if) port
$fw_services flags S/SA keep state
# Services on the firewall itself. "flags S/SA" means only a SYN
# (without ACK) creates state, so stray segments cannot. Queued the
# same way so the firewall's own replies get ACK priority too.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port
$fw_services flags S/SA keep state queue (q_def, q_pri)
# Forwarded web server ports (destination is post-rdr). No queue spec,
# so the web server's replies leave through the default q_def with no
# ACK priority; add "queue (q_def, q_pri)" if that traffic matters.
pass in on $ext_if proto tcp from any to $webserver port $web_services
flags S/SA keep state
# Firewall-local, root-owned TCP towards the LAN.
pass out on $int_if proto tcp all user root keep state
# LAN clients to the listed ports only. "modulate state" additionally
# rewrites the initial sequence numbers, protecting LAN hosts with weak
# ISN generators; queued so their download ACKs reach q_pri.
pass in on $int_if proto tcp from any to any port $out_services modulate
state queue (q_def, q_pri)
# END of pf.rules