pf ALTQ bandwidth limited to a 32bit value (4294Mb)
ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any
higher, altq will flip back to zero. This "bug" was found when trying
to test 10 gigabit and 40 gigabit bandwidth models. These tests were
done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit.
If anyone else can verify this independently and agree with the
results I would be happy to register it as a bug.
How to replicate:
A quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq
to check altq.
altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web}
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}
Now set the bandwidth to 4295Mb and notice altq has flip to zero and
add the 32.70Kb difference.
altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}
Again, we can set the bandwidth to a multiple of two(2) to 8589Mb.
The bandwidth value flips to zero once and the result is 4.29Gb.
altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web}
queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}
If we add one more megabit to 8590Mb the value flips twice and we are
left with 65.41Kb.
altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web}
queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}
Thanks.
--
Calomel @ https://calomel.org
Open Source Research and Reference
Re: pf ALTQ bandwidth limited to a 32bit value (4294Mb)
Ermal,
Thanks for the diff. When we tried it on FreeBSD 8.2-p2, ALTq would no
long start. We also looked into the source under
/usr/src/sys/contrib/altq/altq. Sadly, most of the changes we made
either broke altq completely or had no effect.
If you have any other ideas we would be happy to try them out.
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Thu, Jul 07, 2011 at 09:28:13AM -0400, Ermal Lu?i wrote:
>On Wed, Jul 6, 2011 at 5:25 PM, Calomel Org
> wrote:
>> ALTQ using hfsc is limited to a maximum parent bandwidth of 4294Mb.
>> This value is 2^32 or 4,294,967,296 bits. If you set the bandwidth any
>> higher, altq will flip back to zero. This "bug" was found when trying
>> to test 10 gigabit and 40 gigabit bandwidth models. These tests were
>> done on OpenBSD 32bit and 64bit as well as FreeBSD 32bit and 64bit.
>>
>> If anyone else can verify this independently and agree with the
>> results I would be happy to register it as a bug.
>>
>>
>> How to replicate:
>>
>> A quick test is setting the bandwidth to 4294Mb and doing a pfctl -sq
>> to check altq.
>>
>> ?altq on $ExtIf bandwidth 4294Mb hfsc queue { ack, web}
>> ?queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}
>>
>> Now set the bandwidth to 4295Mb and notice altq has flip to zero and
>> add the 32.70Kb difference.
>>
>> ?altq on $ExtIf bandwidth 4295Mb hfsc queue { ack, web }
>> ?queue root_em0 on em0 bandwidth 32.70Kb priority 0 {ack, web}
>>
>> Again, we can set the bandwidth to a multiple of two(2) to 8589Mb.
>> The bandwidth value flips to zero once and the result is 4.29Gb.
>>
>> ?altq on $ExtIf bandwidth 8589Mb hfsc queue { ack, web}
>> ?queue root_em0 on em0 bandwidth 4.29Gb priority 0 {ack, web}
>>
>> If we add one more megabit to 8590Mb the value flips twice and we are
>> left with 65.41Kb.
>>
>> ?altq on $ExtIf bandwidth 8590Mb hfsc queue { ack, web}
>> ?queue root_em0 on em0 bandwidth 65.41Kb priority 0 {ack, web}
>>
>
>It is true that there is a limit because of data type used.
>Though it cannot be fixed easily on i386 but on amd64 this should work.
>
>Index: sys/contrib/pf/net/pfvar.h
>===
>--- sys/contrib/pf/net/pfvar.h (revision 223824)
>+++ sys/contrib/pf/net/pfvar.h (working copy)
>@@ -1491,13 +1491,13 @@
>/* scheduler spec */
>u_int8_t scheduler; /* scheduler type */
>u_int16_ttbrsize; /* tokenbucket regulator size
> */
>- u_int32_tifbandwidth; /* interface bandwidth */
>+ u_int64_tifbandwidth; /* interface bandwidth */
>
>/* queue spec */
>char qname[PF_QNAME_SIZE]; /* queue name */
>char parent[PF_QNAME_SIZE]; /* parent name */
>u_int32_tparent_qid;/* parent queue id */
>- u_int32_tbandwidth; /* queue bandwidth */
>+ u_int64_tbandwidth; /* queue bandwidth */
>u_int8_t priority; /* priority */
> #ifdef __FreeBSD__
>u_int8_t local_flags; /* dynamic interface */
>
>
>>
>> Thanks.
>>
>> --
>> ? Calomel @ https://calomel.org
>> ? Open Source Research and Reference
>> ___
>> freebsd...@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
>>
>
>
>
>--
>Ermal
>___
>freebsd...@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
Re: PF Tables scoping.
