pf shape download

[Michel Blais]

Hi,

I'm having a problem to shape download with PF. I have 2 HFSC queue
(main and second) created on my internal NIC. Main is my default
queue. If I try to match download traffic to the second queue, it still
go trought the main queue.
The IP I want to download trought the second queue for my test
unit is 10.254.200.2
$ext_if=re0
$int_if=re1

My rule to foward traffic to second queue is :
match out on $int_if from any to 10.254.200.2
I also try with pass instead of match

Look fine if I check the bob exemple in this faq :
http://www.openbsd.org/faq/pf/queueing.html#example1

pfctl -vvsq still show traffic on main queue :

queue  main on re1 bandwidth 1Mb priority 2 qlimit 100 hfsc( red default 
upperlimit 97Mb )
  [ pkts:      24701  bytes:   37333295  dropped pkts:      0 
bytes:      0 ]
  [ qlength:   0/100 ]
  [ measured:   236.4 packets/s, 2.86Mb/s ]
queue  second on re1 bandwidth 1Mb priority 0 qlimit 250 hfsc( red 
upperlimit 97Mb )
  [ pkts:          0  bytes:          0  dropped pkts:      0 
bytes:      0 ]
  [ qlength:   0/250 ]
  [ measured:     0.0 packets/s, 0 b/s ]

pftop -v rules show me that the rule don't match
12 Pass out re1     K 0 0 0 inet from any to 10.254.200.2/32    flags   
S/SA queue second

I can see my download with tcpdump :
# tcpdump -i re1 host 10.254.200.2
...
10:49:19.802505 10.254.200.2.49266 > hammurabi.acc.umu.se.www: . ack 
832200 win 64240 (DF)
10:49:19.802716 hammurabi.acc.umu.se.www > 10.254.200.2.49266: . 
832200:833660(1460) ack 1 win 6564 (DF)
10:49:19.802911 hammurabi.acc.umu.se.www > 10.254.200.2.49266: . 
833660:835120(1460) ack 1 win 6564 (DF)
10:49:19.803040 hammurabi.acc.umu.se.www > 10.254.200.2.49266: . 
835120:836580(1460) ack 1 win 6564 (DF)
10:49:19.803211 10.254.200.2.49266 > hammurabi.acc.umu.se.www: . ack 
836580 win 64240 (DF)
10:49:19.803248 hammurabi.acc.umu.se.www > 10.254.200.2.49266: . 
836580:838040(1460) ack 1 win 6564 (DF)
10:49:19.803252 hammurabi.acc.umu.se.www > 10.254.200.2.49266: . 
838040:839500(1460) ack 1 win 6564 (DF)
10:49:19.803367 hammurabi.acc.umu.se.www > 10.254.200.2.49266: . 
839500:840960(1460) ack 1 win 6564 (DF)
...

I have pass days on this with OpenBSD 4.9 and
FreeBSD 8.2 without result.

I even tryed every 8 possible rules at the same time and
pfctl was still showing traffic trought the main queue on :

match in on re0 from any to 10.254.200.2 queue second
match in on re1 from any to 10.254.200.2 queue second
match out on re0 from any to 10.254.200.2 queue second
match out on re0 from any to 10.254.200.2 queue second
match in on re0 from 10.254.200.2 to any queue second
match in on re1 from 10.254.200.2 to any queue second
match out on re0 from 10.254.200.2 to any queue second
match out on re0 from 10.254.200.2 to any queue second

in this case, pftop was showing that it
match out on re0 from 10.254.200.2 to any
match on re1 from 10.254.200.2 to any
it look like only upload rule match

Can somebody help me on this ?

Thanks

Michel

P.S : I have a VoIP queue that I will add after that will need the
realtime option, that why I'm using HFSC.