Xyon (xyon) wrote,

The OpenBSD Upgrade

OpenBSD version 3.6 was released to the FTP mirrors this weekend (official release date is tomorrow, 1 Nov 2004).


While upgrading our NAT from version 3.3 we went through and inspected all of the rules we had set in PF. In doing so we saw some amusing rules allowing redirects to machines no longer on our network. We also put a bit more thought into the packet prioritization (ALTQ PRIQ) that I had looked into around 28 Apr 2004 (see my original post). We fixed a few settings in the queue definitions, and made sure that all of the queue rules were set on outbound traffic, since we can't control inbound. (Though, I think that since I had keep state marked on the rules, anyone contacting me for bittorrent had their responses go through the old torrent queue).

# pfctl -s queue    
queue peer priority 0  -- Peer-to-Peer traffic, as best as we can classify
queue dflt priority 2 priq( default ) -- All hail the unclassified traffic
queue xfer priority 4 -- HTTP, FTP command, SCP, SFTP
queue mail priority 6 -- SMTP, IMAPS
queue im priority 8 -- AIM
queue terminal priority 10 -- SSH 
queue dns priority 12 -- DNS
queue ack_out priority 15 -- ACK packets


After a little over a full day of running, confidence is high that all of the rules are functional:
# pfctl -v -s queue 
queue peer priority 0 
  [ pkts:      55499  bytes:   30925893  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue dflt priority 2 priq( default ) 
  [ pkts:      29112  bytes:    3190539  dropped pkts:    100 bytes:  14392 ]
  [ qlength:   0/ 50 ]
queue xfer priority 4 qlimit 150 
  [ pkts:     344630  bytes:   24840640  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/150 ]
queue mail priority 6 
  [ pkts:         88  bytes:      16783  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue im priority 8 
  [ pkts:      21001  bytes:    1352998  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue terminal priority 10 
  [ pkts:       1032  bytes:      90336  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue dns priority 12 
  [ pkts:       3257  bytes:     269319  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
queue ack_out priority 15 
  [ pkts:      77485  bytes:    5302138  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]


Hmm, looking now I realize that maybe we should have upped the queue length on the dflt queue as well; and while I'm in there mucking around with it again, perhaps I should up the priority of ICMP packets (per the suggestion of loganb back in April).

It would be really nice if pfstat could do queue-based graphs; or if I had the time to write the patch for it (or the alternative program).
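Rebuilding the queue set above as a pf.conf fragment, as an added example and not the author's actual ruleset: the interface name, the uplink bandwidth, the BitTorrent port range and the other port lists are assumptions, and it applies the larger dflt qlimit the post considers after the drops seen in the stats.

```conf
# Added example for OpenBSD 3.6 pf.conf; not the original ruleset.
# Assumptions: external interface fxp0, a 1.5Mb uplink, and the
# hypothetical peer-to-peer port range below.
ext_if    = "fxp0"
p2p_ports = "{ 6881:6889 }"   # assumed BitTorrent range

# ALTQ attaches to the outbound side of the external interface only.
# Inbound traffic cannot be shaped here, so every queue assignment
# lives on a "pass out" rule.
altq on $ext_if priq bandwidth 1.5Mb queue { peer, dflt, xfer, mail, im, terminal, dns, ack_out }
queue peer     priority 0
queue dflt     priority 2  qlimit 150 priq(default)   # raised from the default 50
queue xfer     priority 4  qlimit 150
queue mail     priority 6
queue im       priority 8
queue terminal priority 10
queue dns      priority 12
queue ack_out  priority 15

# queue (a, b): bulk packets use a; empty TCP ACKs and TOS lowdelay
# packets use b. Reply packets are matched by the state entry, so they
# inherit the queue of the rule that created the state; that is why a
# queue on a "pass in ... keep state" rule still shapes the replies.
pass out on $ext_if proto tcp from any to any port $p2p_ports keep state queue (peer, ack_out)
pass out on $ext_if proto tcp from any to any port { 80, 21 }  keep state queue (xfer, ack_out)
# ssh and scp/sftp share port 22: interactive ssh marks TOS lowdelay and
# lands in terminal, while bulk scp/sftp transfers stay in xfer.
pass out on $ext_if proto tcp from any to any port 22 keep state queue (xfer, terminal)
pass out on $ext_if proto tcp from any to any port { 25, 993 } keep state queue (mail, ack_out)
pass out on $ext_if proto tcp from any to any port 5190 keep state queue (im, ack_out)
pass out on $ext_if proto { tcp, udp } from any to any port 53 keep state queue dns
```

Load with `pfctl -f /etc/pf.conf` and confirm the queue assignments with `pfctl -v -s queue`, as in the listing above.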