PF queueing confusion


Gabriele Tozzi
Hello there,

I have noticed some weirdness when using "pfctl -s queue -v" so I have
decided to investigate.

I have a quite simple pf setup: I have defined 3 queues for my external
interface in my pf.conf:

queue ext on $Ext bandwidth 900K
queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
queue  high parent ext bandwidth 193K qlimit 10
queue  low parent ext bandwidth 193K, max 540Kb qlimit 10

I have noticed that the "high" queue got the wide majority of traffic,
so I have removed all the rules referencing it from pf.conf and,
surprisingly, this is the result after reloading the ruleset:

# pfctl -s queue -v
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue ext on pppoe0 bandwidth 900K qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue normal parent ext bandwidth 386K, max 850K default qlimit 10
  [ pkts:       1555  bytes:     130921  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 10 ]
queue high parent ext bandwidth 193K qlimit 10
  [ pkts:      19303  bytes:   28319771  dropped pkts:    179 bytes: 255401 ]
  [ qlength:   0/ 10 ]
queue low parent ext bandwidth 193K, max 540K qlimit 10
  [ pkts:       4863  bytes:    4044635  dropped pkts:    487 bytes: 176124 ]

Still a lot of data is sent through the "high" queue, even if no rule
in pf.conf is referencing it. As a counter-proof, I can remove the queue
creation line from pf.conf and reload the ruleset without triggering any
error, so the queue is definitely not referenced.

What could be wrong?

Thank You

--
GPG Key Fingerprint:
DAD1 E3E3 C3E9 36FB C570 F405 9B5F 7108 A1D0 2FFF


Re: PF queueing confusion

Daniel Melameth
On Wed, May 10, 2017 at 4:47 AM, Gabriele Tozzi <[hidden email]> wrote:

> I have a quite simple pf setup: I have defined 3 queues for my external
> interface in my pf.conf:
>
> queue ext on $Ext bandwidth 900K
> queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
> queue  high parent ext bandwidth 193K qlimit 10
> queue  low parent ext bandwidth 193K, max 540Kb qlimit 10
>
> I have noticed that the "high" queue got the wide majority of traffic,
> so I have removed all the rules referencing it from pf.conf and,
> surprisingly, this is the result after reloading the ruleset:
>
> # pfctl -s queue -v
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50 ]
> queue ext on pppoe0 bandwidth 900K qlimit 50
>   [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 50 ]
> queue normal parent ext bandwidth 386K, max 850K default qlimit 10
>   [ pkts:       1555  bytes:     130921  dropped pkts:      0 bytes:      0 ]
>   [ qlength:   0/ 10 ]
> queue high parent ext bandwidth 193K qlimit 10
>   [ pkts:      19303  bytes:   28319771  dropped pkts:    179 bytes: 255401 ]
>   [ qlength:   0/ 10 ]
> queue low parent ext bandwidth 193K, max 540K qlimit 10
>   [ pkts:       4863  bytes:    4044635  dropped pkts:    487 bytes: 176124 ]
>
> Still a lot of data is sent through the "high" queue, even if no rule
> in pf.conf is referencing it. As a counter-proof, I can remove the queue
> creation line from pf.conf and reload the ruleset without triggering any
> error, so the queue is definitely not referenced.
>
> What could be wrong?

You'll have to post your pf.conf.


Re: PF queueing confusion

Gabriele Tozzi

On 10/05/2017 14:45, Daniel Melameth wrote:
>> queue ext on $Ext bandwidth 900K
>> queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
>> queue  high parent ext bandwidth 193K qlimit 10
>> queue  low parent ext bandwidth 193K, max 540Kb qlimit 10
>
> You'll have to post your pf.conf.

The whole pf.conf is very long but I have checked multiple times and
there is no rule with the "set queue high" or "set queue ( *, high )"
syntax.


Re: PF queueing confusion

Luis Coronado-3
but perhaps someone else would be able to see something that you didn't,
hence the requirement to share the file.

-luis


On Wed, May 10, 2017 at 12:50 PM, Gabriele Tozzi <[hidden email]> wrote:

>
> On 10/05/2017 14:45, Daniel Melameth wrote:
> >> queue ext on $Ext bandwidth 900K
> >> queue  normal parent ext bandwidth 386K, max 850K qlimit 10 default
> >> queue  high parent ext bandwidth 193K qlimit 10
> >> queue  low parent ext bandwidth 193K, max 540Kb qlimit 10
> >
> > You'll have to post your pf.conf.
>
> The whole pf.conf is very long but I have checked multiple times and
> there is no rule with the "set queue high" or "set queue ( *, high )"
> syntax.
>
>

Re: PF queueing confusion

Gabriele Tozzi

On 10/05/2017 20:56, Luis Coronado wrote:
> but perhaps someone else would be able to see something that you didn't,
> hence the requirement to share the file.

I understand, but it contains sensitive information that I prefer not to
share. If you could tell me what to look for, I will look for it.

I have also checked "pfctl -s rules | grep high" and it returns no data.
To the best of my knowledge, this confirms that there is no pf rule
explicitly sending packets to the "high" queue... but lots of packets
are queued there anyway, so I am supposing there should be some other
queueing mechanism that I do not know of.

Apart from using the "set queue" directive in pf.conf, what could cause
this behaviour?


Re: PF queueing confusion

Gabriele Tozzi

Looks like I've solved it just by renaming the queues.

Instead of naming them "high", "normal" and "low", I have now named them
"exthi", "extstd" and "extlo" and then everything seems to work as expected.

Maybe "high" is a (maybe undocumented) reserved queue name?


Re: PF queueing confusion

Erling Westenvik-2
On Thu, May 11, 2017 at 12:09:26AM +0200, Gabriele Tozzi wrote:
>
> Looks like I've solved it just by renaming the queues.
>
> Instead of naming them "high", "normal" and "low", I have now named them
> "exthi", "extstd" and "extlo" and then everything seems to work as expected.
>
> Maybe "high" is a (maybe undocumented) reserved queue name?

Check out pfctl(8) and the -F option. The issue might be resolvable
simply by flushing one or more of the filter parameters you'll find
there.  (Beware though - you may get kicked out of the server when
flushing states if you're connecting via ssh, and may have to log back
in. tmux(1) is your friend!)

--
Erling Westenvik


Re: PF queueing confusion

Gabriele Tozzi

On 11/05/2017 01:42, Erling Westenvik wrote:
> Check out pfctl(8) and the -F option. The issue might be resolvable
> simply by flushing one or more of the filter parameters you'll find
> there.

I had always assumed that loading a new ruleset with pfctl -f also
implied "-F all".

This explains a lot :)

Thank you
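
Added example, not part of any post in this thread: a shell check for the symptom discussed above, a queue that carries packets although no loaded rule names it, which fits the thread's conclusion that loading a ruleset with pfctl -f does not flush existing states. The function names, the rule line and its print format are assumptions; the queue output is the one posted in the thread, with wrapped lines joined.

```shell
#!/bin/sh
# Added example: list queues that carry packets although no loaded rule names them.

stale_queues() {   # $1 = saved `pfctl -s queue -v` output, $2 = saved `pfctl -s rules` output
    awk '
        FILENAME == ARGV[1] {            # rules listing: collect names that follow "queue"
            gsub(/[(),]/, " ")
            for (i = 1; i < NF; i++)
                if ($i == "queue") { named[$(i+1)] = 1; if (i + 2 <= NF) named[$(i+2)] = 1 }
            next
        }
        $1 == "queue" {                  # queue definition line
            name = $2
            # root ("on <if>") and default queues receive traffic without any rule
            skip = ($0 ~ / on / || $0 ~ / default/)
            next
        }
        $2 == "pkts:" && name != "" {    # counters line that follows the definition
            if (!skip && $3 + 0 > 0 && !(name in named)) print name, $3
            name = ""
        }
    ' "$2" "$1"
}

demo() {           # runs the check on the output posted in the thread
    d=$(mktemp -d) || return 1
    cat > "$d/queues" <<'EOF'
queue ext on pppoe0 bandwidth 900K qlimit 50
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
queue normal parent ext bandwidth 386K, max 850K default qlimit 10
  [ pkts:       1555  bytes:     130921  dropped pkts:      0 bytes:      0 ]
queue high parent ext bandwidth 193K qlimit 10
  [ pkts:      19303  bytes:   28319771  dropped pkts:    179 bytes: 255401 ]
queue low parent ext bandwidth 193K, max 540K qlimit 10
  [ pkts:       4863  bytes:    4044635  dropped pkts:    487 bytes: 176124 ]
EOF
    # Constructed rule line (the poster did not share pf.conf); print format assumed.
    cat > "$d/rules" <<'EOF'
pass out on pppoe0 proto tcp from any to any port = 80 set ( queue low )
EOF
    stale_queues "$d/queues" "$d/rules"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a live system, save the output of `pfctl -s queue -v` and `pfctl -s rules` to two files and pass them to `stale_queues` in that order.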