Hello, 

gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 23:24 (CET):
> On 2023-01-14 11:37, Marcus MERIGHI wrote:
> 
> > Hello,
> > 
> > not an answer but a little input below...
> > 
> > gene...@nativemethods.com (J Doe), 2023.01.14 (Sat) 00:09 (CET):
> > > I have a question regarding queuing and priorities in pf.conf on
> > > OpenBSD 7.2.
> > > 
> > > I have a basic gateway configuration - a PC with two NIC's (em0, em1). One
> > > interface is connected to the LAN and one interface is connected to the
> > > Internet with a public IP and with a bandwidth of approximately 60 Mbps down
> > > and 10 Mbps up.  I perform NAT on the gateway.
> > > 
> > > In terms of queuing, I'd like to make use of the following:
> > > 
> > > ** Queue using HFSC for all outbound traffic
> > > 
> > > ** Flow manager for the queue for fair queue utilization
> > > 
> > > ** For TCP traffic I would like to use two priorities - one for TCP data
> > > packets and one for TCP ACKs (as mentioned in Peter Hansteen's "Book of pf
> > > 3rd edition" in chapter 7)
> > > 
> > > Current configuration pf.conf:
> > > 
> > > ext_if = "em0"
> > > int_if = "em1"
> > > 
> > > set skip on lo0
> > > 
> > > queue rootq on $ext_if bandwidth 55M max 55M
> > >      queue dataq parent rootq bandwidth 55M max 55M flows 1024 \
> > >          qlimit 1024 default
> > > 
> > > match out on $ext_if inet from ($int_if:network) to any nat-to ($ext_if:0)
> > > 
> > > block all
> > > 
> > > match in  on $int_if inet tag LAN
> > > match out on $ext_if inet queue dataq set prio (5, 6) tag INTERNET
> > > 
> > > pass in  quick on $int_if tagged LAN

pass in  quick on $int_if tagged LAN queue dataq 
                                     ^^^^^^^^^^^
This way the packets get assigned to the queue when entering the
machine's network handling code, and are treated accordingly when
leaving on the outbound interface.

(Avoid "quick", unless you want headaches as the ruleset grows.)

> > > pass out quick on $ext_if tagged INTERNET
> > 
> > In this message
> > 
> >          https://marc.info/?l=openbsd-misc&m=164521874319122
> > 
> > sthen@ said
> > 
> >          The queue is attached to a firewall state and all packets
> >          matching that state will pick it up. So if you have a named
> >          queue present on em0 but not em1, and match with "pass out on
> >          em1 set queue foo", packets transmitted on em1 will not be
> >          queued, but packets matching that state (return packets via em0)
> >          _will_ be queued.
> > 
> > Marcus
> 
> Hi Marcus,
> 
> Thank you for your reply and thank you for the link to MARC.
> 
> Based on what the referenced message states, am I not okay ?  I have a
> single queue and it is bound to a single NIC $ext_if.  The pass rule that
> allows the traffic to leave $ext_if should create the state for queuing of
> outbound packets, should it not ?
> 
> Or, are you saying that the queue assignment belongs on the pass rule and
> not the match statement ?
 
The queue assignment should happen as soon as the pf rules create the
state, i.e. on the inbound interface, see the example above.

Marcus

> So instead of:
> 
>     match out on $ext_if inet queue dataq set prio (5, 6) tag INTERNET
>         . . .
>     pass out quick on $ext_if tagged INTERNET
> 
> ... I could use:
> 
>     match out on $ext_if inet tag INTERNET
>         . . .
>     pass out quick on $ext_if set queue dataq set prio (5, 6) \
>         tagged INTERNET
> - J
