pf and hfsc

Nenhum_de_Nos Sat, 16 May 2009 16:11:10 -0700

hail,

I use OpenBSD 4.5 as a firewall at home. my main issue is limit p2p and
fah client upload. this is been well done. but I always why not always the
rules did what I thought they should do (I know I may write wrong rules).


here are the altq rules:

# pfctl -sq
queue root_tun0 on tun0 bandwidth 300Kb priority 0 {out_ack, out_dns,
out_ssh, out_jogos, out_web, out_smtp, out_bolo, out_p2pFah}
queue  out_ack on tun0 bandwidth 30Kb priority 8 hfsc( realtime 60Kb )
queue  out_dns on tun0 bandwidth 15Kb priority 7 hfsc( realtime 15Kb )
queue  out_ssh on tun0 bandwidth 30Kb priority 6 hfsc( realtime 30Kb )
queue  out_jogos on tun0 bandwidth 45Kb priority 5 hfsc( realtime 45Kb )
queue  out_web on tun0 bandwidth 30Kb priority 4 hfsc( realtime 30Kb )
queue  out_smtp on tun0 bandwidth 15Kb priority 3 hfsc( realtime 45Kb )
queue  out_bolo on tun0 bandwidth 15Kb priority 2 hfsc( default )
queue  out_p2pFah on tun0 bandwidth 15Kb hfsc( upperlimit 160Kb )
{out_fah, out_p2p}
queue   out_fah on tun0 bandwidth 12Kb priority 7
queue   out_p2p on tun0 bandwidth 3Kb priority 2

and here is pftop:

pfTop: Up Queue 1-11/11, View: queue, Cache: 10000                     
19:50:21

QUEUE               BW SCH  PR  PKTS BYTES DROP_P DROP_B QLEN BORR SUSP
P/S  B/S
root_tun0         300K hfsc  0     0     0      0      0    0            
0    0
 out_ack         30000 hfsc  8     0     0      0      0    0
0    0
 out_dns         15000 hfsc  7     2   134      0      0    0
0    0
 out_ssh         30000 hfsc  6     0     0      0      0    0
0    0
 out_jogos       45000 hfsc  5     6   402      0      0    0
0    0
 out_web         30000 hfsc  4     0     0      0      0    0
0    0
 out_smtp        15000 hfsc  3  2525 3634K      0      0    1
11  16K
 out_bolo        15000 hfsc  2     0     0      0      0    0
0    0
 out_p2pFah      15000 hfsc        0     0      0      0    0
0    0
  out_fah        12000 hfsc  7     0     0      0      0    0
0    0
  out_p2p         3000 hfsc  2  6495 4771K     63  43271   25
26  19K

the p2pFah is always up to the limit, and working ok.

but now, smtp is sending some huge mail and I think it should get more
from upload bandwidth that it is now. but it never does it :(
I feel is like it is fighting to p2p and losing, as p2p has so much
connections and smtp has one only, or some that aren't close to p2p queue.

is this what was expected from pf+altq and I'm just worried over nothing ?

what made me think this way is the fact that I give more priority to fah
uploads (twice a day) than p2p (all day long). so when fah is uploading,
p2p goes down to 3KBps, whats defined for it.

just trying now ssh, higher priority, got me the same result:

pfTop: Up Queue 1-11/11, View: queue, Cache: 10000                     
20:00:58

QUEUE               BW SCH  PR  PKTS BYTES DROP_P DROP_B QLEN BORR SUSP
P/S  B/S
root_tun0         300K hfsc  0     0     0      0      0    0            
0    0
 out_ack         30000 hfsc  8    10   760      0      0    0
0    0
 out_dns         15000 hfsc  7    10   779      0      0    0
0    0
 out_ssh         30000 hfsc  6  1207 1652K      0      0    0
10  15K
 out_jogos       45000 hfsc  5     8   536      0      0    0
0    0
 out_web         30000 hfsc  4    22  5984      0      0    0
0    0
 out_smtp        15000 hfsc  3  4901 7043K      0      0    0
0    0
 out_bolo        15000 hfsc  2     0     0      0      0    0
0    0
 out_p2pFah      15000 hfsc        0     0      0      0    0
0    0
  out_fah        12000 hfsc  7     0     0      0      0    0
0    0
  out_p2p         3000 hfsc  2 23312   16M    608 397702   34
24  20K

so, am I doing it wrong, or is it supposed to be this way ? I once read
that PRIQ would let lower priorities starve to death (I've seen this once)
and hfsc would not. but it is way too permissive like this ?

thanks,

matheus

ps: demesg, as required :)

$ dmesg
OpenBSD 4.5-stable (GENERIC) #0: Sat May  2 23:53:46 BRT 2009
    r...@phoenix.apartnet:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Transmeta(tm) Crusoe(tm) Processor TM5700 ("GenuineTMx86" 586-class)
799 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,CX8,SEP,CMOV,SER,MMX
real mem  = 251146240 (239MB)
avail mem = 234528768 (223MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/04, BIOS32 rev. 0 @ 0xfa260,
SMBIOS rev. 2.3 @ 0xf0800 (32 entries)
bios0: vendor Phoenix Technologies, LTD version "786R1 v1.07" date 12/10/2004
bios0: Hewlett-Packard hp t5000 series
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP
acpi0: wakeup devices PCI0(S5) LAN0(S5) USB0(S4) USB1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C3, C2
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc0000/0x9000 0xcc000/0xa000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Transmeta LongRun Northbridge" rev 0x04
"Transmeta Mem1" rev 0x00 at pci0 dev 0 function 1 not configured
"Transmeta Mem2" rev 0x00 at pci0 dev 0 function 2 not configured
vendor "Transmeta", unknown product 0x0399 (class memory subclass RAM, rev
0x00) at pci0 dev 0 function 3 not configured
uhci0 at pci0 dev 9 function 0 "VIA VT83C572 USB" rev 0x61: irq 15
uhci1 at pci0 dev 9 function 1 "VIA VT83C572 USB" rev 0x61: irq 11
ehci0 at pci0 dev 9 function 2 "VIA VT6202 USB" rev 0x63: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "VIA EHCI root hub" rev 2.00/1.00 addr 1
fxp0 at pci0 dev 11 function 0 "Intel 8255x" rev 0x05, i82558: irq 11,
address 00:a0:c9:d7:2f:95
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
vga1 at pci0 dev 13 function 0 "ATI Radeon VE" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: irq 10
drm0 at radeondrm0
pcib0 at pci0 dev 17 function 0 "VIA VT8231 ISA" rev 0x10
pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA100,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: <ST68022CF>
wd0: 16-sector PIO, LBA, 7629MB, 15625008 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
viaenv0 at pci0 dev 17 function 4 "VIA VT8231 PMG" rev 0x10: failed to map
PM I/O space
vr0 at pci0 dev 18 function 0 "VIA RhineII-2" rev 0x51: irq 15, address
00:11:85:e3:2a:17
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI
0x004063, model 0x0032
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "VIA UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "VIA UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask fdfd netmask fdfd ttymask ffff
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
arp info overwritten for 10.1.1.100 by 00:1b:fc:18:33:c5 on vr0


-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text. Q:
Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style

pf and hfsc

Reply via email to