James,
I can confirm. If a table is created by an anchor with the same name as
an existing table the following error is printed:
pfctl: warning: namespace collision with global table.
The anchors table is different from the main pf table.
pfctl -vvs Tables
--a-rhC BLOCKTEMP
Addresses: 12
Cleared: Wed Dec 31 19:00:00 1969
pfctl -a games -vvs Tables
--a-r-C BLOCKTEMP games
Addresses: 0
Cleared: Wed Jun 2 16:40:14 2010
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:
>On Wed, Jun 2, 2010 at 10:48 AM, James Records wrote:
>
>> Hi All,
>>
>> Having an issue with anchors and tables again, I had this same issue a
>> couple of years ago in 4.5 but never got any response, hoping someone can
>> shed some light onto what I'm missing here, or if this is even supported,
>> I'm trying to use an overload rule inside of an anchor to populate a table
>> defined outside of all anchors. I haven't seen anything that specifically
>> says this isn't supported, but if thats the case I'd like to get it
>> clarified. Here are snippets of pf.conf that don't work, and one that does,
>> and an explanation of why I can't just use the one that does work without
>> side effects.
>>
>> Thanks in advance,
>>
>> J
>>
>>
>>
>> Doesn't work:
>>
>> ##
>> Tables ###
>> ##
>> table persist
>>
>> #
>> Blocked Sites
>> #
>> anchor "Blocked_Sites" {
>> block in quick from to any
>> }
>>
>> ##
>> ### TEST_IN ###
>> ##
>> anchor "TEST_IN" {
>> pass in log quick on em0 inet proto tcp \
>> from any to \
>> port { 443 } keep state \
>> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
>> max-src-conn 20, max-src-conn-rate 2/15, overload flush)
>> }
>>
>>
>> But remove the anchor from the overload rule and it works fine:
>>
>> ###
>> Tables
>> ###
>> table persist
>>
>> #
>> Blocked Sites
>> #
>> anchor "Blocked_Sites" {
>> block in quick from to any
>> }
>>
>> ###
>> ### TEST_IN ###
>> ###
>> #anchor "TEST_IN" {
>> pass in log quick on em0 inet proto tcp \
>> from any to \
>> port { 443 } keep state \
>> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
>> max-src-conn 20, max-src-conn-rate 2/15, overload flush)
>> #}
>>
>> This would be simple enough but I want to be able to parse my logs using
>> the anchor names, this isn't possible using the 2nd method.
>>
>> The docs say this should just work from everything I can tell, I can "read"
>> from a global table from within an anchor but am failing to "write" to it
>> from within an anchor using the overload rule
>>
>
>
>
>Just an update, I've done some more digging, it seems like I'm running into
>an issue where its creating a new table inside the anchor, I'm thinking this
>is just a bug where the table gets created because it doesn't look outside
>of the anchor to see if one already exists, but I just want to get another
>pair of eyes to confirm.
>
>Thanks
>J
>
> pfctl -vvs Tables
>-pa--h-blocked_sites
> Addresses: 0
> Cleared: Wed Jun 2 06:10:20 2010
> References: [ Anchors: 3 Rules: 0 ]
> Evaluations: [ NoMatch: 162Match: 0 ]
> In/Block:[ Packets: 0 Bytes: 0 ]
> In/Pass: [ Packets: 0 Bytes: 0 ]
> In/XPass:[ Packets: 0 Bytes: 0 ]
> Out/Block: [ Packets: 0 Bytes: 0 ]
> Out/Pass:[ Packets: 0 Bytes: 0 ]
> Out/XPass: [ Packets: 0 Bytes: 0 ]
>
>$ pfctl -a "TEST_IN" -vvs Tables
>--a-r--blocked_sites TEST_IN
> Addresses: 1
> Cleared: Wed Jun 2 01:55:11 2010
> References: [ Anchors: 0 Rules: 5 ]
> Evaluations: [ NoMatch: 114Match: 69 ]
> In/Block:[ Packets: 69 Bytes: 6732 ]
> In/Pass: [ Packets: 0 Bytes: 0 ]
> In/XPass:[ Packets: 0 Bytes: 0 ]
> Out/Block: [ Packets: 0 Bytes: 0 ]
> Out/Pass:[ Packets: 0 Bytes: 0 ]
> Out/XPass: [ Packets: 0 Bytes: 0 ]
Re: pf and ftp-proxy active/passive problems
Teemu,
Are you sure the ftp server you are connecting to supports active and
passive ftp? You may want to try your test against ftp.openbsd.org.
