altq won't work ...

merl

Member
Hello,

so, after building a new kernel with altq ...

snip--------------
altq on rl0 cbq bandwidth 11Mb queue { std, endor_bt }
queue std bandwidth 10Mb cbq(default)
queue endor_bt bandwidth 12Kb
pass out quick on rl0 proto { tcp, udp } from $endor port $bittorrent_tcp to any queue endor_bt
snap-------------

Unfortunately nothing gets limited here ... why, I really don't know ...

Does anyone have a tip?

Regards, merl
 
Hello.
Which options did you put into the "kernelconf"?
What the files look like might also be interesting.
Only the crocodile goes snip-snap, without knowing where from or where to. ;)

Regards, nap
 
Hello,

so here are the kernel options:
options ALTQ
options ALTQ_CBQ # Class Based Queueing
options ALTQ_RED # Random Early Drop
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_CDNR # Traffic conditioner
options ALTQ_PRIQ # Priority Queueing
options ALTQ_NOPCC # Required for SMP build

rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

pf.conf

# Interfaces
dmz_if = "fxp0"
int_if = "fxp1"
ext_if = "rl0"

# Hosts
phantom = "212.21.69.98"
endor = "212.21.69.100"
mailrelay = "212.21.75.66"

# IPs assigned to users
hagenip = "{ 212.21.68.36, 212.21.68.37, 212.21.68.40 }"
timmip = "{ 212.21.68.38, 212.21.68.39 }"
gunnarip = "{ 212.21.68.34, 212.21.68.35 }"
eleip = "212.21.68.41"
toralfip = "{ 212.21.68.33, 212.21.68.44 }"
ankeip = "{ 212.21.68.42, 212.21.68.43 }"

# Access authorization for SSH
sshrech = "{ 212.21.69.97, 212.21.69.100 }"
remote = "{ 194.114.76.60, 212.21.75.66 }"

# Ports
admin_services = "22"
mail_services = "25"
tcp_services = "{ 21, 20, 53, 123, 443, 8880 }"
udp_services = "{ 123, 24580, 24501 }"
bittorrent_tcp = "{ 6969, 6881:6889, 3881:3889 }"
voip_tcp_udp = "{ 3478, 3479, 5000:5010, 5060:5070, 7000:7010, 8000:8010, 10000 }"

# Read blacklisted IPs from the block list
table <spyware> persist file "/blocklisten/blocklist.txt"

# Set options
set loginterface $ext_if
set optimization aggressive
scrub in all

# Traffic management
altq on $ext_if cbq bandwidth 11Mb queue { std, endor_bt }
queue std bandwidth 10Mb cbq(default)
queue endor_bt bandwidth 12Kb

# Redirect rules
rdr on $int_if proto tcp from any to any port 80 -> 212.21.96.98
rdr on $dmz_if proto tcp from any to any port 80 -> 212.21.96.98
rdr on $int_if proto tcp from any to any port 8888 -> 127.0.0.1 port 8118
rdr on $dmz_if proto tcp from any to any port 8888 -> 127.0.0.1 port 8118
rdr on $int_if proto tcp from any to any port 8080 -> 212.21.75.251 port 3128

rdr on $dmz_if proto tcp from any to any port 8080 -> 212.21.75.251 port 3128

# General block rule
block in all
block out on $ext_if from 212.21.69.100 to any

# We don't make a peep voluntarily ;)
block return log on $ext_if

# We don't want any IPv6.0
block quick inet6

# Block HotIps
block quick log from any to <spyware>

# Allow everything on loopback
pass quick on lo0 all

# Rules for the redirects
pass in quick on $int_if proto tcp from any to ($int_if) port 80
pass in quick on $int_if proto tcp from any to ($dmz_if) port 80
pass in quick on $int_if proto tcp from any to ($int_if) port 8080
pass in quick on $dmz_if proto tcp from any to ($dmz_if) port 8080
pass in quick on $int_if proto tcp from any to ($int_if) port 8888
pass in quick on $dmz_if proto tcp from any to ($dmz_if) port 8888

# Video and RealStreaming
pass in quick on $int_if proto udp from any port 6970:7170 to any keep state
pass in quick on $int_if proto tcp from any port { 7070, 7071, 554 } to any keep state
pass in quick on $dmz_if proto udp from any port 6970:7170 to any keep state
pass in quick on $dmz_if proto tcp from any port { 7070, 7071, 554 } to any keep state

# VOIP Ports
pass quick proto { tcp, udp } from any to any port $voip_tcp_udp keep state

# HTTP, SSH, FTP, NTP, DBOX
pass quick proto tcp from any port $tcp_services to any keep state

pass in quick log on $ext_if proto tcp from $remote to $sshrech port $admin_services flags S/SA keep state

pass in quick on $ext_if proto udp from any to any port $udp_services keep state
pass in quick on $dmz_if proto udp from any to any port $udp_services keep state
pass in quick on $int_if proto udp from any to any port $udp_services keep state

pass in quick log on $ext_if proto tcp from any to ($ext_if) port 80 flags S/SA synproxy state

pass in quick on $ext_if proto tcp from $mailrelay to ($ext_if) port $mail_services keep state

# Rules Site endor.port-x.de
pass in quick log on $ext_if proto tcp from any to $endor port 80 flags S/SA synproxy state
pass in quick on $ext_if proto { tcp, udp } from any to $endor port $bittorrent_tcp
pass out quick on $ext_if proto { tcp, udp } from $endor port $bittorrent_tcp to any queue endor_bt
# End site endor.port-x.de

# User Rules Site hagen.port-x.de
pass in quick on $ext_if proto tcp from any to 212.21.68.40 port { 80, 8080 } flags S/SA synproxy state
# End site hagen.port-x.de

# User Rules Mario's PowerBook
pass in quick on $dmz_if proto { tcp, udp } from 212.21.69.103 to any port $bittorrent_tcp keep state
pass in quick on $ext_if proto { tcp, udp } from any to 212.21.69.103 port $bittorrent_tcp keep state
# End Mario's PowerBook

# ICMP
pass out quick on $int_if proto { udp, icmp } all keep state
pass out quick on $dmz_if proto { udp, icmp } all keep state
pass out quick on $int_if proto tcp from any to any port { 22, 23 } keep state
pass out quick on $dmz_if proto tcp from any to any port { 22, 23 } keep state

# WLAN <> LAN
pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state
pass in quick on $dmz_if from $dmz_if:network to any keep state
pass out quick on $dmz_if from any to $dmz_if:network keep state

# Outbound to the Internet
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if proto { udp, icmp } all keep state
 
Forgot to add:

So actually everything works; of course the pf.conf can still be optimized, I'm only just
getting familiar with it. But altq somehow doesn't seem to want to work at all.

PS: I could also have changed all the IPs now, but I have nothing to hide ... ;-) ;-)
 
The following lines come from the pen of a
Sony employee who has looked into this.
{http://www.csl.sony.co.jp/person/kjc/software/TIPS.txt}
---
Q. CBQ doesn't work as I expected.
A. It is not easy to track down problems.
My rule of thumb to track down problems:
- watch out for possible interference: CPU or link could
get saturated before queueing takes place.
- start with a simple setting, add complexity step by step.
- use "altqstat" to get the statistics and the internal
state of CBQ.
- try a kernel with a fine-grained timer value. if the
problem is gone, there must be some granularity
mismatching.
---
Furthermore, there is also an altq debug option for the kernel.

That should help you narrow down the problem on site.

Version information is usually also useful when troubleshooting.

Unfortunately I don't have the resources to
reproduce the problem,
but it is an interesting topic.

PS: Didn't you post once that you really like pf/altq?

Have fun.

Regards, nap
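
Added example, not part of the thread or of the quoted TIPS.txt: with ALTQ managed by pf, the per-queue counters are shown by `pfctl -v -s queue`, and this script lists the queues whose packet counter is still zero, meaning no rule or state has handed them traffic. The sample statistics are constructed, and the output layout they follow is an assumption to check against your pfctl version.

```shell
#!/bin/sh
# Added example: list ALTQ queues that never received a packet.
# Input: text in the layout of `pfctl -v -s queue` (layout assumed, see sample).

# Constructed sample, not captured from the poster's machine.
sample_stats() {
cat <<'EOF'
queue root_rl0 bandwidth 11Mb priority 0 cbq( wrr root ) {std, endor_bt}
  [ pkts:      48211  bytes:   51239876  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std bandwidth 10Mb cbq( default )
  [ pkts:      48211  bytes:   51239876  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  endor_bt bandwidth 12Kb
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
EOF
}

# Print "name pkts dropped" for every queue in the statistics on stdin.
queue_counters() {
    awk '
        $1 == "queue" { name = $2 }
        $2 == "pkts:" && name != "" {
            # fields: [ pkts: N bytes: N dropped pkts: N bytes: N ]
            print name, $3, $8
            name = ""
        }
    '
}

# Print the names of non-root queues whose packet counter is still zero.
idle_queues() {
    queue_counters | awk '$1 !~ /^root_/ && $2 == 0 { print $1 }'
}

# On the firewall itself: pfctl -v -s queue | idle_queues
sample_stats | idle_queues
```

A queue that stays in this list while the traffic in question is flowing is being bypassed, so the next thing to inspect is which rule or state those packets actually match (`pfctl -v -s rules`, `pfctl -s state`).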
 