
List:       openbsd-pf
Subject:    Re: preferencing also HTTPS
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2004-07-22 20:09:22
Message-ID: 20040722200922.GI6134 () insomnia ! benzedrine ! cx

On Thu, Jul 22, 2004 at 07:49:03AM +0000, Carl Smith wrote:

> While in the process of gathering info for upgrading my NetBSD firewall to 
> OpenBSD with PF I came across the rules to prioritize ACKs. I will be 
> implementing this as some of my users download a lot of ISO images making it 
> slower for others (and me!)
> 
> Looking at these rules I see nowhere what packages are prioritized .. is 
> this defined in altq already ?
> 
> I would like to prioritize my webmail (squirrelmail) so I need to 
> prioritize also HTTPS traffic. How can I add this ? IMAP traffic is done on 
> the loopback so no filtering needed there.

Each filter rule in pf can specify a 'queue (def, pri)' option, where
'def' and 'pri' are two arbitrary queue names (which you define in the
altq/queue section of pf.conf).

Packets matching the rules (or states created from these rules) get
assigned to either of the two queues specified in the rule's option.
Packets with TOS (type of service, an IP option) LOW_DELAY (used by
interactive ssh connections, for instance) and TCP packets without
payload automatically go to the second queue ('pri' in the example above),
anything else to the first one ('def'). This part is hard-coded; you
can't change the criteria by which either of those two queues is
chosen.

But of course you can (and should, for your setup) specify different
queues in different rules. Like, define three queues q_low, q_def and
q_max, and use 'queue (q_def, q_max)' in rules for connections you want
to prioritize and 'queue (q_low, q_def)' for others. You might define
more than three queues, to get finer-grained control.

If, for some rule, you don't care about the automatic distinguishing of
TOS/empty TCP, you can just use 'queue (foo)' instead of 'queue (foo,
foo)'; they are the same.

HTTPS traffic is defined by the port number used (TCP port 443, see
/etc/services), so to use a specific queue for such traffic, make sure
you have a rule that matches HTTPS traffic specifically (and actually
the last matching rule for HTTPS traffic), and put the 'queue ()' option
there. Same for IMAP.

Daniel
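The three-queue layout Daniel describes, written out as a pf.conf fragment. This is an added example, not code from the thread or from the pf project; the interface name fxp0, the 2Mb uplink, the priq priorities, the 192.0.2.10 webmail address and the 192.168.1.0/24 LAN are all assumed placeholder values to be replaced with your own.

```pf
# Macros (assumed values; adjust to your setup)
ext_if  = "fxp0"          # external/uplink interface, where the bottleneck is
webmail = "192.0.2.10"    # host running squirrelmail over HTTPS (placeholder)
lan_net = "192.168.1.0/24"

# Queueing: altq only shapes packets leaving $ext_if, so outbound
# data and the ACKs for inbound downloads are what gets ordered here.
# priq: higher priority number is served first.
altq on $ext_if priq bandwidth 2Mb queue { q_low, q_def, q_max }
queue q_low priority 1
queue q_def priority 3 priq(default)
queue q_max priority 7

# Filter rules. pf uses the LAST matching rule, so the specific HTTPS
# rule is placed after the general ones (or use 'quick' on it instead).
block in log all

# Bulk traffic from the LAN (e.g. ISO downloads over HTTP): payload
# packets go to q_low, empty ACKs and LOW_DELAY packets to q_def.
pass in on $ext_if proto tcp from $lan_net to any port 80 \
    flags S/SA keep state queue (q_low, q_def)

# Anything else the LAN sends out gets the default pair.
pass out on $ext_if proto tcp from $lan_net to any \
    flags S/SA keep state queue (q_low, q_def)

# Webmail: HTTPS (TCP 443, per /etc/services) to the squirrelmail host.
# Reply packets inherit the state's queue when they leave via $ext_if;
# payload goes to q_def, ACKs and LOW_DELAY packets to q_max.
pass in on $ext_if proto tcp from any to $webmail port 443 \
    flags S/SA keep state queue (q_def, q_max)
```

Queue assignment is stored in the state, so the reply packets of a connection accepted by the last rule are queued in q_def/q_max when they go out on $ext_if even though the rule itself matched inbound. Check the result with `pfctl -s queue -v` after loading: the per-queue packet counters show whether HTTPS traffic is actually landing in q_def and q_max rather than in the default queue.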