2009/3/11 Leonardo Rodrigues <[email protected]>:
> Hi everyone,
>
> I'm trying to build a PF / ALTQ ruleset that handles traffic between 3
> internal interfaces and 1 external, so that the internal interfaces
> can have different priorities on the available bandwidth they can get
> from the external interface. I don't know if that's possible with only
> ALTQ rules, or if I'll have to use tagging, so I'm trying to
> understand some simple setups before.
>
> While reading the example #2 on the PF user's guide
> (http://www.openbsd.org/faq/pf/queueing.html#example2), I came across
> the following ruleset:
>
>     boss = "192.168.0.200"
>     ...
>     altq on fxp0 cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
>     ...
>     queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)
>     ...
>     # filter rules for fxp0 outbound
>     pass out on fxp0 from $boss to any keep state queue boss_ext    <<<-------
>
> Where fxp0 is the external interface (internet). My question is about
> that last rule above. Assuming that NAT is working so that the "boss"
> is able to surf the web, and since NAT translations happen before the
> filtering rules, then the rule above shouldn't work... right? The fxp0
> interface would be able to filter only on already translated addresses
> (its own address), and not on untranslated addresses, like
> 192.168.200, which is the "boss" IP, on a different subnet. Would a
> rule like that work?
Well, the FAQ there also says:

> Note that only the pf.conf directives that apply directly to the above policy are present; nat, rdr, options, etc., are not shown.

Without that crucial bit of info --whether NAT is actually being done in this scenario-- it's not quite right to characterize this rule as "incorrect" (not that you'd said that either). Correct me if I'm wrong, but I'd imagine the rule would work if no NAT was being done.

I'm thus not sure if or how this part of the FAQ could be improved (but, at the peril of coming across as snarky, I'm sure Nick would welcome your diffs ;).

No offense, and kind regards, :)
--ropers
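For the NAT case Leonardo asks about, the tagging he mentions is one way to keep the per-host queue assignment working: the boss's packets are marked on the internal interface, where their source address is still 192.168.0.200, and the outbound rule on fxp0 then matches the tag rather than the (already translated) address. The fragment below is an added example for this thread, not the FAQ's ruleset; it assumes the internal LAN sits on fxp1 and is 192.168.0.0/24, reuses only the fxp0 ALTQ line and boss_ext queue from the FAQ excerpt, and simplifies the other two queues to single definitions so that cbq has its required default queue.

```pf
# Added example (not from the FAQ or the thread). Assumptions: internal
# interface fxp1, internal net 192.168.0.0/24, NAT in use on fxp0.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.0.0/24"
boss    = "192.168.0.200"

# Queue definitions: the altq line and boss_ext follow the FAQ excerpt;
# std_ext and www_ext are simplified here and std_ext is made the default.
altq on $ext_if cbq bandwidth 1.5Mb queue { std_ext, www_ext, boss_ext }
queue std_ext  bandwidth 500Kb cbq(default borrow)
queue www_ext  bandwidth 500Kb priority 2 cbq(borrow)
queue boss_ext bandwidth 500Kb priority 3 cbq(borrow)

# NAT on the external interface: by the time a packet is filtered outbound
# on fxp0 its source is fxp0's own address, so "from $boss" cannot match there.
nat on $ext_if from $int_net to any -> ($ext_if)

# Tag the boss's traffic where the source address is still untranslated,
# i.e. inbound on the internal interface. The tag is carried with the state.
pass in on $int_if from $boss    to any tag BOSS keep state
pass in on $int_if from $int_net to any keep state

# Outbound on fxp0, match the tag instead of the source address and assign
# the queue there. Everything untagged goes to the default queue.
pass out on $ext_if tagged BOSS keep state queue boss_ext
pass out on $ext_if keep state queue std_ext
```

The check that matters here is `pfctl -vvsr` after loading: the `tagged BOSS` rule's counters should increase while the boss browses, and `pfctl -vsq` should show packets landing in boss_ext rather than std_ext. If NAT is not in use at all, the FAQ's original `pass out on fxp0 from $boss ...` rule matches as written and none of this indirection is needed, which is the point ropers makes above.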

