hello Daniel, and pf ppl
I've been playing with -current (syncing almost daily) and qos, mostly trying to get the qos to play nice with tos rules, i.e. straight from the
example:
This is in a bridge environment. I have 3 interfaces on the box: 2 for the
bridge and one set up on our internal side for simple management. Here is
the diagram:
                 |----{pix}--10.0.1.0/24----|
                 |                          |
cisco 2600 ------|                          |
                 |                        {xl0}
                 |---{rl0}sexy obsd bridge{rl1}--|
                                                 |
                                                 |
                                          real worlds /28
Everything with qos seems to work like I want, except using tos in my rules
to apply to the filter. I have tried and tried to get this to work and
waited to see if anyone else reported this. What happens is: if I pull
the tos off the rule, then it matches and qos works great, but if I have
tos on the rules, everything seems to go to the bucket bin "std". I figure
I must have some logic wrong or a rule wrong, or I am trying to qos on the
wrong interface. Please help. Here are my rules:
ext_if = "rl0"
int_if = "rl1"
man_if = "xl0"
man_ip = "10.0.1.249/32"
noc_hosts = "216.201.43.115/32"
employee_hosts = "216.201.43.116/32"

set limit states 20000
set limit frags 20000

scrub in on $ext_if all fragment crop

# queue tree on the external interface
altq on $ext_if cbq bandwidth 200Kb queue { std, http, mail, ssh, ftp, icmp }
queue std bandwidth 10% cbq(default)
queue http bandwidth 50% priority 2 cbq(borrow red) { employees, noc }
queue noc bandwidth 10% cbq
queue employees bandwidth 15%
queue mail bandwidth 10% priority 0 cbq(borrow ecn)
queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
queue ssh_interactive priority 7
queue ssh_bulk priority 0
queue ftp bandwidth 10% priority 0 cbq { ftp_noc, ftp_employees }
queue ftp_noc bandwidth 80% cbq(borrow red)
queue ftp_employees bandwidth 10%
queue icmp bandwidth 10% priority 4 cbq(borrow red) { icmp_noc, icmp_employees }
queue icmp_noc bandwidth 90%
queue icmp_employees bandwidth 10%

#block return out on $ext_if inet all queue std
block in log on $ext_if all
block in log on $man_if all

pass out log on $man_if inet proto { tcp, udp, icmp } from $man_ip to any keep state
# catch-all: anything not matched by a later rule is queued to std
pass out log on $ext_if inet proto { tcp, udp, icmp } from any to any keep state queue std
pass out log on $ext_if inet proto { tcp, udp } from $noc_hosts to any port 80 flags S/SAPFU keep state queue noc
pass out log on $ext_if inet proto tcp from $employee_hosts to any port 80 flags S/SAPFU keep state queue employees
pass out log on $ext_if inet proto tcp from $noc_hosts to any port 21 flags S/SAPFU keep state queue ftp_noc
# queue name corrected to match the queue defined above (was ftp_employee)
pass out log on $ext_if inet proto tcp from $employee_hosts to any port 21 flags S/SAPFU keep state queue ftp_employees
pass out on $ext_if inet proto icmp from $noc_hosts to any icmp-type 8 code 0 keep state queue icmp_noc
pass out on $ext_if inet proto icmp from $employee_hosts to any icmp-type 8 code 0 keep state queue icmp_employees
#priority for interactive sessions
pass out log-all quick on $ext_if inet proto tcp from $noc_hosts to any port 22 flags S/SAPFU tos 0x10 keep state queue ssh_interactive
#less priority for scp/sftp/...
pass out log-all quick on $ext_if inet proto tcp from $noc_hosts to any port 22 flags S/SAPFU tos 0x08 keep state queue ssh_bulk
pass out on $ext_if inet proto tcp from any to any port 25 keep state queue mail
pass in on $man_if inet proto tcp from any to any port 22 keep state
----------------------------------------------------------------------------------
venom# pfctl -s rules
scrub in on rl0 all fragment crop
block drop in log on rl0 all
block drop in log on xl0 all
pass out log on xl0 inet proto tcp from 10.0.1.249 to any keep state
pass out log on xl0 inet proto udp from 10.0.1.249 to any keep state
pass out log on xl0 inet proto icmp from 10.0.1.249 to any keep state
pass out log on rl0 inet proto tcp all keep state queue std
pass out log on rl0 inet proto udp all keep state queue std
pass out log on rl0 inet proto icmp all keep state queue std
pass out log on rl0 inet proto tcp from 216.201.43.115 to any port = www
flags S/FSPAU keep state queue noc
pass out log on rl0 inet proto udp from 216.201.43.115 to any port = www
keep state queue noc
pass out log on rl0 inet proto tcp from 192.168.1.203 to any port = www
flags S/FSPAU keep state queue employees
pass out log on rl0 inet proto tcp from 216.201.43.115 to any port = ftp
flags S/FSPAU keep state queue ftp_noc
pass out log on rl0 inet proto tcp from 192.168.1.203 to any port = ftp
flags S/FSPAU keep state queue ftp_employee
pass out on rl0 inet proto icmp from 216.201.43.115 to any icmp-type
echoreq code 0 keep state queue icmp_noc
pass out on rl0 inet proto icmp from 192.168.1.203 to any icmp-type
echoreq code 0 keep state queue icmp_employees
pass out log-all quick on rl0 inet proto tcp from 216.201.43.115 to any
port = ssh flags S/FSPAU tos 0x10 keep state queue ssh_interactive
pass out log-all quick on rl0 inet proto tcp from 216.201.43.115 to any
port = ssh flags S/FSPAU tos 0x08 keep state queue ssh_bulk
pass out on rl0 inet proto tcp from any to any port = smtp keep state
queue mail
pass in on xl0 inet proto tcp from any to any port = ssh keep state
-------------------------------------------------------------------------
I create an ssh session to a work box from .115:
Dec 12 16:52:54.499295 rule 7/0(match): pass out on rl0: 216.201.43.115.32771 >
209.143.0.10.53: [udp sum ok] 58999+ AAAA? midus.bright.net. (34) (DF) (ttl 64, id
44571)
Dec 12 16:52:54.523633 rule 6/0(match): pass out on rl0: 216.201.43.115.32786 >
216.255.50.23.22: S [tcp sum ok] 561425143:561425143(0) win 5840 <mss
1460,sackOK,timestamp 138161 0,nop,wscale 0> (DF) (ttl 64, id 18097)
As you can see, it creates state on rule 6 because no tos happens till
after session establishment. My question: how do I get pf rules to work with
qos and tos? Should I apply the rule to the int_if? If I pull the tos
off the rules it works fine, but then I can't say scp traffic gets x% and
ssh interactive gets y%. Please help, as I am sure I am doing something
wrong.
venom# pfctl -vsr
scrub in on rl0 all fragment crop
[ Evaluations: 77 Packets: 0 Bytes: 0 States: 0
]
block drop in log on rl0 all
[ Evaluations: 77 Packets: 4 Bytes: 256 States: 0
]
block drop in log on xl0 all
[ Evaluations: 75 Packets: 0 Bytes: 0 States: 0
]
pass out log on xl0 inet proto tcp from 10.0.1.249 to any keep state
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0
]
pass out log on xl0 inet proto udp from 10.0.1.249 to any keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
pass out log on xl0 inet proto icmp from 10.0.1.249 to any keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
pass out log on rl0 inet proto tcp all keep state queue std
[ Evaluations: 77 Packets: 39 Bytes: 5023 States: 1
]
pass out log on rl0 inet proto udp all keep state queue std
[ Evaluations: 2 Packets: 6 Bytes: 625 States: 1
]
pass out log on rl0 inet proto icmp all keep state queue std
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0
]
pass out log on rl0 inet proto tcp from 216.201.43.115 to any port = www
flags S/FSPAU keep state queue noc
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0
]
pass out log on rl0 inet proto udp from 216.201.43.115 to any port = www
keep state queue noc
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0
]
pass out log on rl0 inet proto tcp from 192.168.1.203 to any port = www
flags S/FSPAU keep state queue employees
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
pass out log on rl0 inet proto tcp from 216.201.43.115 to any port = ftp
flags S/FSPAU keep state queue ftp_noc
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0
]
pass out log on rl0 inet proto tcp from 192.168.1.203 to any port = ftp
flags S/FSPAU keep state queue ftp_employee
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
pass out on rl0 inet proto icmp from 216.201.43.115 to any icmp-type
echoreq code 0 keep state queue icmp_noc
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0
]
pass out on rl0 inet proto icmp from 192.168.1.203 to any icmp-type
echoreq code 0 keep state queue icmp_employees
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0
]
pass out log-all quick on rl0 inet proto tcp from 216.201.43.115 to any
port = ssh flags S/FSPAU tos 0x10 keep state queue ssh_interactive
[ Evaluations: 2 Packets: 0 Bytes: 0 States: 0
]
pass out log-all quick on rl0 inet proto tcp from 216.201.43.115 to any
port = ssh flags S/FSPAU tos 0x08 keep state queue ssh_bulk
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0
]
pass out on rl0 inet proto tcp from any to any port = smtp keep state
queue mail
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0
]
pass in on xl0 inet proto tcp from any to any port = ssh keep state
[ Evaluations: 76 Packets: 0 Bytes: 0 States: 0
]
Thanks pf crew!!
Jason houx
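The post's tcpdump shows the SSH SYN leaving with no TOS set, so only the catch-all "queue std" rule matches it, and the state that rule creates carries the std queue for the rest of the connection. The model below is an added example written for this page (it is not pf's code and not the poster's) that reduces pf's rule evaluation to the fields that matter here: last matching rule wins unless a matching rule is "quick", the queue is fixed by the rule that creates the state, and later packets of the same flow are matched against the state rather than the rules. The three rules, the addresses and the packet fields are taken from the post's ruleset and tcpdump; the flow key, the data segment and the simplification to one direction and one interface are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One 'pass out ... keep state' rule, reduced to the fields used here."""
    proto: str
    queue: str
    src: str = "any"
    dport: Optional[int] = None
    flags: Optional[str] = None   # pf syntax "set/mask", e.g. "S/SAPFU"
    tos: Optional[int] = None
    quick: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tos: int = 0
    tcp_flags: str = ""           # letters of the flags that are set, e.g. "S", "PA"


def flags_match(spec: str, flags: str) -> bool:
    """pf 'flags set/mask': every flag named in mask must be set iff it is in set."""
    want, mask = spec.split("/")
    return all((f in want) == (f in flags) for f in mask)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags is not None and not flags_match(rule.flags, pkt.tcp_flags):
        return False
    if rule.tos is not None and rule.tos != pkt.tos:
        return False
    return True


def pick_rule(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """pf evaluation order: the last matching rule wins, unless a matching
    rule is marked 'quick', which ends the search at that rule."""
    chosen = None
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            chosen = i
            if rule.quick:
                break
    return chosen


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # flow key -> queue; assumed 5-tuple key, queue fixed at state creation
        self.states: Dict[tuple, str] = {}

    def handle(self, pkt: Packet) -> Tuple[str, bool]:
        """Return (queue used for this packet, True if it created a new state)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            # Established flow: the state is matched and the rules are not
            # re-read, so a TOS change mid-connection cannot move the queue.
            return self.states[key], False
        idx = pick_rule(self.rules, pkt)
        if idx is None:
            raise ValueError("no matching pass rule (default block)")
        queue = self.rules[idx].queue
        self.states[key] = queue
        return queue, True


NOC = "216.201.43.115"

# The three rules from the post that can match the SSH flow, in ruleset order:
# the catch-all std rule comes first, the two tos-specific quick rules later.
RULES = [
    Rule("tcp", "std"),
    Rule("tcp", "ssh_interactive", src=NOC, dport=22, flags="S/SAPFU", tos=0x10, quick=True),
    Rule("tcp", "ssh_bulk", src=NOC, dport=22, flags="S/SAPFU", tos=0x08, quick=True),
]


def simulate_ssh(syn_tos: int) -> List[Tuple[str, bool]]:
    """Handshake SYN carrying syn_tos, then a data segment (constructed) that
    carries the interactive TOS value 0x10 set after the session is up."""
    fw = Firewall(RULES)
    syn = Packet("tcp", NOC, 32786, "216.255.50.23", 22, tos=syn_tos, tcp_flags="S")
    data = Packet("tcp", NOC, 32786, "216.255.50.23", 22, tos=0x10, tcp_flags="PA")
    return [fw.handle(syn), fw.handle(data)]


if __name__ == "__main__":
    print("SYN with tos 0x00 (as in the tcpdump):", simulate_ssh(0x00))
    print("SYN with tos 0x10 (hypothetical):      ", simulate_ssh(0x10))
```

With the SYN at tos 0x00 the flow is created on the std rule and the later 0x10 segment stays in std; only a SYN that already carries 0x10 or 0x08 would land in ssh_interactive or ssh_bulk. Rule selection in this model happens once per flow, at the packet that creates the state, which is exactly the behaviour the post's pfctl counters show.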