altq within anchor
Tom Judge
tom at tomjudge.com
Thu Oct 4 13:32:42 PDT 2007
Umar wrote:
> Dear members!
>
> I want to include an altq anchor within my pf.conf, but I get an error.
>
> here is the altqrule file /home/anchor-altq
>
> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
> queue default bandwidth 90Mb cbq (default)
> queue ip4 bandwidth 90Kb
> queue ip5 bandwidth 90Kb
> queue ip6 bandwidth 90Kb
> queue ip7 bandwidth 90Kb
> anchor altqrules
>
> here is my /etc/pf.conf file
>
> <-------snip-------->
>
> int_if = "fxp0"
> ext_if = "rl0"
> lan_net = "192.168.1.0/24"
>
> # Options: tune the behavior of pf, default values are given.
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
>
> set loginterface none
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
>
> # Bandwidth Shaping
> anchor altqrules
> load anchor altqrules from "/home/anchor-altq"
>
> # Translation: specify how addresses are to be mapped or redirected.
> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>
> pass in quick on lo0 all
> pass in quick on $int_if from $lan_net to any keep state
> pass out on $int_if from any to any keep state
> pass out on $ext_if from any to any keep state
>
> # default deny
> block in log on $ext_if
>
> <-------snip-------->
>
> but when I reload my pf I get the error
>
> Reloading pf rules.
> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing,
> translation, filtering
> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing,
> translation, filtering
> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing,
> translation, filtering
> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing,
> translation, filtering
>
>
> Please help, what should I do?
>
> Regards,
>
> Umar Draz
Hi,
As the above messages state, the rules must be present in the rules file
in a fixed order:
1) Options
2) Normalization
3) Queueing (Aka ALTQ)
4) Translation (Aka NAT)
5) Filtering
Quote from pf.conf(5):
<quote>
With the exception of macros and tables, the types of statements should
be grouped and appear in pf.conf in the order shown above, as this
matches the operation of the underlying packet filtering engine. By
default pfctl(8) enforces this order (see set require-order below).
</quote>
And again from pf.conf(5):
<quote>
set require-order
By default pfctl(8) enforces an ordering of the statement types in
the ruleset to: options, normalization, queueing, translation,
filtering. Setting this option to no disables this enforcement. There
may be non-trivial and non-obvious implications to an out of order
ruleset. Consider carefully before disabling the order enforcement.
</quote>
Tom
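As an added illustration of the ordering rule quoted above (this is not code from the thread or from pf itself), the following Python script mimics the require-order check that pfctl(8) performs: it classifies each pf.conf statement by its leading keyword and reports any statement that appears after one from a later stage. The sample ruleset is constructed for the demonstration; macros, tables and anchor statements are left unclassified because pf.conf(5) allows them anywhere.

```python
import re

# Statement types in the order pfctl enforces when "set require-order" is yes.
ORDER = ["options", "normalization", "queueing", "translation", "filtering"]

# Leading keyword of a pf.conf line -> statement type.
KEYWORDS = {
    "set": "options",
    "scrub": "normalization",
    "altq": "queueing", "queue": "queueing",
    "nat": "translation", "rdr": "translation", "binat": "translation",
    "pass": "filtering", "block": "filtering", "antispoof": "filtering",
}

def classify(line):
    """Return the statement type of one pf.conf line, or None if it is
    blank, a comment, a macro, a table, or an anchor/load statement."""
    stripped = line.split("#", 1)[0].strip()      # drop trailing comments
    if not stripped:
        return None
    word = stripped.split()[0]
    is_macro = re.match(r"^[A-Za-z_][A-Za-z0-9_]*\s*=", stripped) is not None
    if is_macro or word in ("table", "anchor", "load", "include"):
        return None
    return KEYWORDS.get(word)

def check_order(text):
    """Return [(line_number, message), ...] for every statement that appears
    after a statement of a later type, the way pfctl reports it."""
    errors, highest = [], -1
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind is None:
            continue
        rank = ORDER.index(kind)
        if rank < highest:
            errors.append((lineno, "%s rule after %s: Rules must be in order: %s"
                           % (kind, ORDER[highest], ", ".join(ORDER))))
        else:
            highest = rank
    return errors

# Constructed sample: the "pass" rule on line 7 comes before the nat rule,
# so the nat rule on line 8 is reported as out of order.
SAMPLE = """\
ext_if = "rl0"
set block-policy drop
scrub in all
altq on fxp0 bandwidth 100Mb cbq queue { std, ip4 }
queue std bandwidth 90Mb cbq(default)
queue ip4 bandwidth 90Kb
pass in quick on lo0 all
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
block in log on $ext_if
"""

if __name__ == "__main__":
    for lineno, msg in check_order(SAMPLE):
        print("sample.conf:%d: %s" % (lineno, msg))
```

Moving the nat rule above the first pass rule makes check_order() return an empty list, which is what pfctl -nf expects before it will load the file.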