Hi,

I'm trying to set up a simple packet queueing policy on OpenBSD 4.4.
These are the PF rules I set up:

~# grep -v \# /etc/pf.conf | grep -v ^$
altq on em1 cbq bandwidth 100Mb queue { ftp,other }
        queue ftp on em1 bandwidth 1Mb priority 0 cbq(ecn)
        queue other on em1 bandwidth 99Mb priority 1 cbq(ecn,default)
nat on em0 from 192.168.110.2 -> 192.168.100.233
pass in quick on em0 from 86.55.8.30 flags any queue ftp
pass all



IP allocation on interfaces:

~# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:20:9e:94
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.100.233 netmask 0xffffff00 broadcast 192.168.100.255
        inet6 fe80::215:17ff:fe20:9e94%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:20:9e:95
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.110.1 netmask 0xffffff00 broadcast 192.168.110.255
        inet6 fe80::215:17ff:fe20:9e95%em1 prefixlen 64 scopeid 0x2


The issue that I have is that traffic from 86.55.8.30 doesn't get
matched by the "pass in quick on em0 from 86.55.8.30 flags any queue
ftp" rule and nothing gets queued.

This is a snip of "tcpdump -vv -n -i em0 host 86.55.8.30" after I
loaded the PF rules and started FTP traffic:

19:39:53.074118 86.55.8.30.59355 > 192.168.100.233.51640: . 8429709:8431169(1460) ack 1 win 5840 (DF) (ttl 57, id 34206, len 1500)
19:39:53.074242 86.55.8.30.59355 > 192.168.100.233.51640: . 8431169:8432629(1460) ack 1 win 5840 (DF) (ttl 57, id 34207, len 1500)
19:39:53.074341 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 1 {8420949:8422409} > (DF) (ttl 127, id 14110, len 52)
19:39:53.074367 86.55.8.30.59355 > 192.168.100.233.51640: P 8432629:8434089(1460) ack 1 win 5840 (DF) (ttl 57, id 34208, len 1500)
19:39:53.074491 86.55.8.30.59355 > 192.168.100.233.51640: . 8434089:8435549(1460) ack 1 win 5840 (DF) (ttl 57, id 34209, len 1500)
19:39:53.074594 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8429709} {8420949:8422409} > (DF) (ttl 127, id 14120, len 60)
19:39:53.074595 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8431169} {8420949:8422409} > (DF) (ttl 127, id 14121, len 60)
19:39:53.074596 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8432629} {8420949:8422409} > (DF) (ttl 127, id 14122, len 60)
19:39:53.074615 86.55.8.30.59355 > 192.168.100.233.51640: . 8435549:8437009(1460) ack 1 win 5840 (DF) (ttl 57, id 34210, len 1500)
19:39:53.074739 86.55.8.30.59355 > 192.168.100.233.51640: P 8437009:8438469(1460) ack 1 win 5840 (DF) (ttl 57, id 34211, len 1500)
19:39:53.074838 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8434089} {8420949:8422409} > (DF) (ttl 127, id 14140, len 60)
19:39:53.074864 86.55.8.30.59355 > 192.168.100.233.51640: . 8416569:8418029(1460) ack 1 win 5840 (DF) (ttl 57, id 34212, len 1500)
19:39:53.074964 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8435549} {8420949:8422409} > (DF) (ttl 127, id 14141, len 60)
19:39:53.074965 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8437009} {8420949:8422409} > (DF) (ttl 127, id 14142, len 60)
19:39:53.075211 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8416569 win 65535 <nop,nop,sack 2 {8428249:8438469} {8420949:8422409} > (DF) (ttl 127, id 14145, len 60)
19:39:53.075983 86.55.8.30.59355 > 192.168.100.233.51640: . 8418029:8419489(1460) ack 1 win 5840 (DF) (ttl 57, id 34213, len 1500)
19:39:53.076232 86.55.8.30.59355 > 192.168.100.233.51640: . 8419489:8420949(1460) ack 1 win 5840 (DF) (ttl 57, id 34214, len 1500)
19:39:53.076578 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8422409 win 65535 <nop,nop,sack 1 {8428249:8438469} > (DF) (ttl 127, id 14146, len 52)
19:39:53.077847 86.55.8.30.59355 > 192.168.100.233.51640: . 8439929:8441389(1460) ack 1 win 5840 (DF) (ttl 57, id 34220, len 1500)
19:39:53.078443 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8422409 win 65535 <nop,nop,sack 2 {8439929:8441389} {8428249:8438469} > (DF) (ttl 127, id 14156, len 60)
19:39:53.079712 86.55.8.30.59355 > 192.168.100.233.51640: . 8441389:8442849(1460) ack 1 win 5840 (DF) (ttl 57, id 34221, len 1500)
19:39:53.080307 192.168.100.233.51640 > 86.55.8.30.59355: . [tcp sum ok] 1:1(0) ack 8422409 win 65535 <nop,nop,sack 2 {8439929:8442849} {8428249:8438469} > (DF) (ttl 127, id 14157, len 60)



But Packet Filter matched 0 packets:

# pfctl -sr -vv
@0 pass in quick on em0 inet from 86.55.8.30 to any flags any keep state queue ftp
  [ Evaluations: 102       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 11988 State Creations: 0     ]
@1 pass all flags S/SA keep state
  [ Evaluations: 102       Packets: 16039     Bytes: 17676542    States: 76    ]
  [ Inserted: uid 0 pid 11988 State Creations: 94    ]



Can anyone tell me why the traffic doesn't hit the first rule?



Thanks in advance.
