Good time of day,

  When ALTQ was merged with PF, it became more flexible.

  But now, packets can be assigned to a specific queue only in a filter rule.

That's good when the filter and queue layouts are the same.
But if they aren't, we have some issues:
  >> superfluous filter rules (added for queuing only)
  >> necessity of queue modifier in _each_ rule that controls
    non-default queue packets

  I suggest creating a new type of rule - queuing filters. The same as
(packet) filter rules, except for one thing - no "pass" or "block"
action.
  Let them define the default queue assignment, applied to
(packet) filter rules w/o a "queue" modifier and implicit rules.

   Example pf.conf (for illustration only)

# Queueing: rule-based bandwidth control.
altq on if0 bandwidth 2Mb cbq queue { dflt, developers, marketing }
queue dflt bandwidth 5% cbq(default)
queue developers bandwidth 80%
queue marketing  bandwidth 15%

# Queueing filters: defines default queue assignment
# **** developers subnet
assign   out on if0 from 10.0.1.0/24 to any   queue developers
# **** un-assign person from developers (re-assign to default)
assign   out on if0 from 10.0.1.125  to any
# **** marketing subnet
assign   out on if0 from 10.0.2.0/24 to any   queue marketing
# **** developer on marketing subnet
assign   out on if0 from 10.0.2.35   to any   queue developers
# **** ssh traffic
assign   in  on if0 proto tcp from any to any port 22 keep state queue developers

# Filtering:

# **** Repository access
block in on if0 from any to $hRepository
# **** pass developers (assigned to developers queue)
pass  in on if0 from 10.0.1.0/24 to $hRepository
block in on if0 from 10.0.1.125  to $hRepository
pass  in on if0 from 10.0.2.35   to $hRepository

# **** exclusion: pass _marketing_ person to repository with
# **** developers bandwidth
# **** (re-assigning Repository traffic to developers queue)
pass  in on if0 from 10.0.2.34 to $hRepository queue developers

    Something like that ...

    This lets PF be more flexible & powerful.



Ilya A. Kovalenko          (mailto:[EMAIL PROTECTED])
S.A.
JSC Oganer-Service
Special Equipment Software Section
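
The lookup order this proposal implies, as an added example that is not part of the original message and not PF code. It assumes "assign" rules are evaluated last-match like PF filter rules, covers only the source-address rules from the sample pf.conf, and ignores direction, interface, ports and state; the function names are hypothetical.

```python
import ipaddress

DEFAULT_QUEUE = "dflt"  # the queue marked cbq(default) in the sample pf.conf

# (source, queue) taken from the message's "assign" lines.
# None means "un-assign": fall back to the default queue.
ASSIGN_RULES = [
    ("10.0.1.0/24", "developers"),
    ("10.0.1.125/32", None),
    ("10.0.2.0/24", "marketing"),
    ("10.0.2.35/32", "developers"),
]

# (action, source, explicit queue or None) taken from the message's filter
# lines; every one of them has $hRepository as its destination.
FILTER_RULES = [
    ("block", "0.0.0.0/0", None),
    ("pass", "10.0.1.0/24", None),
    ("block", "10.0.1.125/32", None),
    ("pass", "10.0.2.35/32", None),
    ("pass", "10.0.2.34/32", "developers"),
]

def _matches(src, net):
    return ipaddress.ip_address(src) in ipaddress.ip_network(net)

def default_queue(src):
    """Queue chosen by the assign rules; the last matching rule wins (assumed)."""
    queue = DEFAULT_QUEUE
    for net, q in ASSIGN_RULES:
        if _matches(src, net):
            queue = q or DEFAULT_QUEUE
    return queue

def evaluate(src):
    """Return (action, queue) for a packet from src to the repository host."""
    action, explicit = "pass", None  # PF passes when no filter rule matches
    for act, net, q in FILTER_RULES:
        if _matches(src, net):
            action, explicit = act, q
    if action == "block":
        return action, None
    # A "queue" modifier on the winning filter rule overrides the assigned default.
    return action, explicit or default_queue(src)
```

Walking the ruleset this way shows the property a reviewer would check: queue selection never changes a pass/block decision, and only the filter rule for 10.0.2.34 needs its own "queue" modifier.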
