
Queuing problem after redirection (rdr)


I have the following network topology:

[ LAN ] <--------> [ OBSD f/w ] <----- DSL -----> [ Internet ]
                        |
                        \-----> [ DMZ ]

In the DMZ I have a proxy (squid) configured and running properly on
port 3128. I want to make this proxy transparent for the users and also
QoS the outgoing connections to http port 80. Connections irrelevant
to the 80 port should be queued in the dmz_in class. Connections going
to 80 port should be proxied and then throttled through the web_in
queue. The rules on the firewall are (amongst others, the whole ruleset
can be provided on request):

# QoS
altq on $int_if bandwidth 100% cbq queue { internet_in, dmz_in }

queue internet_in bandwidth 512Kb cbq { bulk_in, web_in, std_in, rt_in }
  queue std_in  bandwidth 150Kb cbq(default, borrow)
  queue bulk_in bandwidth 100Kb priority 0 cbq(borrow)
  queue web_in  bandwidth 150Kb priority 3 cbq(borrow)
  queue rt_in   bandwidth  60Kb priority 5 cbq(borrow)

queue dmz_in bandwidth 95%

# and further below the rdr rule:

# Proxy redirection for internal hosts
rdr on $int_if proto tcp from <internet_hosts> to any port www \
        -> $proxy port squid-http

# and filter rules...

# filter rules for $int_if outbound
block out on $int_if all
pass  out on $int_if from any to <internet_hosts> queue std_in
pass  out on $int_if proto tcp from any port ssh to <internet_hosts> \
        queue (bulk_in, rt_in)
pass  out on $int_if proto tcp from any port rdesktop to <internet_hosts> \
        queue rt_in
pass  out quick on $int_if proto tcp from any port www to <internet_hosts> \
        queue web_in
pass  out on $int_if proto tcp from $proxy to $internal_net queue dmz_in

The problem is that when I enable rdr all packets go to the proper
queue class except the port 80 packets (they go through the proxy, but
they also end up in the std_in queue instead of web_in). When I disable
rdr everything works as expected (the web_in class is utilized).

I know that translation happens before filtering, therefore to queue
the packets I should look for the destination address of the proxy, but
my pass rule is more generic (here it is the source address):

pass  out quick on $int_if proto tcp from any port www to <internet_hosts> \
        queue web_in

which for some reason does not work.

Anyway, since the packet is leaving the interface it should be
re-translated, which means it should appear to come from port 80.

Also tried to tag packets:

# Proxy redirection for internet hosts
rdr on $int_if proto tcp from <internet_hosts> to any port www tag WEB \
        -> $proxy port squid-http
pass  out quick on $int_if proto tcp all tagged WEB keep state queue

But even then the web_in queue is not used!
Before it, the same rules as before are defined...

$ pfctl -vsq
queue  web_in bandwidth 150Kb priority 3 cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]

Miscellaneous info:

$ cat /etc/motd | head -1
OpenBSD 3.6-stable (GENERIC) #0: Thu Jan 27 22:51:18 EET 2005

on a sparc64 (Ultra1).

Any insight on why this doesn't work? Is this a bug or am I overlooking
Since I am not a member of the list, would you please be kind and cc me?

Thanks in advance (for reading this huge message):
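The fragment below is an added example, not part of the original post
and not the poster's ruleset. It places the queue assignment the post
describes (on a stateless "pass out" rule matching the un-translated
reply) beside one that binds the queue to the rule that creates the
state. It assumes the part of the ruleset the post did not include,
namely that a "pass in on $int_if ... keep state" rule admits the
redirected connection, and it relies on pf's behaviour that a packet
matching an existing state is assigned the queue named by the rule that
created that state (in both directions), so filter rules are not
consulted for it at all; on the output interface the packet is placed
in the queue of that name if the interface has one, otherwise in the
interface's default queue. The macros $int_if, $proxy and the
<internet_hosts> table are taken from the post; "keep state" is written
out because it is not implicit on OpenBSD 3.6.

```conf
# Added example (not from the original post): where the queue has to be
# named for a transparently proxied web connection on OpenBSD 3.6 pf.
#
# Assumed (the full ruleset was not posted):
#  - $int_if is the LAN interface, $proxy the squid host in the DMZ,
#    <internet_hosts> the LAN clients allowed out.
#  - A stateful packet is assigned the queue of the rule that created the
#    state, in both directions; the filter rules are not consulted for it.
#  - States are floating (the default), so the forwarded request and the
#    proxy's reply on the DMZ interface match the same state.

# Queues on the LAN interface, as in the post.
altq on $int_if bandwidth 100% cbq queue { internet_in, dmz_in }
queue internet_in bandwidth 512Kb cbq { bulk_in, web_in, std_in, rt_in }
  queue std_in  bandwidth 150Kb cbq(default, borrow)
  queue bulk_in bandwidth 100Kb priority 0 cbq(borrow)
  queue web_in  bandwidth 150Kb priority 3 cbq(borrow)
  queue rt_in   bandwidth  60Kb priority 5 cbq(borrow)
queue dmz_in bandwidth 95%

# Translation runs before filtering: the filter rules below see
# dst = $proxy port 3128, not port 80.
rdr on $int_if proto tcp from <internet_hosts> to any port www tag WEB \
        -> $proxy port squid-http

# BEFORE (the situation in the post): the state for the redirected
# connection is created by a generic "pass in" rule that names no queue,
# and the queue sits on a stateless "pass out" rule matching the
# re-translated reply (src port 80).  The reply matches the state, so the
# "pass out" rule is never evaluated and the reply lands in the default
# queue std_in; web_in stays at 0 packets, exactly as pfctl -vsq shows.
#
#   pass in  on $int_if proto tcp from <internet_hosts> to $proxy \
#            port squid-http keep state
#   pass out quick on $int_if proto tcp from any port www \
#            to <internet_hosts> queue web_in

# AFTER: name the queue on the rule that creates the state, matching the
# translated destination (or the tag set by rdr).  The second queue of
# the pair takes empty ACKs and lowdelay packets.  The reply leaving
# $int_if is then enqueued in web_in, which exists on that interface.
pass in  on $int_if proto tcp from <internet_hosts> to $proxy \
         port squid-http tagged WEB keep state queue (web_in, rt_in)

# The "pass out on $int_if ... queue web_in" rule is no longer needed
# for the proxied replies; keep the remaining "pass out" rules for
# connections that are not redirected (ssh, rdesktop, everything else).
```

Check with "pfctl -vsq" after loading: with this layout the web_in counters
rise as soon as a LAN client fetches a page through the proxy; if they stay
at zero, the state is being created by some other rule without a queue,
which "pfctl -vvss" (the rule number in each state entry) will show.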