simple altq on RELENG_10 issue
Mike Tancsa
mike at sentex.net
Wed Sep 16 16:04:18 UTC 2015
I am trying to get some simple altq rules working to limit a box from
maxing out its allocated bandwidth. It's RELENG_10 (r287826), AMD64.
if_re is the interface.
altq on $ext_if hfsc bandwidth 1Mb queue { http, other }
block in log all
pass in log from <TRUSTED> to any keep state
pass in log inet6 from <TRUSTED6> to any keep state
pass in log inet6 proto icmp6 from any to any keep state
pass in log inet proto icmp from any to any keep state
pass in log on $ext_if inet proto tcp from any to any port 22 keep state
pass out log on $ext_if proto tcp from any to any port {80,443} queue http
pass out log on $ext_if inet6 proto tcp from any to any port {80,443} queue http
pass out log on $ext_if from any to any keep state queue other
pass out log on $ext_if proto tcp from any to any port {80,443} queue http
pass out log on $int_if from any to any keep state
pass out log on $ext_if inet6 from any to any keep state queue other
pass in log on $ext_if inet6 proto tcp from any to any port {443,22} keep state
The interface is 10Mb ethernet. I set the rule to 1Mb just to see if it
was an issue of altq not being very accurate. But no matter what, doing a
fetch -4 -o /dev/null http://somebigfile
has the speed at about 10Mb...
It's in the kernel
% sysctl -A | grep -i altq
options ALTQ_NOPCC
options ALTQ_PRIQ
options ALTQ_CDNR
options ALTQ_HFSC
options ALTQ_RIO
options ALTQ_RED
options ALTQ_CBQ
options ALTQ
When I start the fetch, looking at the state table
pfctl -ss -v -v
all tcp xx.yy.zz.9:14313 -> aa.bb.cc.33:80 ESTABLISHED:ESTABLISHED
[2866979674 + 66560] wscale 6 [2041348410 + 196224] wscale 6
age 00:00:07, expires in 24:00:00, 2896:5787 pkts, 150721:8613084 bytes, rule 9
id: 0700000055f98086 creatorid: 8451a24d
and it's the rule
@9 pass out log on re0 proto tcp from any to any port = http flags S/SA keep state queue http
[ Evaluations: 3 Packets: 13038 Bytes: 13118285 States: 1 ]
[ Inserted: uid 0 pid 1836 State Creations: 1 ]
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/