On Wed, Nov 04, 2009 at 01:43:08AM +0200, Alexander Shikoff wrote:
> On Tue, Nov 03, 2009 at 10:44:08PM +0000, Stuart Henderson wrote:
> > On 2009-11-03, Alexander Shikoff <minot...@crete.org.ua> wrote:
> > > Because I need queuing for outgoing traffic on vlan* interfaces.
> > > When keep state is used then queues for outgoing traffic do not work.
> >
> > this (and variations) keep coming up (and has been answered 3 or 4
> > times in various mailing lists), but it's incorrect.
> >
> > you can do this with stateful rules, you just need to do the queue
> > assignments in the right place/s to make sure that traffic gets
> > queued correctly.
> >
> > - when you keep state, the state entry has a queue name associated
> >   with it. any packets matching that state will be assigned to
> >   the queue/s with that name on _any_ interface in the system.
> >
> > - you can assign traffic on an interface other than the one holding
> >   the queue. assuming you want to queue the downstream traffic you have
> >   received on bge0 and want to forward to 1.2.3.4 on vlan1:
> >
> >   +--- --- -- -
> >   | altq on vlan1 [...] queue { onetwothreefour [...] }
> >   | queue onetwothreefour...
> >   |
> >   | ## incoming connections to 1.2.3.4 get queued:
> >   | pass in on bge0 to 1.2.3.4 queue { onetwothreefour }
> >   |
> >   | ## outbound connections from 1.2.3.4 create state with a queue,
> >   | ## so _return traffic matching that state_ is queued:
> >   | pass in on vlan1 from 1.2.3.4 queue { onetwothreefour }
> >   +--- --- -- -
> >
> > - if you're queuing both upstream and downstream, note that
> >   queues on different interfaces can have the same name:
> >
> >   +--- --- -- -
> >   | altq on vlan1 [...] queue { onetwothreefour [...] }
> >   | altq on bge0 [...] queue { onetwothreefour [...] }
> >   | queue onetwothreefour...
> >   | pass in on vlan1 from 1.2.3.4 queue { onetwothreefour }
> >   | pass in on bge0 to 1.2.3.4 queue { onetwothreefour }
> >   +--- --- -- -
>
> Thank you Stuart!
> I came to OpenBSD from FreeBSD, which has no support
> for altq on vlan interfaces, and it was great news for me to know that
> OpenBSD does.
>
> I'm wondering how to apply your solution to a configuration
> with NAT enabled? Let's assume that vlan1 is the LAN interface,
> and on bge0 there is NAT enabled. A user in the LAN initiates a connection.
> Rule
> - pass in on vlan1 from 10.0.0.10 queue { onetwothreefour }
> creates a state and assigns outgoing packets to the queue 'onetwothreefour'.
> Traffic flowing back to this user will also be assigned to the same queue.
> It looks excellent as long as you do not need different queues for incoming
> and outgoing traffic (remembering that we have NAT and all connections
> are initiated from the LAN).
>
> - pass in on vlan1 from 10.0.0.10 queue { from_onetwothreefour }
> - pass out on vlan1 to 10.0.0.10 queue { to_onetwothreefour }
> the second rule will not work, because the first one created state.
> Am I right?
> Thanks in advance!

Stuart, at last I've understood pf's behaviour :)
I've solved my task. Thank you and the whole community very much
for the help!

Truly yours,
--
Alexander
--
MINO-RIPE