On 20 Nov 2003 01:23:33 -0800, [EMAIL PROTECTED] (Robert Winder) wrote:
>All to no avail. Am I expecting too much from this priq scheduling? I
>hope it isn't something obvious.
>
If you are using P2P, I've found that CBQ works better than priq for
traffic management and ACKPRI.
Here are some snippets to give you an idea or two.
# Macro definitions
Gnutella2="6346"
P2P="6880 >< 6890, 4662, 6346"
KSF="keep state flags S/SA"
TCP="inet proto tcp"
UDP="inet proto udp"
# ------------------------------------
# CBQ goes here
#
# Limit incoming p2p clients to 192 Kbits/sec in each direction
#
altq on $Outside cbq bandwidth 230Kb qlimit 1000 queue { q_pri, \
    q_def, p2p_container }
queue q_pri priority 7 qlimit 1000
queue q_def priority 2 qlimit 1000 cbq (default)
queue p2p_container bandwidth 192Kb qlimit 1000 { q_p2p}
queue q_p2p priority 1 qlimit 1000 cbq (ecn)
altq on $Inside cbq bandwidth 100% queue {i_def, i_p2p_container }
queue i_def priority 7 cbq (default)
queue i_p2p_container bandwidth 192Kb qlimit 1000 { i_p2p}
queue i_p2p priority 1 qlimit 1000 cbq (ecn)
# P2P client rules.
#
# Allow in external P2P peers
# With "queue (a, b)", the second queue takes TCP ACKs with no payload
# and packets with TOS lowdelay; everything else goes to the first.
pass in log quick on $Outside $TCP from any to $PC port { $P2P } $KSF tag \
    p2p queue (q_p2p, q_pri) label "ALLOW: P2P -> In "
pass in log quick on $Outside $UDP from any to $PC port { $Gnutella2 } keep \
    state tag p2p queue q_p2p label "ALLOW: P2P -> In "
#
# Allow P2P to traverse firewall.
pass out quick on $Inside $TCP from !$Lan to $PC tagged p2p $KSF queue \
    i_p2p label "tagged p2p -> IN"
pass out quick on $Inside $UDP from !$Lan to $PC tagged p2p keep state \
    queue i_p2p label "tagged p2p -> IN"
# Allow outbound traffic
pass out log quick on $Outside $TCP from ($Outside) to any \
    tagged trusted $KSF queue (q_def, q_pri) label "ALLOW: Lan"
Here's what it looks like in action:
~~ # pftop -v queue
pfTop: Up Queue 1-9/9, View: queue, Cache: 10000
10:50:31
QUEUE BANDW SCH PR PKTS BYTES DROP_P DROP_B QLEN BORR SUSP P/S B/S
root_hme0 230K cbq 0 545060 128M 0 0 0 0 0 65 14K
q_pri 230K cbq 7 271295 16M 0 0 0 0 0 30 1K
q_def 230K cbq 2 188651 82M 0 0 0 0 0 20 9K
p2p_con* 192K cbq 0 0 0 0 0 0 0 0 0
q_p2p 192K cbq 85114 29M 0 0 0 0 1 14 3K
root_fxp0 100M cbq 0 670168 508M 0 0 0 0 0 92 66K
i_def 100M cbq 7 418703 329M 0 0 0 0 0 61 43K
i_p2p_c* 192K cbq 0 0 0 0 0 0 0 0 0
i_p2p 192K cbq 251465 178M 17462 12537K 292 0 50K 31 23K
Another few jars I owe Daniel and Co.
greg
--
$ReplyAddress =~ [EMAIL PROTECTED]; # Delete everything after the '@'
The Following is a true story.....
Only the names have been changed to protect the guilty.