I'm testing ssh coming from outside right now.
With an ssh session I get all the packets going to ExtInAck.

pf.conf

ext_if="xl0"
scrub in log all
altq on $ext_if hfsc bandwidth 2000Kb queue { default-Ext-In, sshExtInObsd, httpExtInObsd, ExtInAck }
queue default-Ext-In bandwidth 20% hfsc(red linkshare 20% default) priority 1
queue sshExtInObsd bandwidth 10% hfsc(red realtime 100Kb) { sshinteractext, sshbulkext }
queue sshinteractext bandwidth 50% priority 7 hfsc(red)
queue sshbulkext bandwidth 50% priority 1 hfsc(red)
queue httpExtInObsd bandwidth 10% hfsc(red linkshare 10%)
queue ExtInAck bandwidth 10% hfsc(red realtime 100Kb)
pass quick on lo0 all
block log all
pass in quick on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state queue (sshbulkext sshinteractext)
pass in quick on $ext_if proto tcp to ($ext_if) port 80 flags S/SA keep state queue (httpExtInObsd ExtInAck)

pfctl -vvsq

queue root_xl0 bandwidth 2Mb priority 0 {default-Ext-In, sshExtInObsd, httpExtInObsd, ExtInAck}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue default-Ext-In bandwidth 400Kb hfsc( red default )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue sshExtInObsd bandwidth 200Kb hfsc( red realtime 100Kb ) {sshinteractext, sshbulkext}
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue sshinteractext bandwidth 100Kb priority 7 hfsc( red )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue sshbulkext bandwidth 100Kb hfsc( red )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue httpExtInObsd bandwidth 200Kb hfsc( red )
  [ pkts: 0 bytes: 0 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 0.0 packets/s, 0 b/s ]
queue ExtInAck bandwidth 200Kb hfsc( red realtime 100Kb )
  [ pkts: 414 bytes: 62180 dropped pkts: 0 bytes: 0 ]
  [ qlength: 0/ 50 ]
  [ measured: 5.7 packets/s, 6.97Kb/s ]
pf.conf
> On 2007/01/12 16:48, [EMAIL PROTECTED] wrote:
>> I try with this pf.conf and the ssh interactive packets still go to
>> the ExtInAck queue but the bulk ssh packets go to the right queue
>> (sshbulkext)
>
> Add the 'flags S/SA' to all your 'pass....keep state' rules and see if
> that helps, also, you don't say which direction you're trying to SSH.
> Your rules are just for SSH connections coming from outside your
> network to the IP address of $ext_if. Is that what you're testing?