This is a linux machine behind a pf firewall (openbsd v4.7) using
ftp-proxy. Both active (PORT) and passive listings seem to work.
$ ftp ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.
$ ftp -p ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca.
ftp> ls
227 Entering Passive Mode (129,128,5,191,214,178)
150 Opening ASCII mode data connection for '/bin/ls'.
total 8
drwxr-xr-x 2 0 0 512 May 4 2009 etc
drwxr-xr-x 3 0 0 512 Jul 21 2009 pub
226 Transfer complete.
Was this the problem?
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 02, 2010 at 07:23:24PM -0400, Teemu Rinta-aho wrote:
>Hi all,
>
>(First, sorry if you receive this e-mail multiple times,
>I changed my smtp server as the first one doesn't seem
>to get mails to this list.)
>
>my firewall (OpenBSD 4.7) is running packet filter with NAT
>and tcp-proxy to provide FTP for hosts in the network behind
>the firewall/NAT.
>
>The problem is that a host behind the firewall, connecting
>to an FTP server in the internet through the firewall, active
>mode works but passive doesn't. On firewall's external
>interface I can see packets going to the FTP server but no reply
>packets.
>
>Trying FTP directly from the firewall, passive mode works but active
>doesn't (ftp client says "425 Could not open data connection
>to port 55476: Connection refused"). In this case ftp-proxy is
>not used as the firewall should be just like any other ftp client.
>
>I have updated my pf.conf as per the 4.7 upgrade instructions
>and I have run tcpdump to network interfaces as well as pflog0,
>but so far I don't understand what might be wrong. I tried to
>see pf rules or states inserted by ftp-proxy with commands like
>'pfctl -a "ftp-proxy/*" -sr' but either it doesn't print anything
>and trying 'pfctl -a '*' -sr' I get:
>
>
>anchor "*" all {
>pfctl: DIOCGETRULES: Invalid argument
>}
>...
>
>Any help appreciated. It is not a showstopper but pretty annoying,
>as e.g. Firefox defaults to passive mode.
>
>Teemu
Re: pf and ftp-proxy active/passive problems
Teemu, We have to be careful when testing ftp. Different ftp binaries for different OS's use different default options. For example, the ftp binary on OpenBSD v4.7 uses passive ftp by default, so the the commands "ftp" and "ftp -p" are exactly the same. Some older Solaris machines use active only and ftp on Ubuntu 10.04 uses active by default. Passive should work from your firewall, but active (PORT) probably will not. Active will only work if you accept a connection from any ip from port 20 to any upper port on the firewall. Not very common. The machine behind the firewall should be able to do active and passive because the ftp-proxy, if setup correctly, will anchor the proper rules to allow both connection types. For more testing you can setup the ftp-proxy daemon to log its connections to /var/log/daemon using, "/usr/sbin/ftp-proxy -D7 -v". You may also want to add the "log" variable to your Pf rules so you can watch the logs with "tcpdump -n -e -ttt -v -i pflog0". Then make sure you are using the correct ftp arguments for your ftp binary to make a passive and active connection on your LAN machine. Check the man page on the machine behind the firewall. Once you have a reliable set of test responses you should have a better idea of where the problem is. Make sense? BTW, we have examples of Pf and ftp-proxy on our site; see signature. I checked out your pf.conf. If you have time you may want to try putting your ps3 and NHL10 rules in an anchor to clean things up. How about adding QOS so the gamers get higher network priority? :) -- Calomel @ https://calomel.org Open Source Research and Reference On Thu, Jun 03, 2010 at 02:14:53AM -0400, Teemu Rinta-aho wrote: >On Jun 3, 2010, at 3:51 AM, Calomel Org wrote: > >> Teemu, >> >> Are you sure the ftp server you are connecting to supports active and >> passive ftp? You may want to try your test against ftp.openbsd.org. > >That is a very good point. I thought so as I got