On Wed, Mar 02, 2016 at 10:46:08PM +1000, David Gwynne wrote:
> > On 2 Mar 2016, at 1:51 AM, Christopher Sean Hilton <[email protected]> 
> > wrote:
> > 
> > I would like to apply queueing to packets traversing a gif tunnel. I'd
> > like to know what works better: tagging outbound packets on the gif
> > interface and applying them to queues by tag when they leave on the
> > external interface? Or assigning packets to the queues directly when
> > they are on the gif interface?
> > 
> > If I understand things correctly queues work on interfaces. That leads
> > me to think that tagging for later queueing is the better approach.
> 
> in this instance it shouldn't matter. however, if you have multiple
> outgoing interfaces the gif traffic can leave on, it's better to
> apply the policy on the gif interface.

I think I can re-phrase the question in a better way: I'm using gif0
to tunnel IPv6 over IPv4 from my local network via Hurricane Electric
to the internet. Since gif0 is a tunnelling interface all my outbound
traffic will ultimately traverse my external interface, ext_if, which
has a set of queues. I want my IPv6 traffic to be subject to queues on
ext_if.

My understanding is that queues are interface specific so I suspect
that doing this:

queue ob_root on $ext_if bandwidth 1000M qlimit 304
  queue ob_ext parent ob_root bandwidth 40M qlimit 48
    queue ob_ext_priority parent ob_ext ...
    queue ob_ext_ssh parent ob_ext ...
    queue ob_ext_default parent ob_ext ... default
    queue ob_ext_low parent ob_ext ...
  queue ob_local parent ob_root bandwidth 960M qlimit 256

...

## Example (1): Will this work?

pass out on gif0 proto tcp to any port 22 \
    flags S/SA keep state \
    queue (ob_ext_ssh, ob_ext_priority) prio (4, 5)

## Example (2): I expect this to work because tags are designed to be sticky

match out on gif0 proto { udp, tcp } to any port 53 \
    flags S/SA keep state \
    tag OB_EXT_PRIORITY

...

match out on $ext_if tagged OB_EXT_PRIORITY \
    queue ob_ext_priority prio 5

I don't know what will happen with example (1). But I expect that
example (2) will work because tags are designed to be sticky.

This thread implies that at one time queues were not sticky:

    http://misc.openbsd.narkive.com/BXucT1to/pf-queue-filter-directive-sticky

The pf man page and later threads imply that queues have become sticky
but the man page only refers to the match keyword.

Is it the match keyword that makes queues sticky, or did the change in
pf, way back when, change them from non-sticky to sticky?

-- 
Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]
