Limit downloading using the new queueing subsystem (OpenBSD-5.4)

Limit downloading using the new queueing subsystem (OpenBSD-5.4)

Wesley MOUEDINE ASSABY
Hi,

I built this small network:

192.168.1.0/29----axe0-obsd54-re0---WAN

I want to limit a host (192.168.1.1/29) to download at 10KBps.
The pf ruleset is loaded. I can see the queue "employee" used
but download is still high, not limited at 10 KBps.

# pfctl -vvs queue

  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue restriction on axe0 bandwidth 800K qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue employee parent restriction on axe0 bandwidth 10K qlimit 50
  [ pkts:       1744  bytes:    2496373  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue network parent restriction on axe0 bandwidth 790K default qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]

Is there someone who can help me with this?

For more information, see below:

# uname -a

OpenBSD testing.pf.queue 5.4 GENERIC.MP#80 i386

# cat /etc/pf.conf

employee="192.168.1.1"

set skip on lo

match out on egress inet from lan:network to any nat-to egress
match in all scrub (no-df max-mss 1440)

queue restriction on axe0 bandwidth 800K
queue employee parent restriction bandwidth 10K
queue network parent restriction bandwidth 790K default

block all

pass out on egress
pass in on egress inet proto tcp from egress:network to any port ssh

pass in log quick on lan from $employee set queue employee
pass in on lan


# ifconfig

lo0: flags=8049 mtu 33192
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
re0: flags=8843 mtu 1500
        lladdr 00:1e:33:25:a5:33
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::21e:33ff:fe25:a533%re0 prefixlen 64 scopeid 0x2
        inet 192.168.0.19 netmask 0xffffffe0 broadcast 192.168.0.31
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
axe0: flags=8843 mtu 1500
        lladdr 00:50:b6:0b:e2:7d
        priority: 0
        groups: lan
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.4 netmask 0xfffffff8 broadcast 192.168.1.7
        inet6 fe80::250:b6ff:fe0b:e27d%axe0 prefixlen 64 scopeid 0x5
pflog0: flags=141 mtu 33192
        priority: 0
        groups: pflog

Thank you very much for your precious help!

Regards,

Wesley


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Wesley MOUEDINE ASSABY
When I download a file using the host 192.168.1.1
and do at the same time:

# pfctl -vvs queue

queue restriction on axe0 bandwidth 800K qlimit 50
   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
   [ qlength:   0/ 50 ]
   [ measured:     0.0 packets/s, 0 b/s ]
queue employee parent restriction on axe0 bandwidth 10K qlimit 50
   [ pkts:      21119  bytes:   30624777  dropped pkts:      0 bytes:      0 ]
   [ qlength:   0/ 50 ]
   [ measured:   115.8 packets/s, 1.35Mb/s ]
queue network parent restriction on axe0 bandwidth 790K default qlimit 50
   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
   [ qlength:   0/ 50 ]
   [ measured:     0.0 packets/s, 0 b/s ]





On 2013-10-15 15:37, Wesley MOUEDINE ASSABY wrote:

> Hi,
>
> I built this small network:
>
> 192.168.1.0/29----axe0-obsd54-re0---WAN
>
> I want to limit a host (192.168.1.1/29) to download at 10KBps.
> The pf ruleset is loaded. I can see the queue "employee" used
> but download is still high, not limited at 10 KBps.
>
> # pfctl -vvs queue
>
>  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:  
>  0 ]
>  [ qlength:   0/ 50 ]
> queue restriction on axe0 bandwidth 800K qlimit 50
>  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:  
>  0 ]
>  [ qlength:   0/ 50 ]
> queue employee parent restriction on axe0 bandwidth 10K qlimit 50
>  [ pkts:       1744  bytes:    2496373  dropped pkts:      0 bytes:  
>  0 ]
>  [ qlength:   0/ 50 ]
> queue network parent restriction on axe0 bandwidth 790K default
> qlimit 50
>  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:  
>  0 ]
>  [ qlength:   0/ 50 ]
>
> Is there someone to help me on ?
>
> For more informations, see below :
>
> # uname -a
>
> OpenBSD testing.pf.queue 5.4 GENERIC.MP#80 i386
>
> # cat /etc/pf.conf
>
> employee="192.168.1.1"
>
> set skip on lo
>
> match out on egress inet from lan:network to any nat-to egress
> match in all scrub (no-df max-mss 1440)
>
> queue restriction on axe0 bandwidth 800K
> queue employee parent restriction bandwidth 10K
> queue network parent restriction bandwidth 790K default
>
> block all
>
> pass out on egress
> pass in on egress inet proto tcp from egress:network to any port ssh
>
> pass in log quick on lan from $employee set queue employee
> pass in on lan
>
>
> # ifconfig
>
> lo0: flags=8049 mtu 33192
>        priority: 0
>        groups: lo
>        inet6 ::1 prefixlen 128
>        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>        inet 127.0.0.1 netmask 0xff000000
> re0: flags=8843 mtu 1500
>        lladdr 00:1e:33:25:a5:33
>        priority: 0
>        groups: egress
>        media: Ethernet autoselect (1000baseT
> full-duplex,rxpause,txpause)
>        status: active
>        inet6 fe80::21e:33ff:fe25:a533%re0 prefixlen 64 scopeid 0x2
>        inet 192.168.0.19 netmask 0xffffffe0 broadcast 192.168.0.31
> enc0: flags=0<>
>        priority: 0
>        groups: enc
>        status: active
> axe0: flags=8843 mtu 1500
>        lladdr 00:50:b6:0b:e2:7d
>        priority: 0
>        groups: lan
>        media: Ethernet autoselect (100baseTX full-duplex)
>        status: active
>        inet 192.168.1.4 netmask 0xfffffff8 broadcast 192.168.1.7
>        inet6 fe80::250:b6ff:fe0b:e27d%axe0 prefixlen 64 scopeid 0x5
> pflog0: flags=141 mtu 33192
>        priority: 0
>        groups: pflog
>
> Thank you very much for your precious help!
>
> Regards,
>
> Wesley


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Norman Golisz-3
On Tue Oct 15 2013 15:48, Wesley MOUEDINE ASSABY wrote:

> When i download a file using the host 192.168.1.1
> and do at the same time :
>
> # pfctl -vvs queue
>
> queue restriction on axe0 bandwidth 800K qlimit 50
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:
> 0 ]
>   [ qlength:   0/ 50 ]
>   [ measured:     0.0 packets/s, 0 b/s ]
> queue employee parent restriction on axe0 bandwidth 10K qlimit 50
>   [ pkts:      21119  bytes:   30624777  dropped pkts:      0 bytes:
> 0 ]
>   [ qlength:   0/ 50 ]
>   [ measured:   115.8 packets/s, 1.35Mb/s ]

yap, bandwidth restrictions apply on upload, only. So, you're
effectively using 10K for TCP ACK packets.


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Norman Golisz-3
On Tue Oct 15 2013 14:08, Norman Golisz wrote:

> On Tue Oct 15 2013 15:48, Wesley MOUEDINE ASSABY wrote:
> > When i download a file using the host 192.168.1.1
> > and do at the same time :
> >
> > # pfctl -vvs queue
> >
> > queue restriction on axe0 bandwidth 800K qlimit 50
> >   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:
> > 0 ]
> >   [ qlength:   0/ 50 ]
> >   [ measured:     0.0 packets/s, 0 b/s ]
> > queue employee parent restriction on axe0 bandwidth 10K qlimit 50
> >   [ pkts:      21119  bytes:   30624777  dropped pkts:      0 bytes:
> > 0 ]
> >   [ qlength:   0/ 50 ]
> >   [ measured:   115.8 packets/s, 1.35Mb/s ]
>
> yap, bandwidth restrictions apply on upload, only. So, you're
> effectively using 10K for TCP ACK packets.
 
you might want to restrict bandwidth on the LAN interface, though. You'd
configure the queues as above on the LAN interface and apply packets
going "out"/upload.


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Wesley MOUEDINE ASSABY
On 2013-10-15 16:18, Norman Golisz wrote:

> On Tue Oct 15 2013 14:08, Norman Golisz wrote:
>> On Tue Oct 15 2013 15:48, Wesley MOUEDINE ASSABY wrote:
>> > When i download a file using the host 192.168.1.1
>> > and do at the same time :
>> >
>> > # pfctl -vvs queue
>> >
>> > queue restriction on axe0 bandwidth 800K qlimit 50
>> >   [ pkts:          0  bytes:          0  dropped pkts:      0
>> bytes:
>> > 0 ]
>> >   [ qlength:   0/ 50 ]
>> >   [ measured:     0.0 packets/s, 0 b/s ]
>> > queue employee parent restriction on axe0 bandwidth 10K qlimit 50
>> >   [ pkts:      21119  bytes:   30624777  dropped pkts:      0
>> bytes:
>> > 0 ]
>> >   [ qlength:   0/ 50 ]
>> >   [ measured:   115.8 packets/s, 1.35Mb/s ]
>>
>> yap, bandwidth restrictions apply on upload, only. So, you're
>> effectively using 10K for TCP ACK packets.
>
> you might want to restrict bandwidth on the LAN interface, though.
> You'd
> configure the queues as above on the LAN interface and apply packets
> going "out"/upload.

Actually, queue is defined on axe0 ("IN"); it is the lan interface.
It doesn't work (downloading limited).

I already tried this:
block all
pass in log quick on lan from $employee set queue employee tag policy1
pass in on lan
pass log quick tagged policy1
pass out on egress
# Downloading still not limited.

Any idea ?

--
Wesley


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Andy Lemin
Only scanned your email but try removing the IN.

The rule I always remember is: when the SYN packet ingresses the interface,
state will be created with the queue tag if a rule matches and states to do
so; as subsequent packets egress an interface, if there is a matching state
with a queue name which matches one of the queues on that interface, the
queue will be used.

So you look ok to me. Try adding the 'upperlimit' property to your hfsc
properties.

NB: I haven't tested Henning's new queuing subsystem yet, so just guessing.

Cheers, Andy.


On Tue, 15 Oct 2013 16:32:16 +0400, Wesley MOUEDINE ASSABY
<[hidden email]> wrote:

> On 2013-10-15 16:18, Norman Golisz wrote:
>> On Tue Oct 15 2013 14:08, Norman Golisz wrote:
>>> On Tue Oct 15 2013 15:48, Wesley MOUEDINE ASSABY wrote:
>>> > When i download a file using the host 192.168.1.1
>>> > and do at the same time :
>>> >
>>> > # pfctl -vvs queue
>>> >
>>> > queue restriction on axe0 bandwidth 800K qlimit 50
>>> >   [ pkts:          0  bytes:          0  dropped pkts:      0
>>> bytes:
>>> > 0 ]
>>> >   [ qlength:   0/ 50 ]
>>> >   [ measured:     0.0 packets/s, 0 b/s ]
>>> > queue employee parent restriction on axe0 bandwidth 10K qlimit 50
>>> >   [ pkts:      21119  bytes:   30624777  dropped pkts:      0
>>> bytes:
>>> > 0 ]
>>> >   [ qlength:   0/ 50 ]
>>> >   [ measured:   115.8 packets/s, 1.35Mb/s ]
>>>
>>> yap, bandwidth restrictions apply on upload, only. So, you're
>>> effectively using 10K for TCP ACK packets.
>>
>> you might want to restrict bandwidth on the LAN interface, though.
>> You'd
>> configure the queues as above on the LAN interface and apply packets
>> going "out"/upload.
>
> Actually, queue is defined on axe0 ("IN"); it is the lan interface.
> It doesn't work (downloading limited).
>
> I already tried this:
> block all
> pass in log quick on lan from $employee set queue employee tag policy1
> pass in on lan
> pass log quick tagged policy1
> pass out on egress
> # Downloading still not limited.
>
> Any idea ?
>
> --
> Wesley


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Norman Golisz-3
In reply to this post by Wesley MOUEDINE ASSABY
On Tue Oct 15 2013 16:32, Wesley MOUEDINE ASSABY wrote:

> On 2013-10-15 16:18, Norman Golisz wrote:
> >On Tue Oct 15 2013 14:08, Norman Golisz wrote:
> >>On Tue Oct 15 2013 15:48, Wesley MOUEDINE ASSABY wrote:
> >>> When i download a file using the host 192.168.1.1
> >>> and do at the same time :
> >>>
> >>> # pfctl -vvs queue
> >>>
> >>> queue restriction on axe0 bandwidth 800K qlimit 50
> >>>   [ pkts:          0  bytes:          0  dropped pkts:      0
> >>bytes:
> >>> 0 ]
> >>>   [ qlength:   0/ 50 ]
> >>>   [ measured:     0.0 packets/s, 0 b/s ]
> >>> queue employee parent restriction on axe0 bandwidth 10K qlimit 50
> >>>   [ pkts:      21119  bytes:   30624777  dropped pkts:      0
> >>bytes:
> >>> 0 ]
> >>>   [ qlength:   0/ 50 ]
> >>>   [ measured:   115.8 packets/s, 1.35Mb/s ]
> >>
> >>yap, bandwidth restrictions apply on upload, only. So, you're
> >>effectively using 10K for TCP ACK packets.
> >
> >you might want to restrict bandwidth on the LAN interface, though.
> >You'd
> >configure the queues as above on the LAN interface and apply packets
> >going "out"/upload.
>
> Actually, queue is defined on axe0 ("IN"); it is the lan interface.
> It doesn't work (downloading limited).
>
> I already tried this:
> block all
> pass in log quick on lan from $employee set queue employee tag policy1
> pass in on lan
> pass log quick tagged policy1
> pass out on egress
> # Downloading still not limited.
>
> Any idea ?

Yes, I remember you need to explicitly set a "maximum" bandwidth to the
queue definition:

queue employee parent restriction bandwidth 10K max 10K

Does this work for you?
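
A check for the symptom shown in this thread, as an added example (not code from the thread or from OpenBSD): it parses `pfctl -vvs queue` output and reports queues whose measured rate exceeds their `max`, or their `bandwidth` when no `max` is set. The function names and the 10% tolerance are assumptions, and K/M/G are treated as decimal bit-rate multipliers.

```python
import re

# Constructed sample: the pfctl output posted in the thread, wrapped lines rejoined.
SAMPLE = """\
queue restriction on axe0 bandwidth 800K qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
queue employee parent restriction on axe0 bandwidth 10K qlimit 50
  [ pkts:      21119  bytes:   30624777  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:   115.8 packets/s, 1.35Mb/s ]
queue network parent restriction on axe0 bandwidth 790K default qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
  [ measured:     0.0 packets/s, 0 b/s ]
"""

UNITS = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
QUEUE_RE = re.compile(r"^queue (\S+) .*?\bbandwidth (\d+(?:\.\d+)?)([KMG]?)\b(.*)$")
MAX_RE = re.compile(r"\bmax (\d+(?:\.\d+)?)([KMG]?)\b")
MEASURED_RE = re.compile(r"measured:.*?,\s*(\d+(?:\.\d+)?)\s*([KMG]?)b/s")

def to_bps(number, suffix):
    return float(number) * UNITS[suffix]

def parse_queues(text):
    """Return one dict per queue; stats seen before any queue line are ignored."""
    queues, current = [], None
    for line in text.splitlines():
        m = QUEUE_RE.match(line.strip())
        if m:
            mx = MAX_RE.search(m.group(4))
            current = {"name": m.group(1), "bandwidth": to_bps(m.group(2), m.group(3)),
                       "max": to_bps(*mx.groups()) if mx else None, "measured": 0.0}
            queues.append(current)
            continue
        m = MEASURED_RE.search(line)
        if m and current is not None:
            current["measured"] = to_bps(m.group(1), m.group(2))
    return queues

def unenforced(queues, tolerance=1.1):
    """(name, has_max) for each queue running above its max, or bandwidth if no max."""
    return [(q["name"], q["max"] is not None) for q in queues
            if q["measured"] > (q["max"] or q["bandwidth"]) * tolerance]

if __name__ == "__main__":
    print(unenforced(parse_queues(SAMPLE)))
```
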


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

Wesley MOUEDINE ASSABY
On 2013-10-15 20:48, Norman Golisz wrote:
> Yes, I remember you need to explicitly set a "maximum" bandwidth to
> the
> queue definition:
>
> queue employee parent restriction bandwidth 10K max 10K
>
> Does this work for you?

Yes, I just added the max keyword.
Therefore I meet a problem:

queue restriction on axe0 bandwidth 10M
queue employee parent restriction bandwidth 1M max 2M
queue network parent restriction bandwidth 9M default

If I download a file, the download runs at around 3,5 KB/s
and just after at 0/0KB/s; impossible to download it.

If I remove the max, it downloads the file with the high bandwidth.

Any idea?
Thank you very much.

==wma


Re: Limit downloading using the new queueing subsystem (OpenBSD 5.4-current)

moelz94
This post has NOT been accepted by the mailing list yet.
Wesley MOUEDINE ASSABY wrote
> On 2013-10-15 20:48, Norman Golisz wrote:
> > Yes, I remember you need to explicitly set a "maximum" bandwidth to
> > the
> > queue definition:
> >
> > queue employee parent restriction bandwidth 10K max 10K
> >
> > Does this work for you?
>
> Yes, I just added the max keyword.
> Therefore I meet a problem:
>
> queue restriction on axe0 bandwidth 10M
> queue employee parent restriction bandwidth 1M max 2M
> queue network parent restriction bandwidth 9M default
>
> If I download a file, the download runs at around 3,5 KB/s
> and just after at 0/0KB/s; impossible to download it.
>
> If I remove the max, it downloads the file with the high bandwidth.
>
> Any idea?
> Thank you very much.
>
> ==wma

I had the same problem when I used the OpenBSD 5.4-current snapshot of 15 October 2013.
I upgraded to the OpenBSD 5.4-current snapshot of 3 November 2013 and it is normal.

regards,

Mulyadi