both modes working >from different nodes, but I am not sure any more. I tried to >ftp.openbsd.org and the results are different indeed. > >>From a host behind my pf machine: > >host$ ftp ftp.openbsd.org >Connected to openbsd.sunsite.ualberta.ca. >ftp> ls >229 Entering Extended Passive Mode (|||60318|) >ftp: Can't connect to `129.128.5.191': Connection refused >200 EPRT command successful. >150 Opening ASCII mode data connection for '/bin/ls'. >total 8 >drwxr-xr-x 2 0 0 512 May 4 2009 etc >drwxr-xr-x 3 0 0 512 Jul 21 2009 pub >226 Transfer complete. > >host$ ftp -p ftp.openbsd.org >Connected to openbsd.sunsite.ualberta.ca. >ftp> ls >229 Entering Extended Passive Mode (|||63762|) >ftp: Can't connect to `129.128.5.191': Connection refused > >>From the pf machine: > >fw$ ftp ftp.openbsd.org >Connected to openbsd.sunsite.ualberta.ca. >ftp> ls >150 Opening ASCII mode data connection for '/bin/ls'. >total 8 >drwxr-xr-x 2 0 0 512 May 4 2009 etc >drwxr-xr-x 3 0 0 512 Jul 21 2009 pub >226 Transfer complete. > >fw$ ftp -p ftp.openbsd.org >Connected to openbsd.sunsite.ualberta.ca. >ftp> ls >150 Opening ASCII mode data connection for '/bin/ls'. >total 8 >drwxr-xr-x 2 0 0 512 May 4 2009 etc >drwxr-xr-x 3 0 0 512 Jul 21 2009 pub >226 Transfer complete. > >If that doesn't ring a bell and you still have time and >interest, my pf.conf is at http://www.rinta-aho.org/tmp/pf.conf > >Thanks! > >Teemu
Re: PF BINAT on entire /24 subnet
Paolo, You may need to use the bitmask directive. bitmask - grafts the network portion of the pool address over top of the address that is being modified (source address for nat-to rules, destination address for rdr-to rules). Example: if the address pool is 192.0.2.1/24 and the address being modified is 10.0.0.50, then the resulting address will be 192.0.2.50. If the address pool is 192.0.2.1/25 and the address being modified is 10.0.0.130, then the resulting address will be 192.0.2.2. http://www.openbsd.org/faq/pf/pools.html -- Calomel @ https://calomel.org Open Source Research and Reference On Sat, Jun 05, 2010 at 11:41:43AM -0400, Paolo Reyes Balleza wrote: >Hello all, > >I was using pf's (OBSD 4.6) binat for openvpn purposes with >192.168.0.0/24 binatted to 192.0.2.0/24 since I can't renumber the local >LAN to avoid the overlap. > >This doesn't work with current: >match on tun0 from 192.168.0.0/24 to any binat-to 192.0.2.0/24 >for the entire subnet any more. > >Everything gets routed to 192.168.0.0 no matter what "external" host >address I use. It used to be that 192.0.2.1 would map out to >192.168.0.1. > >One to one mapping does work though. > >Is this the new behaviour of pf? > >Just asking because it'd be a PITA to map each host. > >Cheers and thanks in advance.
Re: PF cluestick please - low priority queue spills over into normal queue
Aaron,
When you say, "seem to spill over into the normal queue" do you mean
the bittor queue is borrowing bandwidth from the total amount of
bandwidth available?
You may need to set a limit on the bittor queue if you want to limit
its bandwidth. The OpenBSD Faq says, CBQ queues are arranged in an
hierarchical manner. At the top of the hierarchy is the root queue
which defines the total amount of bandwidth available. Child queues
are created under the root queue, each of which can be assigned some
portion of the root queue's bandwidth. For example, queues might be
defined as follows:
Root Queue (2Mbps)
Queue A (1Mbps)
Queue B (500Kbps)
Queue C (500Kbps)
Also, you can use HFSC queueing for this as well.
Hierarchical Fair Service Curve (HFSC) of OpenBSD
https://calomel.org/pf_hfsc.html
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Tue, Jan 05, 2010 at 07:14:59PM -0500, Aaron Mason wrote:
>Hi all,
>
>I've got the following pf.conf file for limiting bittorrent
>connections and providing higher priority to a game server. While the
>latter works wonderfully, the bittorrent connections seem to spill
>over into the normal queue and it's driving me crazy.
