[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: State/queue question




On Apr 23, 2005, at 9:06 AM, Henning Brauer wrote:


* J. Martin Petersen <[email protected]> [2005-04-23 10:49]:
Henning Brauer wrote:
* Kelley Reynolds <[email protected]> [2005-03-21 19:40]:

This has come up a few times on the list, and I was wondering how difficult it would be to alter the pf syntax so that a stateful rule on a firewall could apply queues on two interfaces so that bidirectional queueing can be done while tracking state?

I believe (and please correct me if I'm wrong) that to get bi-directional queueing, one must have a seperate rule per interface and not keep state since that would be a single rule (this limiting the state-associated packets to a single queue, one interface or the other)


huh? you should create state and just create queues by the same names n
different interfaces, it'll Just Work

Was this introduced recently?

no.


When I try something something like

	altq on $mci_if cbq bandwidth 28Mb qlimit $qs queue { serv bulk}
	  queue serv bandwidth 20% priority 6 cbq(borrow)
	  queue bulk bandwidth 80% priority 5 cbq(borrow)

	altq on $mbh_if cbq bandwidth 28Mb qlimit $qs queue { serv bulk}
	  queue serv bandwidth 20% priority 6 cbq(borrow)
	  queue bulk bandwidth 80% priority 5 cbq(borrow)

you are specifying teh queues twice.


altq on { $mci_if $mbh_if } cbq bandwidth 28Mb qlimit $qs queue { serv bulk}
queue serv bandwidth 20% priority 6 cbq(borrow)
queue bulk bandwidth 80% priority 5 cbq(borrow)


will work, or you can limit queue specifications to a certain
interfaces as well, aka queue blah on $someinterface

I misunderstood how this worked as well (and in fact, I have changes to the documentation pending for the FAQ for this exact question as per Henning's owed favor) but it's all very simple.


Making a queue is exactly like creating a rule. It assumes all interfaces unless you specify an interface like:

queue serv on $mci_if bandwidth ...
queue serv on $mbh_if bandwidth ...

Now, if you want the attributes of those queues to be the same (same bandwidth, same priority, same whatever), you can just omit the interface bit and it'll make a queue with said names on every interface.

Now for the truly useful part which is what I was missing: When you assign a packet to a queue in a rule, you aren't actually assigning it to a queue. All you are doing is giving it a name. For example, you are stating "If there is a queue called <queuename> when I'm going out an interface, apply it. If not, apply me to the default queue"

So when traveling out $mbh_if, if there is queue matching the queue assigned to the packet, it will go there. Likewise, when traveling out $mci_if, if there is a queue name matching the queue assigned to the packet, it will go there or failing that, the default queue.

To doubly reiterate in a slightly different way:

pass in on $mci_if keep state queue foo

All you have done there is attach the name 'foo' to packets matching this rule. You've done no queueing, no nothing. The check for queueing comes later, when this packet is exiting an interface, at which point it says "Is there a queue named 'foo' on this interface? If so, go into it. If not, go into the default queue."

There is naturally a more technical way of describing this behavior, but you'll have to ask somebody else for that if you really want it.

Kelley Reynolds
President
Inside Systems, Inc.