
Re: 3.3 - NAT w/queue { in/out }



LONG-VIEW
#########
# Queue #
#########
#ext_if
queue root_fxp0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, sonic0, std0}
queue  tech0 bandwidth 100Kb
queue  sonic0 bandwidth 200Kb
queue  std0 bandwidth 100Kb cbq( default )
#int_if
queue root_fxp1 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, std1}
queue  tech1 bandwidth 100Kb
queue  std1 bandwidth 20Kb cbq( default )
##########################
# Reduced my rules to 7  #
##########################  
beast.bright.net:/home/coldiso% pfctl -s rules
scrub in all fragment reassemble
block drop log-all on fxp0 all label "block in on ext_if:default deny"
pass out log-all on fxp1 all queue std1
pass out log-all on fxp0 all queue std0   
pass out log-all on fxp0 inet from 216.201.43.114 to any keep state queue sonic0
pass in log quick on fxp0 inet proto tcp from <man_hosts> to 216.201.43.114 port = ssh flags S/SA modulate state (tcp.established 518400) label "tcp$
pass in log quick on fxp0 inet proto icmp from <man_hosts> to 216.201.43.114 icmp-type echoreq code 0 keep state label "icmp managment_if from man_h$
pass in log-all on fxp1 from <tech_net> to any queue tech0
pass out log-all on fxp1 from any to <tech_net> queue tech1
@0 scrub in all fragment reassemble
[ Evaluations: 3504      Packets: 1682      Bytes: 0           States: 0     ]
@0 block drop log-all on fxp0 all label "block in on ext_if:default deny"
[ Evaluations: 197       Packets: 1         Bytes: 1500        States: 0     ]
@1 pass out log-all on fxp1 all queue std1
[ Evaluations: 197       Packets: 0         Bytes: 0           States: 0     ]
@2 pass out log-all on fxp0 all queue std0
[ Evaluations: 121       Packets: 0         Bytes: 0           States: 0     ]
@3 pass out log-all on fxp0 inet from 216.201.43.114 to any keep state queue sonic0
[ Evaluations: 1         Packets: 195       Bytes: 175698      States: 1     ]
@4 pass in log quick on fxp0 inet proto tcp from <man_hosts:2> to 216.201.43.114 port = ssh flags S/SA modulate state(tcp.established 518400) label "tcp managment_if from man_hosts"
[ Evaluations: 78        Packets: 0         Bytes: 0           States: 0     ]
@5 pass in log quick on fxp0 inet proto icmp from <man_hosts:2> to 216.201.43.114 icmp-type echoreq code 0 keep state label "icmp managment_if from man_hosts"
[ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
@6 pass in log-all on fxp1 from <tech_net:1> to any queue tech0
[ Evaluations: 196       Packets: 76        Bytes: 5045        States: 0     ]
@7 pass out log-all on fxp1 from any to <tech_net:1> queue tech1
[ Evaluations: 196       Packets: 119       Bytes: 170653      States: 0     ]
--------------------------------------------------------------------------------------------------
#### NOTES ##### 
Even though Rule 6 was used I still have nothing in my
tech0 queue below - note that rule 7 and the queue that corresponds
to it { tech1 } does queue - note also there is no "keep state" for the rule
#################
beast.bright.net:/home/coldiso% pfctl -vs queue
queue root_fxp0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, sonic0, std0}
[ pkts:        693  bytes:     187339  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech0 bandwidth 100Kb
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  sonic0 bandwidth 200Kb
[ pkts:         75  bytes:       6043  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std0 bandwidth 100Kb cbq( default )
[ pkts:        618  bytes:     181296  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:     30 ]
queue root_fxp1 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, std1}
[ pkts:        118  bytes:     172253  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech1 bandwidth 100Kb
[ pkts:        118  bytes:     172253  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:     54 ]
queue  std1 bandwidth 20Kb cbq( default )
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
------------------------------------------------------------------------------------------------------------------------
#### NOTES  #####
What happens when I make rules 6 and 7 "keep state"!?  - rule 6 gets used -
still no queue though (below) and nothing
happens for rule 7 :(  so now I lose my queue for the download side as
well.
#################
beast.bright.net:/home/coldiso% pfctl -vvs rules
@0 scrub in all fragment reassemble
[ Evaluations: 776       Packets: 400       Bytes: 0           States: 0     ]
@0 block drop log-all on fxp0 all label "block in on ext_if:default deny"
[ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
@1 pass out log-all on fxp1 all queue std1
[ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
@2 pass out log-all on fxp0 all queue std0
[ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
@3 pass out log-all on fxp0 inet from 216.201.43.114 to any keep state queue sonic0
[ Evaluations: 1         Packets: 27        Bytes: 23647       States: 1     ]
@4 pass in log quick on fxp0 inet proto tcp from <man_hosts:2> to 216.201.43.114 port = ssh flags S/SA modulate state(tcp.established 518400) label "tcp managment_if from man_hosts"
[ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
@5 pass in log quick on fxp0 inet proto icmp from <man_hosts:2> to 216.201.43.114 icmp-type echoreq code 0 keep state label "icmp managment_if from man_hosts"
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@6 pass in log-all on fxp1 from <tech_net:1> to any keep state queue tech0
[ Evaluations: 1         Packets: 27        Bytes: 23647       States: 1     ]
@7 pass out log-all on fxp1 from any to <tech_net:1> keep state queue tech1
[ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
beast.bright.net:/home/coldiso% pfctl -vs queue
queue root_fxp0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, sonic0, std0}
[ pkts:        325  bytes:      79874  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech0 bandwidth 100Kb
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  sonic0 bandwidth 200Kb
[ pkts:         20  bytes:       2416  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std0 bandwidth 100Kb cbq( default )
[ pkts:        305  bytes:      77458  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue root_fxp1 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, std1}
[ pkts:         31  bytes:      41874  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech1 bandwidth 100Kb
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std1 bandwidth 20Kb cbq( default )
[ pkts:         31  bytes:      41874  dropped pkts:      0 bytes:      0 ]
[ qlength:  17/ 50  borrows:      0  suspends:     12 ]
------------------------------------------------------------------------------------------------------------------------
#### NOTES  #####
I then try "quick" on lines 6 and 7 and remove the keep state... I get rule
matches for 6 & 7 but nothing in the queue.
#################
beast.bright.net:/home/coldiso% pfctl -vs rules
scrub in all fragment reassemble
[ Evaluations: 2950      Packets: 1382      Bytes: 0           States: 0     ]
block drop log-all on fxp0 all label "block in on ext_if:default deny"
[ Evaluations: 326       Packets: 0         Bytes: 0           States: 0     ]
pass out log-all on fxp1 all queue std1
[ Evaluations: 326       Packets: 0         Bytes: 0           States: 0     ]
pass out log-all on fxp0 all queue std0
[ Evaluations: 188       Packets: 0         Bytes: 0           States: 0     ]
pass out log-all on fxp0 inet from 216.201.43.114 to any keep state queue sonic0
[ Evaluations: 7         Packets: 319       Bytes: 248259      States: 7     ]
pass in log quick on fxp0 inet proto tcp from <man_hosts> to 216.201.43.114 port = ssh flags S/SA modulate state (tcp.established 518400) label "tcp managment_if from man_hosts"
[ Evaluations: 145       Packets: 0         Bytes: 0           States: 0     ]
pass in log quick on fxp0 inet proto icmp from <man_hosts> to 216.201.43.114 icmp-type echoreq code 0 keep state label "icmp managment_if from man_hosts"
[ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
pass in log-all quick on fxp1 from <tech_net> to any queue tech0
[ Evaluations: 319       Packets: 138       Bytes: 12934       States: 0     ]
pass out log-all quick on fxp1 from any to <tech_net> queue tech1
[ Evaluations: 188       Packets: 181       Bytes: 235325      States: 0     ]
beast.bright.net:/home/coldiso% pfctl -vs q
queue root_fxp0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, sonic0, std0}
[ pkts:        773  bytes:     248724  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech0 bandwidth 100Kb
[ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  sonic0 bandwidth 200Kb
[ pkts:        177  bytes:      17440  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std0 bandwidth 100Kb cbq( default )
[ pkts:        596  bytes:     231284  dropped pkts:      1 bytes:    630 ]
[ qlength:  10/ 50  borrows:      0  suspends:     51 ]
queue root_fxp1 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, std1}
[ pkts:        225  bytes:     303027  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech1 bandwidth 100Kb
[ pkts:        224  bytes:     302961  dropped pkts:      0 bytes:      0 ]
[ qlength:  44/ 50  borrows:      0  suspends:     97 ]
queue  std1 bandwidth 20Kb cbq( default )
[ pkts:          1  bytes:         66  dropped pkts:      0 bytes:      0 ]
[ qlength:   0/ 50  borrows:      0  suspends:      0 ]
I am installing the latest snapshot { May  8 }. I will play with the same rule
set.
Thanks
Jason Houx
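A small parser for the two pfctl listings in the post, added here as an example and not part of Jason's message or of OpenBSD: it pairs each rule of `pfctl -vs rules` with the counter line under it, attaches each child queue of `pfctl -vs queue` to the interface of its root queue, and reports the mismatch the post describes (a rule that matched packets while the queue it names counted none), plus dropped packets and queues running near their qlimit. The sample input is constructed from the numbers in the third run, rejoined onto single lines as pfctl prints them. Deriving the interface from the root_<ifname> naming convention and the 80% fill threshold are assumptions of this example, not anything pfctl guarantees.

```python
import re

# Constructed sample: counters from the post's third run, rejoined onto single lines as pfctl(8) prints them.
RULES_OUTPUT = """\
pass in log-all quick on fxp1 from <tech_net> to any queue tech0
  [ Evaluations: 319       Packets: 138       Bytes: 12934       States: 0     ]
pass out log-all quick on fxp1 from any to <tech_net> queue tech1
  [ Evaluations: 188       Packets: 181       Bytes: 235325      States: 0     ]
"""
QUEUE_OUTPUT = """\
queue root_fxp0 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech0, sonic0, std0}
  [ pkts:        773  bytes:     248724  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech0 bandwidth 100Kb
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std0 bandwidth 100Kb cbq( default )
  [ pkts:        596  bytes:     231284  dropped pkts:      1 bytes:    630 ]
  [ qlength:  10/ 50  borrows:      0  suspends:     51 ]
queue root_fxp1 bandwidth 1Mb priority 0 qlimit 100 cbq( wrr root ) {tech1, std1}
  [ pkts:        225  bytes:     303027  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/100  borrows:      0  suspends:      0 ]
queue  tech1 bandwidth 100Kb
  [ pkts:        224  bytes:     302961  dropped pkts:      0 bytes:      0 ]
  [ qlength:  44/ 50  borrows:      0  suspends:     97 ]
"""

RULE_RE = re.compile(r"^(?:@\d+\s+)?(?P<rule>(?:pass|block(?:\s+(?:drop|return\S*))?)\s+(?P<dir>in|out)\b.*)$")
RULE_STATS_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
QUEUE_RE = re.compile(r"^queue\s+(?P<name>\S+)\s+bandwidth\s+(?P<bw>\S+)(?P<rest>.*)$")
QUEUE_STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)")
QLEN_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)\s+borrows:\s*(\d+)\s+suspends:\s*(\d+)")

def parse_rules(text):
    """Pair each pass/block rule of `pfctl -vs rules` with the counter line printed under it."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("["):                      # counter line belongs to the rule above
            if (s := RULE_STATS_RE.search(line)) and cur is not None:
                cur.update(zip(("evaluations", "packets", "bytes", "states"), map(int, s.groups())))
            continue
        m = RULE_RE.match(line)                       # anything else starts a new rule; scrub lines are skipped
        cur = None
        if m:
            rule = m.group("rule")
            cur = {"rule": rule, "direction": m.group("dir"), "packets": 0, "states": 0,
                   "iface": next(iter(re.findall(r"\bon\s+(\S+)", rule)), None),
                   "queue": next(iter(re.findall(r"\bqueue\s+\(?\s*([^\s,)]+)", rule)), None)}
            rules.append(cur)
    return rules

def parse_queues(text):
    """Read `pfctl -vs queue`; child queues inherit the interface of their root queue."""
    queues, cur = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("{") and cur is not None:  # child list wrapped onto its own line, as in the post
            cur["children"] += [c.strip() for c in line.strip("{}").split(",")]
        elif line.startswith("[") and cur is not None:
            if s := QUEUE_STATS_RE.search(line):
                cur["pkts"], cur["bytes"], cur["dropped"] = map(int, s.groups())
            if q := QLEN_RE.search(line):
                cur["qlength"], cur["qlimit"], _, cur["suspends"] = map(int, q.groups())
        else:
            m = QUEUE_RE.match(line)
            cur = None
            if m:
                kids = re.search(r"\{([^}]*)\}", m.group("rest"))
                cur = {"name": m.group("name"), "bandwidth": m.group("bw"), "iface": None,
                       "children": [c.strip() for c in kids.group(1).split(",")] if kids else [],
                       "pkts": 0, "bytes": 0, "dropped": 0, "qlength": 0, "qlimit": 0, "suspends": 0}
                queues[cur["name"]] = cur
    # Assumption: root queues are named root_<ifname> as in the post; pfctl does not enforce this.
    for name, q in queues.items():
        if name.startswith("root_"):
            q["iface"] = name[len("root_"):]
            for child in q["children"]:
                if child in queues:
                    queues[child]["iface"] = q["iface"]
    return queues

def audit(rules, queues, fill_warn=0.8):
    """Cross-check rule counters against queue counters; returns (code, queue, detail) tuples."""
    findings = []
    for r in rules:
        q = queues.get(r["queue"])
        if q and r["direction"] == "out" and q["iface"] not in (None, r["iface"]):
            findings.append(("OTHER_IFACE", q["name"],
                             f"out rule on {r['iface']} assigns a queue that lives on {q['iface']}"))
        if q and r["packets"] > 0 and q["pkts"] == 0:
            findings.append(("EMPTY_QUEUE", q["name"],
                             f"rule matched {r['packets']} packets but the queue counted none"))
    for name, q in queues.items():
        if q["dropped"] > 0:
            findings.append(("DROPS", name, f"{q['dropped']} packets dropped"))
        if q["qlimit"] and q["qlength"] / q["qlimit"] >= fill_warn:   # assumed 80% warning threshold
            findings.append(("NEAR_FULL", name, f"qlength {q['qlength']}/{q['qlimit']}"))
    return findings

print(*audit(parse_rules(RULES_OUTPUT), parse_queues(QUEUE_OUTPUT)), sep="\n")
```

On a live gateway the two constants would be replaced with the output of `pfctl -vs rules` and `pfctl -vs queue`. The interface check is applied to `out` rules only: a queue named on an `in` rule, like tech0 on rule 6, refers to a queue on the interface the packet will leave through, so it is expected to live elsewhere, and the interesting signal for that case is the EMPTY_QUEUE finding, which reproduces the tech0 observation from the post.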