On Aug 27, 2006, at 10:04 AM, Federico Giannici wrote:
Jason Dixon wrote:
On Aug 27, 2006, at 7:55 AM, Federico Giannici wrote:
I'm setting up a firewall with queues and I'd like to know how
much traffic of a given "class" was ACTUALLY sent out of an
interface (i.e. not dropped by a queue). I mark the classes by
means of labels.
I have a couple of questions:
1) Let's assume that every queue contains the traffic of only a
single class. What is the amount of traffic sent OUT of the
queue? In the statistics shown by "pfctl -vs queue" there are
two values: one is the amount of dropped traffic, and the other?
The amount of passed traffic.
Is it the traffic sent OUT, or is it the traffic sent INTO the queue
(so I have to subtract the amount of the dropped one)?
Huh?
I mean, if it was the total amount of traffic that ENTERED the
queue, then the traffic that PASSED the queue shaping would have
been the difference of the two values (total traffic - dropped
traffic).
But you are saying that it is not the case...
You must be coming from Linux. You're confusing the hell out of me.
If a packet matches a rule (or state already matching a rule), then
the packet is applied to the queue. When it says "dropped" it's not
the same as being dropped in the case of a filter rule. The packet
is being dropped in order to allow packets of higher preference to
pass. The client should attempt to retransmit, at which point the
new packet may be queued and/or dropped [again] according to the
queueing rules.
If what I'm saying doesn't apply, then it's because I don't
understand your question.
2) If the queues contain the traffic of more than a class, is
there a way to know the amount of traffic that actually was sent
out (not dropped by a queue) for every single class?
The statistics shown by "pfctl -vs labels" count the traffic that
ENTERED the queue, even for "pass OUT" rules?
If a packet matches a rule (or an existing state that matches a
rule) that uses the queue keyword, that packet gets assigned to
the queue. Any passed packets (or dropped packets) that are
assigned to a queue count towards the "passed pkts/bytes" and
"dropped pkts/bytes" statistics shown by "pfctl -vsq".
Perhaps I don't understand your question. The answer seems simple
enough.
Let's change the question: is this the correct order of the steps
an IP packet follows?
1) filtering rules for the IN direction of the input interface
2) routing
3) filtering rules for the OUT direction of the output interface
4) queuing in the output interface
Is it right?
So I cannot know the amount of traffic, with a given label, that
actually passed the queue (i.e. was not dropped).
If steps 3 and 4 were inverted, that counting would be possible...
Here are the orders that matter, according to pf.conf(5):
Macros
Tables
Options
Traffic Normalization
Queueing
Translation
Packet Filtering
Routing falls outside the scope of this discussion and is ruled
according to the route tables, or otherwise overridden by routing
options in the filter rules (fastroute, route-to, reply-to, dup-to).
As far as being able to know whether a packet marked by a specific
label "passed" or "dropped", it's irrelevant. The packet should be
retransmitted by the client, at which point it will either be queued,
dropped (again), or passed and counted towards the queue and label
statistics.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
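As an added example that is not part of this thread, here is a small Python parser for the "pfctl -vs queue" counters discussed above. The sample dump is constructed, and the column layout is assumed from the ALTQ-era output (adjust the regexes for your pfctl version); it treats "pkts/bytes" as traffic that passed the queue and adds the dropped counters back to recover what was offered to each queue, as the reply above reads the statistics.

```python
import re

# Constructed sample of "pfctl -vs queue" output (ALTQ/CBQ layout as assumed
# here; not captured from a real host). "pkts/bytes" is the traffic that
# passed the queue, "dropped pkts/bytes" is what the queue discarded.
SAMPLE = """\
queue root_em0 on em0 bandwidth 10Mb priority 0 cbq( wrr root ) {std, ssh}
  [ pkts:      12000  bytes:   9000000  dropped pkts:    300 bytes:  225000 ]
  [ qlength:   5/ 50  borrows:      0  suspends:      0 ]
queue  std on em0 bandwidth 8Mb cbq( default )
  [ pkts:      10000  bytes:   8000000  dropped pkts:    280 bytes:  210000 ]
  [ qlength:   5/ 50  borrows:      0  suspends:      0 ]
queue  ssh on em0 bandwidth 2Mb priority 7 cbq
  [ pkts:       2000  bytes:   1000000  dropped pkts:     20 bytes:   15000 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
"""

QUEUE_RE = re.compile(r"^\s*queue\s+(\S+)\s+on\s+(\S+)")
STATS_RE = re.compile(
    r"pkts:\s*(\d+)\s+bytes:\s*(\d+)\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)")


def parse_queue_stats(text):
    """Map queue name -> counters taken from one 'pfctl -vs queue' dump."""
    stats, current = {}, None
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {"iface": m.group(2)}
            continue
        m = STATS_RE.search(line)
        if m and current:
            passed_p, passed_b, drop_p, drop_b = map(int, m.groups())
            stats[current].update(
                passed_pkts=passed_p, passed_bytes=passed_b,
                dropped_pkts=drop_p, dropped_bytes=drop_b,
                # traffic offered to the queue = passed + dropped
                offered_pkts=passed_p + drop_p, offered_bytes=passed_b + drop_b)
    return stats


def drop_ratio(stats, name):
    """Fraction of packets offered to queue `name` that the queue discarded."""
    q = stats[name]
    return q["dropped_pkts"] / q["offered_pkts"] if q["offered_pkts"] else 0.0


def queues_over_threshold(stats, threshold):
    """Names of queues whose packet drop ratio exceeds `threshold` (0..1)."""
    return sorted(n for n in stats if drop_ratio(stats, n) > threshold)


if __name__ == "__main__":
    s = parse_queue_stats(SAMPLE)
    for name in s:
        print(f"{name:10s} passed={s[name]['passed_pkts']:6d} "
              f"dropped={s[name]['dropped_pkts']:4d} ratio={drop_ratio(s, name):.3%}")
```

Run it against `pfctl -vs queue` output captured twice and diff the offered counters to see how much traffic a queue received over an interval, and which queues are shedding load.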