I solved my case in a good way, but I'm currently not using states. I think that a general, intuitive and efficient solution could be useful.

The problem: queue assignment of "back" packets of TCP flows when "keep state" is used and queues are used in both directions. Currently the only solution seems to be to (almost) replicate the same rules for both interfaces ("in" and "out"). So the same rules are evaluated two times: more use of CPU and more rules to maintain.

I propose to extend the current syntax to permit specifying the queue(s) to use for "back" packets (allowed only if "keep state" is used). The syntax of the "queue" keyword could be extended or a new keyword (something like "back-queue") could be introduced.

Thanks.


P.S.
I understand that it's not common to have queues in both directions, but when it is the case, this feature could be very useful.

P.P.S.
No, I don't have enough knowledge of PF and C programming skills to implement this feature by myself, but I thought that it could be useful to propose a possible solution.



Federico Giannici wrote:
Daniel Hartmeier wrote:
For queueing in pf, the direction of the packet simply doesn't matter.

I guess your setup would be like this. You have two interfaces and are
forwarding connections through both. On each interface, you have two
queues (one high priority, one low priority), that's four distinct
queues.

                       int_if  pf  ext_if

                    q_int_low      q_ext_low
                    q_int_pri      q_ext_pri

Your assumption is correct.


One connection through the firewall passes through each interface,
matches a rule on each interface, creates state on each interface.

That's two separate matching rules and two separate states per
connection.

Say, the initial SYN of a TCP connection goes from the internal to the
external side. The SYN first passes in on int_if, creates state with
option 'queue (q_int_low, q_int_pri)' on int_if. Then the SYN passes out
on ext_if, and creates a second state with option 'queue (q_ext_low,
q_ext_pri)'.

Now there can be empty ACKs flowing in both directions, back and forth.

Those that flow in the same direction as the initial SYN (from int to
ext) will match the ext state last, hence get queued in q_ext_pri/low.
The packets flowing in reverse will match the state on int last, and
get queued in q_int_pri/low.

OK, but this is a "trick".
Moreover it forces me to duplicate all rules, and doubles the CPU usage.

Currently I filter packets only when they ENTER the firewall NICs, only for the "in" condition, not "out". I find it more intuitive and secure.

Anyway, if it is the only solution, I'll try to implement it. But I think it is really not intuitive. For example, the queue example in the "pf.conf" man page seems wrong to me: it applies the filters only to the output of one NIC, so the ACKs in the back direction are queued to the same queues as the forward direction!
What happens in this case?
Am I still missing something?


Thanks.



--
___________________________________________________
    __
   |-                      [EMAIL PROTECTED]
   |ederico Giannici      http://www.neomedia.it
___________________________________________________
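Editor's note: the two-interface setup Daniel describes above, written out as a pf.conf fragment. This is an added example, not configuration posted by either participant; the interface names, bandwidths and the priq scheduler are assumptions chosen to keep it short.

```pf
# Assumed interface names (not from the thread).
int_if = "fxp0"
ext_if = "fxp1"

# Two queues per interface: four distinct queues, as in Daniel's diagram.
# The priq scheduler and bandwidth figures are assumptions.
altq on $int_if priq bandwidth 100Mb queue { q_int_low, q_int_pri }
queue q_int_low priority 1 priq(default)
queue q_int_pri priority 7

altq on $ext_if priq bandwidth 10Mb queue { q_ext_low, q_ext_pri }
queue q_ext_low priority 1 priq(default)
queue q_ext_pri priority 7

block all

# State on int_if: a packet's queue is set by the LAST state it matches,
# so traffic leaving on int_if (the "back" direction of internal-initiated
# flows) ends up in q_int_low, with empty ACKs in q_int_pri.
pass in on $int_if proto tcp from $int_if:network to any \
    keep state queue (q_int_low, q_int_pri)

# State on ext_if: traffic leaving on ext_if (the forward direction)
# matches this state last and is queued in q_ext_low / q_ext_pri.
pass out on $ext_if proto tcp from $int_if:network to any \
    keep state queue (q_ext_low, q_ext_pri)
```

Without the second rule, packets would still leave on ext_if (if otherwise allowed) but would not be assigned to any ext_if queue, which is the duplication Federico objects to.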