
priq-queues for tcp_ack and p2p



Hi,
I'm a proud owner of Jacek's pf-book and some official 
OpenBSD CDs (2.8 through 3.6) but still a pf-newbie.
I'm trying to combine Jacek's altq priq example with
Daniel's http://www.benzedrine.cx/ackpri.html to give
all tcp-ack and ssh packets the highest priorities and
p2p-downloads the lowest, but unfortunately I'm stuck
and even after some additional reading I feel that I
need some external advice.
I'm using OpenBSD 3.4 (I'm going to upgrade soon) on 
a PC connected to ADSL (768/128Kb) - dmesg is attached.
Here is the pf.conf I'm trying to use. For some reason
I'm able to surf and fetch/send mail only if I comment
out the rules for the www- and mail-queues as below:
int_if		= rl0
ext_if		= tun0
#table <private> {127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8}
set block-policy return
set loginterface $ext_if
scrub in on $ext_if all
scrub out on $ext_if all random-id
altq on $ext_if priq bandwidth 100Kb queue \
	{tcp_ack, dns, ssh_login, mail, www, ssh_bulk, ftp, p2p}
queue tcp_ack	priority 12 priq(red)
queue dns	priority 11 priq(red)
queue ssh_login	priority 10 priq(red)
queue mail	priority  9 priq(red)
queue www	priority  8 priq(red)
queue ssh_bulk	priority  7 priq(red)
queue ftp	priority  6 priq(red)
queue p2p	priority  5 priq(default)
nat on $ext_if from $int_if:network to any -> ($ext_if)
#rdr on $int_if proto tcp from $int_if:network to any \
#	port ftp -> 127.0.0.1 port 8021
pass in all
pass out all
#block drop in  log quick on $ext_if from <private> to any
#block drop out log quick on $ext_if from any to <private>
pass out quick on $ext_if proto udp from any to any \
	port domain keep state queue dns
pass out quick on $ext_if proto tcp from any to any \
	port domain synproxy state queue dns
pass out quick on $ext_if proto tcp from any to any \
	port {ssh telnet} synproxy state queue(ssh_bulk, ssh_login)
#pass out quick on $ext_if proto tcp from any to any \
	#port {smtp pop3 imaps} synproxy state queue(mail, tcp_ack)
#pass out quick on $ext_if proto tcp from any to any \
	#port {http https} synproxy state queue(www, tcp_ack)
pass out quick on $ext_if proto tcp from any to any \
	port {ftp ftp-data} synproxy state queue(ftp, tcp_ack)
	
pass out on $ext_if from any to any keep state queue(p2p, tcp_ack)
I run my own named on the same host and it seems to work ok -
it resolves hostnames, and in the "pfctl -vs queue" output I can
see how the packet counter of the dns-queue increases for each
nslookup request on the command line:
pref:alex {1055} nslookup www.google.de
Server:         192.168.1.1
Address:        192.168.1.1#53
Non-authoritative answer:
www.google.de   canonical name = www.google.com.
www.google.com  canonical name = www.google.akadns.net.
Name:   www.google.akadns.net
Address: 66.102.11.99
Name:   www.google.akadns.net
Address: 66.102.11.104
pref:alex {1069} sudo pfctl -vs queue
queue tcp_ack priority 12 priq( red ) 
  [ pkts:       1881  bytes:      84700  dropped pkts:      0 bytes:      0 ]
  [ qlength:   2/ 50 ]
queue dns priority 11 priq( red ) 
  [ pkts:          2  bytes:        148  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue ssh_login priority 10 priq( red ) 
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue mail priority 9 priq( red ) 
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue www priority 8 priq( red ) 
  [ pkts:          4  bytes:        192  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue ssh_bulk priority 7 priq( red ) 
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue ftp priority 6 priq( red ) 
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue p2p priority 5 priq( default ) 
  [ pkts:       1426  bytes:     758880  dropped pkts:     56 bytes:   5814 ]
  [ qlength:   0/ 50 ]
Also, as seen above, I see packets in the www-queue when I try to load
some web pages (BTW I use a squid package on the same host), but
the pages just don't load - neither with lynx nor with firefox.
And the mail is not being fetched/sent until I comment out the mail-rule.
For some strange reason the bittorrent continues running just fine.
I also tried stopping it, but it doesn't help www and mail.
pref:alex {1067} sudo pfctl -vs rule
scrub in on tun0 all fragment reassemble
  [ Evaluations: 6710      Packets: 3580      Bytes: 0           States: 0     ]
scrub out on tun0 all random-id fragment reassemble
  [ Evaluations: 2950      Packets: 2950      Bytes: 0           States: 0     ]
pass in all
  [ Evaluations: 293       Packets: 130       Bytes: 8122        States: 0     ]
pass out all
  [ Evaluations: 296       Packets: 59        Bytes: 8379        States: 0     ]
pass out quick on tun0 proto udp from any to any port = domain keep state queue dns
  [ Evaluations: 165       Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = domain synproxy state queue dns
  [ Evaluations: 41        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = ssh synproxy state queue(ssh_bulk, ssh_login)
  [ Evaluations: 103       Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = telnet synproxy state queue(ssh_bulk, ssh_login)
  [ Evaluations: 38        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = smtp synproxy state queue(mail, tcp_ack)
  [ Evaluations: 38        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = pop3 synproxy state queue(mail, tcp_ack)
  [ Evaluations: 38        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = imaps synproxy state queue(mail, tcp_ack)
  [ Evaluations: 38        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = www synproxy state queue(www, tcp_ack)
  [ Evaluations: 38        Packets: 1         Bytes: 64          States: 1     ]
pass out quick on tun0 proto tcp from any to any port = https synproxy state queue(www, tcp_ack)
  [ Evaluations: 37        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = ftp synproxy state queue(ftp, tcp_ack)
  [ Evaluations: 37        Packets: 0         Bytes: 0           States: 0     ]
pass out quick on tun0 proto tcp from any to any port = ftp-data synproxy state queue(ftp, tcp_ack)
  [ Evaluations: 37        Packets: 0         Bytes: 0           States: 0     ]
pass out on tun0 all keep state queue(p2p, tcp_ack)
  [ Evaluations: 105       Packets: 542       Bytes: 59056       States: 102   ]
Do you have any ideas what's wrong, or do you need more information?
Regards
Alex
PS: The dmesg and some other information for my HP Kayak PC:
pref:alex {1077} uname -a
OpenBSD pref.my.domain 3.4 GENERIC.pref#4 i386
pref:alex {1078} uptime
 9:22PM  up 3 days, 23:07, 2 users, load averages: 0.73, 0.69, 0.64
pref:alex {1080} df
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a     4126430  1676666  2243444    43%    /
/dev/wd0e    29688092  9363238 18840450    33%    /home
/dev/wd0d     4126462   906640  3013500    23%    /var
pref:alex {1081} tail /var/log/messages
Dec 20 19:15:56 pref named[16449]: creating IPv4 interface tun0 failed; interface ignored
Dec 20 19:58:10 pref NTP: Mon Dec 20 19:58:10 UTC 2004 
Dec 20 19:58:10 pref NTP: rdate: adjust local clock by -0.197594 seconds 
Dec 20 20:15:56 pref named[16449]: could not listen on UDP socket: permission denied
Dec 20 20:15:56 pref named[16449]: creating IPv4 interface tun0 failed; interface ignored
Dec 20 20:58:04 pref NTP: Mon Dec 20 20:58:03 UTC 2004 
Dec 20 20:58:04 pref NTP: rdate: adjust local clock by -0.247081 seconds 
Dec 20 21:00:02 pref pflogd[3380]: Reopened logfile
Dec 20 21:15:56 pref named[16449]: could not listen on UDP socket: permission denied
Dec 20 21:15:56 pref named[16449]: creating IPv4 interface tun0 failed; interface ignored
pref:alex {1082} dmesg
arpresolve: can't allocate llinfo
arplookup: unable to enter address for 192.168.1.2
arplookup: unable to enter address for 192.168.1.32
arplookup: unable to enter address for 192.168.1.32
arplookup: unable to enter address for 192.168.1.32
le1: device timeout
syncing disks... done
rebooting...
OpenBSD 3.4-stable (GENERIC.pref) #4: Mon Mar 22 14:47:59 UTC 2004
    [email protected]:/sys/arch/i386/compile/GENERIC.pref
cpu0: Intel Pentium II (Klamath) ("GenuineIntel" 686-class, 512KB L2 cache) 267 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX
real mem  = 335130624 (327276K)
avail mem = 304209920 (297080K)
using 4116 buffers containing 16859136 bytes (16464K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(8a) BIOS, date 10/02/98, BIOS32 rev. 0 @ 0xfd79d
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
pcibios0 at bios0: rev. 2.1 @ 0xfd730/0x8d0
pcibios0: PCI IRQ Routing Table rev. 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:04:0 ("Intel 82371FB PCI-ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
WARNING: can't reserve area for I/O APIC.
bios0: ROM list: 0xc0000/0x8000
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443LX PCI-AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443LX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "Cirrus Logic CL-GD5465" rev 0x03
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 4 function 0 "Intel 82371AB PIIX4 ISA" rev 0x01
pciide0 at pci0 dev 4 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD400EB-11CPF0>
wd0: 16-sector PIO, LBA, 38166MB, 16383 cyl, 16 head, 63 sec, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <MITSUMI, CD-ROM !B, G01> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 3
uhci0 at pci0 dev 4 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
"Intel 82371AB Power Mgmt" rev 0x01 at pci0 dev 4 function 3 not configured
rl0 at pci0 dev 6 function 0 "Realtek 8139" rev 0x10: irq 10 address 00:50:fc:a2:72:e2
rlphy0 at rl0 phy 0: RTL internal phy
le1 at pci0 dev 7 function 0 "AMD 79c970 PCnet-PCI LANCE" rev 0x25: irq 9
le1: address 00:60:b0:ed:cb:d3
le1: 8 receive buffers, 2 transmit buffers
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask c840 netmask ce40 ttymask de42
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
le1: device timeout
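An added helper (not from the original post and not part of pf) that parses "pfctl -vs queue" output like the one quoted in the post and reports which queues are dropping packets and which queues never saw any traffic, which is the first thing to check when a queue assignment seems to break a service. The sample text is a constructed copy of three queue blocks from the post; the drop ratio is computed as dropped / (passed + dropped), an assumption about how to read the counters.

```python
import re

# Constructed sample: three queue blocks in the format of "pfctl -vs queue".
SAMPLE = """\
queue tcp_ack priority 12 priq( red )
  [ pkts:       1881  bytes:      84700  dropped pkts:      0 bytes:      0 ]
  [ qlength:   2/ 50 ]
queue ssh_login priority 10 priq( red )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue p2p priority 5 priq( default )
  [ pkts:       1426  bytes:     758880  dropped pkts:     56 bytes:   5814 ]
  [ qlength:   0/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue (\S+) priority (\d+) (\w+)\(\s*([^)]*?)\s*\)")
STATS_RE = re.compile(r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")
QLEN_RE = re.compile(r"qlength:\s*(\d+)/\s*(\d+)")

def parse_queues(text):
    """Return one dict per queue: name, priority, scheduler, options and counters."""
    queues = []
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:  # header line starts a new queue record
            queues.append({"name": m.group(1), "priority": int(m.group(2)),
                           "sched": m.group(3), "opts": m.group(4).split()})
            continue
        if not queues:  # stats lines before any header are ignored
            continue
        m = STATS_RE.search(line)
        if m:  # packet/byte counters belong to the most recent queue
            queues[-1].update(pkts=int(m.group(1)), bytes=int(m.group(2)),
                              dropped_pkts=int(m.group(3)), dropped_bytes=int(m.group(4)))
            continue
        m = QLEN_RE.search(line)
        if m:  # current queue occupancy and its limit
            queues[-1].update(qlen=int(m.group(1)), qlimit=int(m.group(2)))
    return queues

def drop_report(queues):
    """(name, drop ratio) for every queue that dropped packets, worst first."""
    dropped = [(q["name"], q["dropped_pkts"] / (q["pkts"] + q["dropped_pkts"]))
               for q in queues if q.get("dropped_pkts")]
    return sorted(dropped, key=lambda t: t[1], reverse=True)

def idle_queues(queues):
    """Queues that never passed a packet, i.e. no rule is feeding them."""
    return [q["name"] for q in queues if q.get("pkts") == 0]
```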