> that's interesting. I have no tun/pppoe setup to test myself - mind
> sharing pf.conf/pfctl -gvsq/other relevant setup?
OK, here is the information. If something is unclear or missing, feel free
to ask.
OS: OpenBSD 3.3 release
arch: i386
kernel: GENERIC
# pfctl -gvsq
queue q_pri priority 7
  [ pkts: 42838 bytes: 2204648 dropped pkts: 0 bytes: 0 ][ qlength: 0/ 50 ]
  [ qid=8 ifname=tun0 ifbandwidth=100Kb ]
queue q_def priq( default )
  [ pkts: 29183 bytes: 14101865 dropped pkts: 0 bytes: 0 ][ qlength: 0/ 50 ]
  [ qid=2 ifname=tun0 ifbandwidth=100Kb ]
pf.conf (comments were in German, only rudimentary rules; additional
comments are welcome):
<start pf.conf>
### VARIABLES ###
Ext = "tun0" # interface the Internet is attached to (PPPoE)
Int = "rl0" # interface the internal network is attached to
Wifi = "wi0" # interface the wireless LAN is attached to
IntNet = "192.168.17.0/24" # address range of the internal network
WifiNet = "172.17.0.0/24" # address range of the wireless LAN
RouterIP = "192.168.17.99" # IP address of the router
Loop = "lo0" # loopback interface
# Addresses that must not be routed on the external interface
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
### OPTIONS ###
# Collect statistics for the DSL link (pfctl -s info)
set loginterface $Ext
# Expire idle connections sooner: lower memory usage
set optimization aggressive
set block-policy return
# Clean up fragmented packets
scrub in on $Ext all fragment reassemble
# Queueing
altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
### NAT & FORWARD ###
# Enable NAT
nat on $Ext from $IntNet to any -> $Ext
nat on $Ext from $WifiNet to any -> $Ext
### FILTER ###
# General block rules
block out on $Ext all
block in on $Ext all
# We don't want IPv6
block in quick inet6 all
block out quick inet6 all
# The loopback interface may do anything
pass in quick on $Loop all
pass out quick on $Loop all
# Prevent IP spoofing
block in log quick on $Ext inet from $NoRoute to any
block in log on $Ext inet from any to $NoRoute
# Accept ping
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
# (Almost) everything may go out
pass out quick on $Ext all keep state queue (q_def,q_pri)
pass out quick on $Wifi all keep state queue (q_def,q_pri)
<end pf.conf>
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 33224
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	address: 00:10:4b:4d:8a:78
	media: Ethernet 10baseT (10baseT half-duplex)
	inet6 fe80::210:4bff:fe4d:8a78%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	address: 00:e0:7d:82:db:63
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 192.168.17.99 netmask 0xffffff00 broadcast 192.168.17.255
	inet6 fe80::2e0:7dff:fe82:db63%rl0 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1492
	inet 80.13.139.52 --> 217.5.98.163 netmask 0xffffffff
tun1: flags=10<POINTOPOINT> mtu 3000
enc0: flags=0<> mtu 1536
bridge0: flags=0<> mtu 1500
bridge1: flags=0<> mtu 1500
vlan0: flags=0<> mtu 1500
	address: 00:00:00:00:00:00
vlan1: flags=0<> mtu 1500
	address: 00:00:00:00:00:00
gre0: flags=9010<POINTOPOINT,LINK0,MULTICAST> mtu 1450
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif2: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
gif3: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
wi0: flags=8c43<UP,BROADCAST,RUNNING,OACTIVE,SIMPLEX,MULTICAST> mtu 1500
	address: 00:05:5d:d6:83:39
	nwid vkWiFiHome
	powersave off
	media: IEEE802.11 autoselect hostap (DS2)
	status: active
	inet 172.17.0.99 netmask 0xffffff00 broadcast 172.17.0.255
	inet6 fe80::205:5dff:fed6:8339%wi0 prefixlen 64 scopeid 0x17
I hope this helps. As said before, if you need additional information,
please ask.
And yes, I know that I might put the non-routable addresses in a table,
but this pf.conf was taken from a howto and I haven't found the time yet
to tune it. Just got things working so far.
-volker
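[Editor's note, not part of volker's post: the table-based variant he
mentions, written out as an added example. It keeps his macros, queues
and NAT, moves the NoRoute list into a pf table, adds antispoof for the
two inside interfaces, and makes the anti-spoofing rules "block drop" so
that the global "set block-policy return" does not send RSTs or ICMP
unreachables to a forged source address. It assumes the pf that ships
with OpenBSD 3.3, which has tables, antispoof and the "(if)" dynamic
address syntax. The last two table entries, 0.0.0.0/8 and
169.254.0.0/16, are my additions and are not in the post's list; the
"pass in on $Int/$Wifi" rules only make explicit what the post's
ruleset already does implicitly, since it never blocks on those
interfaces.]

```conf
# /etc/pf.conf - table-based version of the ruleset in the post (added example)

### MACROS ###
Ext     = "tun0"             # PPPoE link to the Internet
Int     = "rl0"              # wired internal network
Wifi    = "wi0"              # wireless LAN (hostap)
IntNet  = "192.168.17.0/24"
WifiNet = "172.17.0.0/24"
Loop    = "lo0"

### TABLES ###
# Addresses that must never show up on the external interface, in either
# direction. "const" prevents changing the table at runtime with
# pfctl -t noroute -T add/delete. 0.0.0.0/8 and 169.254.0.0/16 are
# additions to the list from the post.
table <noroute> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
                        192.168.0.0/16, 255.255.255.255/32, \
                        0.0.0.0/8, 169.254.0.0/16 }

### OPTIONS ###
set loginterface $Ext
set optimization aggressive
set block-policy return

### NORMALIZATION ###
scrub in on $Ext all fragment reassemble

### QUEUEING ###
altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

### TRANSLATION ###
# ($Ext) re-reads the interface address on each reconnect instead of
# freezing the address that tun0 had when the ruleset was loaded.
nat on $Ext from { $IntNet, $WifiNet } to any -> ($Ext)

### FILTER ###
block out on $Ext all
block in on $Ext all

block in quick inet6 all
block out quick inet6 all

# Loopback before antispoof: antispoof also blocks packets from the
# router's own addresses, which would otherwise hit lo0 traffic.
pass in quick on $Loop all
pass out quick on $Loop all

# Spoofing: drop silently (no RST/unreachable back to a forged source)
# and log to pflog0.
block drop in  log quick on $Ext inet from <noroute> to any
block drop in  log quick on $Ext inet from any to <noroute>
block drop out log quick on $Ext inet from any to <noroute>

# Packets with an inside source address arriving on the wrong interface.
antispoof log quick for $Int inet
antispoof log quick for $Wifi inet

# Inside networks may reach the router and the Internet.
pass in quick on $Int inet from $IntNet to any keep state
pass in quick on $Wifi inet from $WifiNet to any keep state

# Ping from outside.
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Outbound: everything, with empty ACKs and lowdelay traffic in q_pri.
pass out quick on $Ext all keep state queue (q_def, q_pri)
pass out quick on $Wifi all keep state queue (q_def, q_pri)
```

Check the syntax before loading it with "pfctl -nf /etc/pf.conf", and
confirm the table contents with "pfctl -t noroute -T show". The logged
spoofing hits appear on pflog0 and can be watched with
"tcpdump -n -e -ttt -i pflog0".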