Re: Question about pf.conf queues

Sat, 14 Jan 2023 14:24:59 -0800 

On 2023-01-14 11:37, Marcus MERIGHI wrote:


Hello,

not an answer but a little input below...

gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 00:09 (CET):

I have a question regarding queuing and priorities in pf.conf on
OpenBSD 7.2.

I have a basic gateway configuration - a PC with two NIC's (em0, em1). One
interface is connected to the LAN and one interface is connected to the
Internet with a public IP and with a bandwidth of approximately 60 Mbps down
and 10 Mbps up.  I perform NAT on the gateway.

In terms of queuing, I'd like to make use of the following:

** Queue using HFSC for all outbound traffic

** Flow manager for the queue for fair queue utilization

** For TCP traffic I would like to use two priorities - one for TCP data
packets and one for TCP ACKs (as mentioned in Peter Hansteen's "Book of pf
3rd edition" in chapter 7)

Current configuration pf.conf:

ext_if = "em0"
int_if = "em1"

set skip on lo0

queue rootq on $ext_if bandwidth 55M max 55M
     queue dataq parent rootq bandwidth 55M max 55M flows 1024 \
         qlimit 1024 default

match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)

block all

match in  on $int_if inet tag LAN
match out on $ext_if inet queue dataq set prio (5, 6) tag INTERNET

pass in  quick on $int_if tagged LAN
pass out quick on $ext_if tagged INTERNET


In this message

         https://marc.info/?l=openbsd-misc&m=164521874319122

sthen@ said

         The queue is attached to a firewall state and all packets
         matching that state will pick it up. So if you have a named
         queue present on em0 but not em1, and match with "pass out on
         em1 set queue foo", packets transmitted on em1 will not be
         queued, but packets matching that state (return packets via em0)
         _will_ be queued.

Marcus


Hi Marcus,

Thank you for your reply and thank you for the link to MARC.
Based on what the referenced message states, am I not okay ? I have a single queue and it is bound to a single NIC $ext_if. The pass rule that allows the traffic to leave $ext_if should create the state for queuing of outbound packets, should it not ?
Or, are you saying that the queue assignment belongs on the pass rule and not the match statement ? 

So instead of:

    match out on $ext_if inet queue dataq set prio (5, 6) tag INTERNET
        . . .
    pass out quick on $ext_if tagged INTERNET

... I could use:

    match out on $ext_if inet tag INTERNET
        . . .
    pass out quick on $ext_if set queue dataq set prio (5, 6) \
        tagged INTERNET

- J

Reply via email to