On Wed, Mar 25, 2015 at 9:25 AM, Petr Topiarz <[email protected]> wrote:
>
>>
>> The direction on the "pass" rule is related to which packets that rule
>> matches. So a packet comes in and matches a rule and creates a state
>> table entry. If that rule has a queue specifier, the state entry is
>> marked with the queue name.
>>
>> Now when you have any packet matching that state, that queue assignment
>> is used; if the outbound interface that this packet will be sent over
>> has a queue with that name, traffic will be queued.
>>
>>
>
> OK, so do you suggest that inbound traffic cannot be shaped? If that was
> true, then PF after 5.5 release would not be able to do what it was able to
> do before with altq. Now that is sad...

Your "pass in all" and "pass out all" rules at the top are not
helping. Most likely, the packets are not matching the right pass
rules. Start by defining your queues and a default deny rule:

queue rootq on $ext_if bandwidth 40M, min 40M, max 40M
queue rootq on $int_if bandwidth 40M, min 40M, max 40M
queue http parent rootq bandwidth 6M, min 1M, max 7M
queue std parent rootq bandwidth 1M, min 500K, max 2M default

block log

Now, you need two rules for traffic crossing your firewall; one
inbound and one outbound. You should be able to specify the queue just
on the inbound rule. It will not queue the packets that are inbound
(this was never possible), but it will create a state for the inbound
interface that will correctly queue response packets, and it should
also use that same queue on the outbound interface as long as the
outbound rule does not specify some other queue to use:

pass in quick on $ext_if proto tcp to 192.168.8.5 set queue http
pass out quick on $int_if proto tcp to 192.168.8.5

I'm sure I'll be corrected if anything I said is wrong, but this is my
understanding of how the new queueing system (and set prio?) works. I
can't figure out from your examples what your actual network layout
is, so you may need to adjust these rules as needed. I'll agree that
the documentation on the new queueing system is a bit lacking, so you
just have to experiment with this stuff.

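The two-rule layout described in the reply above, written out as a complete pf.conf fragment. This is an added example, not a ruleset from the thread or from OpenBSD's own documentation; the interface names, the web server address, the restriction to port 80 and the bandwidth figures are assumptions chosen to match the discussion.

```conf
# Added example for the OpenBSD 5.5+ queueing syntax. em0/em1, the server
# address, port 80 and the bandwidth figures are assumed values.
ext_if = "em0"
int_if = "em1"
webserver = "192.168.8.5"

# Packets are only ever queued on the interface they are sent out of, so each
# interface that should shape traffic gets its own tree and its own default
# queue. The root queues have distinct names so 'parent' is unambiguous; the
# child queues are deliberately named the same on both interfaces, because a
# state carries a queue name and that name is looked up on whichever
# interface a packet belonging to the state leaves through.
queue ext_root on $ext_if bandwidth 40M, max 40M
queue http parent ext_root bandwidth 6M, min 1M, max 7M
queue std  parent ext_root bandwidth 1M, min 500K, max 2M default

queue int_root on $int_if bandwidth 40M, max 40M
queue http parent int_root bandwidth 6M, min 1M, max 7M
queue std  parent int_root bandwidth 1M, min 500K, max 2M default

# Default deny: only the explicit pass rules below create states, so no
# catch-all "pass in all" / "pass out all" can grab the packet first.
block log

# A client connecting to the web server enters on $ext_if. The state created
# here is tagged with "http": the server's replies leave via $ext_if and are
# shaped by http on $ext_if; the forwarded request packets leave via $int_if
# and are shaped by http on $int_if. Tagging the outbound rule as well keeps
# the assignment explicit whichever rule ends up creating the state.
pass in  quick on $ext_if proto tcp to $webserver port 80 set queue http
pass out quick on $int_if proto tcp to $webserver port 80 set queue http
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -s queue -v` (or `systat queues`) while generating traffic: if the byte counters for the http queues on both interfaces stay at zero, the packets are matching a different rule or the queue name is missing from one interface's tree.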