>
>My /etc/pf.conf file is as follows:
>set skip on lo
>
># Setting some constants
>prio_port = "{ 22 53 5900 }"
>shiori = "192.168.2.241/32"
>chechemaru = "192.168.2.251/32"
>wired_if = "rl0"
>wlan_if= "ath0"
>
>hi_bw = "33Mb"
>norm_bw = "20Mb"
>lo_bw = "178415b"
>
>altq on $wired_if cbq bandwidth 54Mb queue { wired_hi, wired_norm, wired_lo }
> queue wired_hi bandwidth $hi_bw priority 2
> queue wired_norm bandwidth $norm_bw cbq(default) priority 3
> queue wired_lo bandwidth $lo_bw priority 4
>
>altq on $wlan_if cbq bandwidth 54Mb queue { wlan_hi, wlan_norm, wlan_lo }
> queue wlan_hi bandwidth $hi_bw priority 2
> queue wlan_norm bandwidth $norm_bw cbq(default) priority 3
> queue wlan_lo bandwidth $lo_bw priority 4
>
># SSH and DNS traffic as well
>pass out quick on $wired_if proto { tcp udp } to any port $prio_port \
> queue wired_hi
>pass out quick on $wired_if proto { tcp udp } from any port $prio_port \
> queue wired_hi
>pass out quick on $wlan_if proto { tcp udp } to any port $prio_port \
> queue wlan_hi
>pass out quick on $wlan_if proto { tcp udp } from any port $prio_port \
> queue wlan_hi
>
>#High priority to Shiori
>pass out quick on $wired_if to $shiori queue wired_hi
>pass out quick on $wlan_if from $shiori queue wlan_hi
>
>#Low priority and limiting to Chechemaru
>#NOTE: BT connections are bidirectional, hence the seemingly \
>#redundant rules
>pass out quick on $wired_if to $chechemaru queue wired_lo
>pass out quick on $wired_if from $chechemaru queue wired_lo
>pass out quick on $wlan_if to $chechemaru queue wlan_lo
>pass out quick on $wlan_if from $chechemaru queue wlan_lo
>
># Everything else gets normal priority
># pass out quick on $wired_if queue wired_norm
>#pass
>block in on ! lo0 proto tcp to port 6000:6010
>
>A typical output from pftop shows the contents of
>http://paste2.org/p/596043 - notice the upstream going crazy.
>Unfortunately pfTop hasn't been updated to take advantage of the
>changes to pf, so it refuses to display the rules. I'd do it myself
>if I had a better understanding of how pf worked within, but I'm not
>quite at that stage yet.
>
>A very hard cluestick is greatly appreciated, to go along with the
>concussion I am suffering from banging my head on the desk.
>
>Regards
>
>
>--
>Aaron Mason - Programmer, open source addict
>I've taken my software vows - for beta or for worse
Re: possible to configure PF to simulate latency and 1% packet loss?
Andres, You can add packet loss by using the probability argument on a pf rule. You use either a block or pass rule. probability A probability attribute can be attached to a rule, with a value set between 0 and 1, bounds not included. In that case, the rule will be honored using the given probability value only. For ex- ample, the following rule will drop 20% of incoming ICMP packets: block in proto icmp probability 20% I do not believe you can add latency timings using PF. I agree, this would be very helpful for testing. -- Calomel @ https://calomel.org Open Source Research and Reference On Fri, Jan 22, 2010 at 03:13:09PM -0500, Andres Salazar wrote: >Hello, > >Is it possible to do some rule in pf to simulate 300ms of latency? >This is for testing purposes. > >A plus would be to simulate 1% packet loss. > >Many Thanks!!
Re: AMD power reduction
You can use apm. It will only save a few watts, but it may reduce the cooling costs by reducing the heat generated by the CPU. If you have _many_ machines you can easily reduce the temperature of the server room by a few degrees C. Advanced Power Management control https://calomel.org/apm_control.html -- Calomel @ https://calomel.org Open Source Research and Reference On Fri, Feb 05, 2010 at 11:37:16AM -0500, Jean-Francois wrote: >Le vendredi 05 fivrier 2010 11:17:51, vous avez icrit : >> On 04/02/2010 23:02, Jean-Francois wrote: >> > All, >> > >> > I am looking forward to reduce the TDP for a server planned to be built. >> > As low as possible shall be best, is AMD cool'n quiet operating with >> > latest OpenBSD ? >> > >> > Regards >> >> Depending on what you where looking at, you can reduce the voltages (if >> your BIOS has this much control) and this will lower power/heat. I've >> done this on PC's with bad HSF in hot temperatures. Though, like over >> clocking, it's an art that requires testing, trying and patience to find >> the lowest/highest while still being stable >> > >Hello, > >I think of doing this too. >What I would like to understand is if I will be able to use the frequency >change 1000 / 2000 MHz dynamic load based. > >Regards
Re: online documentation for new smtpd
For official docs I think the man pages are it. They should contain everything you need to get a working smtpd.conf . We put together a page with a few working examples. Opensmptd works fine for a low volume mail server and is very stable. It has been running for a few months with no issues. OpenSMTPD "how to" (smtpd.conf) https://calomel.org/opensmtpd.html -- Calomel @ https://calomel.org Open Source Research and Reference On Tue, Jul 21, 2009 at 12:23:31PM -0400, Lars Nooden wrote: >I find the two manpages, smtpd(8) and smtpd.conf(5), in current. > >Is there an official online documentation or project page available for >the new stmpd? > >Regards >-Lars
