altq within anchor
Tom Judge
tom at tomjudge.com
Thu Oct 4 14:32:29 PDT 2007
Tom Judge wrote:
> Umar wrote:
>> Dear members!
>>
>> I want to include altq anchor within my pf.conf but i got error.
>>
>> here is the altqrule file /home/anchor-altq
>>
>> altq on fxp0 bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
>> queue default bandwidth 90Mb cbq (default)
>> queue ip4 bandwidth 90Kb
>> queue ip5 bandwidth 90Kb
>> queue ip6 bandwidth 90Kb
>> queue ip7 bandwidth 90Kb
>> anchor altqrules
>>
>> here is my /etc/pf.conf file
>> <-------snip-------->
>>
>> int_if = "fxp0"
>> ext_if = "rl0"
>> lan_net = "192.168.1.0/24"
>>
>> # Options: tune the behavior of pf, default values are given.
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>>
>> set loginterface none
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>>
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>>
>> # Bandwidth Shaping
>> anchor altqrules
>> load anchor altqrules from "/home/anchor-altq"
>>
>> # Translation: specify how addresses are to be mapped or redirected.
>> nat on $ext_if from { $lan_net } to any -> ($ext_if)
>>
>> pass in quick on lo0 all
>> pass in quick on $int_if from $lan_net to any keep state
>> pass out on $int_if from any to any keep state
>> pass out on $ext_if from any to any keep state
>>
>> # default deny
>> block in log on $ext_if
>>
>> <-------snip-------->
>>
>> but when i reload my pf i got the error
>>
>> Reloading pf rules.
>> /etc/pf.conf:36: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:37: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:38: Rules must be in order: options, normalization, queueing, translation, filtering
>> /etc/pf.conf:39: Rules must be in order: options, normalization, queueing, translation, filtering
>>
>>
>> Please help what should i do?
>>
>> Regards,
>>
>> Umar Draz
> Hi,
>
> As the above messages state the rules must be present in the rules file
> in a fixed order:
>
> 1) Options
>
> 2) Normalization
>
> 3) Queueing (Aka ALTQ)
>
> 4) Translation (Aka NAT)
>
> 5) Filtering
>
> Quote from pf.conf(5):
> <quote>
> With the exception of macros and tables, the types of statements should
> be grouped and appear in pf.conf in the order shown above, as this
> matches the operation of the underlying packet filtering engine. By
> default pfctl(8) enforces this order (see set require-order below).
> </quote>
>
> And again from pf.conf(5)
> <quote>
> set require-order
> By default pfctl(8) enforces an ordering of the statement types in
> the ruleset to: options, normalization, queueing, translation,
> filtering. Setting this option to no disables this enforcement. There
> may be non-trivial and non-obvious implications to an out of order
> ruleset. Consider carefully before disabling the order enforcement.
> </quote>
>
>
> Tom
Further to my original reply, having realised I have not given a
complete answer, there are four types of anchor available in PF:
nat-anchor - Holds nat rules
rdr-anchor - Holds rdr rules
binat-anchor - Holds binat rules
anchor - Holds filter rules
And referring to my last post from this it can be seen that by using a
standard filter anchor you start the filter section of the configuration
which in turn violates the rule ordering rules.
Tom
PS: All of the above information was taken from the pf.conf man page.
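The layout Tom describes, written out as an added example that is not part of the thread: Umar's interface names, queue names and bandwidths are reused, the timeout and limit options are left out for brevity, and the LAN host addresses 192.168.1.4 to 192.168.1.7 are assumed. It assumes the FreeBSD pf of that era, where the statement order is enforced by set require-order. The altq and queue definitions move out of the anchor file into the queueing section of pf.conf itself, and the anchor file keeps only filter rules (its contents are shown at the end as comments). The anchor is placed after the generic pass rules so that its queue assignments are the last matching rules and are not overridden by them.

```pf
# Added example, not Umar's or Tom's configuration.
# Macros and tables may appear anywhere; everything else follows the order
# pfctl enforces: options, normalization, queueing, translation, filtering.
int_if  = "fxp0"
ext_if  = "rl0"
lan_net = "192.168.1.0/24"

# 1) Options (timeouts and limits omitted here)
set block-policy drop
set require-order yes        # the default; pf.conf(5) advises against disabling it

# 2) Normalization
scrub in all

# 3) Queueing: altq and queue definitions belong here, in pf.conf itself.
#    A filter anchor cannot carry them, because 'anchor' opens the
#    filtering section and queueing must already be complete by then.
altq on $int_if bandwidth 100Mb cbq queue { default, ip4, ip5, ip6, ip7 }
queue default bandwidth 90Mb cbq(default)
queue ip4     bandwidth 90Kb
queue ip5     bandwidth 90Kb
queue ip6     bandwidth 90Kb
queue ip7     bandwidth 90Kb

# 4) Translation
nat on $ext_if from $lan_net to any -> ($ext_if)

# 5) Filtering
pass in quick on lo0 all
pass in quick on $int_if from $lan_net to any keep state
pass out on $int_if from any to any keep state
pass out on $ext_if from any to any keep state
block in log on $ext_if

# The filter anchor now sits in the section its rule type belongs to. It is
# placed after the generic 'pass out on $int_if' rule on purpose: pf uses
# the last matching rule, so queue assignments loaded here win over it.
anchor altqrules
load anchor altqrules from "/home/anchor-altq"

# --- contents of /home/anchor-altq (filter rules only) ---
# Host addresses are assumed; macros from pf.conf are not relied on here,
# so the interface name is written out. Each rule steers outbound traffic
# to one LAN host into that host's queue.
# pass out on fxp0 from any to 192.168.1.4 keep state queue ip4
# pass out on fxp0 from any to 192.168.1.5 keep state queue ip5
# pass out on fxp0 from any to 192.168.1.6 keep state queue ip6
# pass out on fxp0 from any to 192.168.1.7 keep state queue ip7
```

Before loading, pfctl -nf /etc/pf.conf parses the file without installing it and reports any remaining ordering or queue-definition errors; after loading, pfctl -s queue shows the queues and pfctl -a altqrules -s rules shows what the anchor file contributed.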