
List:       openbsd-misc
Subject:    Re: Priority fixes for pf.conf(5)
From:       Jason McIntyre <jmc () kerhand ! co ! uk>
Date:       2013-11-27 15:17:10
Message-ID: 20131127151811.GC180 () harkle ! home ! gateway

On Sun, Oct 27, 2013 at 08:33:28AM +0200, Timo Myyrä wrote:
> Hi,
> 
> I was reviewing my firewall rules and got confused about priority rules.  I
> wasn't certain whether it was better to have a higher priority number for a
> rule or lower. After some digging it seems that the higher priority numbers get
> processed first. I think the pf.conf(5) man page should document this so others
> shouldn't have to dig for this info from PF FAQ. I don't 
> 
> While I looked for the priority info I noticed the queuing section has wrong
> priorities listed in the example rule.
> 
> Here's a small patch to fix both.
> 
> Timo
> 
> Index: man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.530
> diff -u -u -p -r1.530 pf.conf.5
> --- man5/pf.conf.5      12 Oct 2013 21:44:57 -0000      1.530
> +++ man5/pf.conf.5      27 Oct 2013 06:32:23 -0000
> @@ -646,6 +646,8 @@ code point in the 802.1Q VLAN header.
>  If two priorities are given, packets which have a TOS of
>  .Ar lowdelay
>  and TCP ACKs with no data payload will be assigned to the second one.
> +Packets with higher priority number are processed first and packets with
> +the same priority are processed in a round-robin fashion.
>  .Pp
>  For example:
>  .Bd -literal -offset indent
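
Review bot: the second added line, "the same priority are processed in a round-robin fashion", states an ordering for equal-priority packets that the reply below corrects: they are processed in the order in which they are received. Drop the round-robin clause or reword it accordingly, and write "a higher priority number" in the first added line.
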
> @@ -1551,7 +1553,7 @@ pass out on em0 inet proto tcp from $dev
>  pass out on em0 inet proto tcp from $employeehosts to any port 80 \e
>        set queue employees
>  pass out on em0 inet proto tcp from any to any port 22 \e
> -      set (queue(ssh_bulk, ssh_interactive), prio (6, 3))
> +      set (queue(ssh_bulk, ssh_interactive), prio (3, 6))
>  pass out on em0 inet proto tcp from any to any port 25 \e
>        set queue mail
>  .Ed
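
Review bot: the example around the changed prio (3, 6) line gives no hint that the order of the pair matters, which is how the swapped values went unnoticed. The second value is the one assigned to lowdelay packets and empty TCP ACKs (per the prio text in the first hunk) and it sits opposite ssh_interactive in the queue list; a sentence after the .Ed saying so would keep the pair from being swapped back.
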
> 

right, sorry to take so long. the bulk of your diff is in (thanks), but
equal priority packets are processed in the order in which they are
received, not round robin (sez henning).

thanks for your mail,
jmc
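
An added sketch, not part of the thread or of OpenBSD's code, modelling the two statements above: higher prio numbers are sent first, and equal-priority packets leave in arrival order. The packet dictionaries, function names and the queue-everything-then-drain simplification are assumptions; the sample traffic is constructed.

```python
from collections import deque

# Model of the behaviour described in this thread, not pf's implementation.
def assign_prio(pkt, prio):
    """prio is an int or a (first, second) pair as in 'set prio (3, 6)'.
    With a pair, TOS lowdelay packets and TCP ACKs with no data payload
    get the second value; everything else gets the first."""
    if isinstance(prio, int):
        return prio
    first, second = prio
    empty_ack = pkt.get("ack", False) and pkt.get("payload", 0) == 0
    return second if pkt.get("tos") == "lowdelay" or empty_ack else first

def transmit_order(packets, prio):
    """Return packet names in send order: higher prio number first,
    arrival order (FIFO, not round robin) among equal priorities."""
    queues = {level: deque() for level in range(8)}  # prio levels 0..7
    for pkt in packets:
        queues[assign_prio(pkt, prio)].append(pkt["name"])
    order = []
    for level in range(7, -1, -1):  # drain the highest number first
        order.extend(queues[level])
    return order

# Constructed sample traffic to port 22, listed in arrival order.
SAMPLE = [
    {"name": "scp-data-1", "payload": 1400},
    {"name": "keystroke-1", "tos": "lowdelay", "payload": 1},
    {"name": "scp-data-2", "payload": 1400},
    {"name": "ack-1", "ack": True, "payload": 0},
    {"name": "keystroke-2", "tos": "lowdelay", "payload": 1},
]

if __name__ == "__main__":
    # Old example values: bulk data is sent ahead of interactive traffic.
    print("prio (6, 3):", transmit_order(SAMPLE, (6, 3)))
    # Corrected values: interactive packets and empty ACKs go first.
    print("prio (3, 6):", transmit_order(SAMPLE, (3, 6)))
```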
