I know queuing only applies to outbound traffic. I'm using "ssh -w" tunnelling to the pf+gateway. I, therefore, have

    pass in on #ext_if inet proto tcp ... keep state queue (QSHH, QLOWLAT)

which, if I understand correctly, should cause the stateful reply/return (outbound) traffic to be queued on QSHH and QLOWLAT accordingly. It doesn't do so.

1. With the queue(QSHH,QLOWLAT) arguments in place, there is NO returning traffic flow. Return traffic seems to vanish. pflog0 is silent on any blocking.

2. The QSSH stats (pfctl -vvsq) counters are zero and remain at zero.

If I use the identical rule sets but omit the "queue(QSHH,QLOWLAT)" options, reply traffic flows correctly, except no queuing. The queues are working for everything else (default, voip, lowlat, etc).

The /etc/pf.conf fragment follows

--snip--
# -----v-----
pass in log quick on $ext_if inet proto tcp \
    from !<ssh_pests> to ($ext_if:0) \
    flags S/SA keep state \
    (max-src-conn-rate 3/120, overload <ssh_pests> flush global) \
    queue(QSHH,QLOWLAT) label SSHVPNGRP
#
pass in log quick on tun0 inet \
    from (tun0:peer) to any \
    tag VTUN keep state label SSHVPNGRP
#
pass out log quick on $int_if inet \
    tagged VTUN keep state label SSHVPNGRP
# -----^-----
--end-snip--

It's as if there needs to be a pass out, but ??? because "state" is handling that.

Thanks,