While upgrading our NAT from version 3.3 we went through and inspected all of the rules we had set in PF. In doing so we saw some amusing rules allowing redirects to machines no longer on our network. We also put a bit more thought into the packet prioritization (ALTQ PRIQ) that I had looked into around 28 Apr 2004 (see my original post). We fixed a few settings in the queue definitions, and made sure that all of the queue rules were set on outbound traffic, since we can't control inbound. (Though, I think that since I had keep state marked on the rules, anyone contacting me for bittorrent had their responses go through the old torrent queue).
# pfctl -s queue
queue peer priority 0                     -- Peer-to-Peer traffic, as best as we can classify
queue dflt priority 2 priq( default )     -- All hail the unclassified traffic
queue xfer priority 4                     -- HTTP, FTP command, SCP, SFTP
queue mail priority 6                     -- SMTP, IMAPS
queue im priority 8                       -- AIM
queue terminal priority 10                -- SSH
queue dns priority 12                     -- DNS
queue ack_out priority 15                 -- ACK packets
After a little over a full day of running, confidence is high that all of the rules are functional:
# pfctl -v -s queue
queue peer priority 0
  [ pkts:      55499  bytes:   30925893  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue dflt priority 2 priq( default )
  [ pkts:      29112  bytes:    3190539  dropped pkts:    100 bytes:  14392 ]
  [ qlength:   0/ 50 ]
queue xfer priority 4 qlimit 150
  [ pkts:     344630  bytes:   24840640  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/150 ]
queue mail priority 6
  [ pkts:         88  bytes:      16783  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue im priority 8
  [ pkts:      21001  bytes:    1352998  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue terminal priority 10
  [ pkts:       1032  bytes:      90336  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue dns priority 12
  [ pkts:       3257  bytes:     269319  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue ack_out priority 15
  [ pkts:      77485  bytes:    5302138  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
Hmm, looking now I realize that maybe we should have upped the queue length on the dflt queue as well; and while I'm in there mucking around with it again, perhaps I should up the priority of ICMP packets (per the suggestion of loganb back in April).
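For readers who want to see how the queue layout in the pfctl listing and the two tweaks just mentioned (a bigger dflt qlimit, ICMP in a high-priority queue) fit together in a ruleset, here is a pf.conf fragment built around those queue names and priorities. It is an added illustration, not the ruleset from this post: the interface names, the link bandwidth, the ports used to classify each service, the use of the ToS low-delay bit to separate interactive SSH from SCP/SFTP on port 22, and the particular qlimit value for dflt are all assumptions.

```pf
# Added example, not the ruleset from this post. Interface names, bandwidth,
# classification ports, the dflt qlimit and the ICMP placement are assumptions.
ext_if = "fxp0"
int_if = "fxp1"

# PRIQ on the external interface: a higher priority number is served first,
# and a queue only gets the link when every higher-priority queue is empty.
altq on $ext_if priq bandwidth 1.5Mb queue { peer, dflt, xfer, mail, im, terminal, dns, ack_out }
queue peer     priority 0
queue dflt     priority 2  qlimit 150 priq(default)   # raised from the default 50 (assumed value)
queue xfer     priority 4  qlimit 150
queue mail     priority 6
queue im       priority 8
queue terminal priority 10
queue dns      priority 12
queue ack_out  priority 15

# Queue assignment lives on outbound rules only: ALTQ acts on the interface a
# packet leaves on. With keep state the queue name is stored in the state
# entry, so replies to a connection that was accepted by an inbound rule go
# out in whatever queue that inbound rule named.
# The second name in "queue (a, b)" receives TCP ACKs with no payload and
# packets carrying the low-delay ToS bit; that is what feeds ack_out.
pass out on $ext_if proto tcp from any to any port 6881:6889 keep state queue (peer, ack_out)
pass out on $ext_if proto tcp from any to any port { 21, 80 }  keep state queue (xfer, ack_out)
pass out on $ext_if proto tcp from any to any port { 25, 993 } keep state queue (mail, ack_out)
pass out on $ext_if proto tcp from any to any port 5190       keep state queue (im, ack_out)
pass out on $ext_if proto { tcp, udp } from any to any port 53 keep state queue (dns, ack_out)

# Port 22 carries both interactive SSH and bulk SCP/SFTP. The last matching
# rule wins in pf, so the generic rule comes first and the low-delay
# (interactive) rule overrides it.
pass out on $ext_if proto tcp from any to any port 22 keep state queue (xfer, ack_out)
pass out on $ext_if proto tcp from any to any port 22 tos lowdelay keep state queue (terminal, ack_out)

# Echo and traceroute replies share the high-priority terminal queue so they
# still answer promptly while the link is saturated with bulk traffic.
pass out on $ext_if inet proto icmp keep state queue terminal
```

The port-22 split works because OpenSSH marks interactive sessions with the low-delay ToS value and bulk transfers with throughput, so `tos lowdelay` is enough to tell them apart. Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then load it with `pfctl -f /etc/pf.conf` and watch `pfctl -vs queue` for a while: a non-zero dropped count on a queue, as the dflt queue shows above, is the sign that its qlimit is too small for the traffic it is absorbing.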
It would be really nice if pfstat could do queue-based graphs; or if I had the time to write the patch for it (or the alternative program).