Discussion:
pf - queue filter directive sticky?
(private) HKS
2008-09-29 19:29:08 UTC
If the following two rules apply to a given packet in the order shown,
will the packet be queued?

pass in on $int_if from 10.0.0.1 queue tens
pass in on $int_if

I've not been able to find a clear answer in pf.conf(5) or the online
PF documentation. If I overlooked it, please let me know. Thanks in
advance for the help.

-HKS
u***@o3si.de
2008-09-30 08:53:05 UTC
Am Mon, 29 Sep 2008 15:29:08 -0400
Post by (private) HKS
If the following two rules apply to a given packet in the order shown,
will the packet be queued?
pass in on $int_if from 10.0.0.1 queue tens
pass in on $int_if
I've not been able to find a clear answer in pf.conf(5) or the online
PF documentation. If I overlooked it, please let me know. Thanks in
advance for the help.
-HKS
imho normally this packet wouldn't be queued because the last count
matches the packet so the last rule applies:

from man pf.conf:

"For each packet processed by the packet filter, the filter rules
are evaluated in sequential order, from first to last. The last
matching rule decides what action is taken. If no rule matches the
packet, the default action is to pass the packet."

uw

Uwe Werler
2008-09-30 09:05:34 UTC
Am Tue, 30 Sep 2008 10:53:05 +0200
Post by u***@o3si.de
Am Mon, 29 Sep 2008 15:29:08 -0400
Post by (private) HKS
If the following two rules apply to a given packet in the order
shown, will the packet be queued?
pass in on $int_if from 10.0.0.1 queue tens
pass in on $int_if
I've not been able to find a clear answer in pf.conf(5) or the
online PF documentation. If I overlooked it, please let me know.
Thanks in advance for the help.
-HKS
imho normally this packet wouldn't be queued because the last count
"For each packet processed by the packet filter, the filter rules
are evaluated in sequential order, from first to last. The last
matching rule decides what action is taken. If no rule matches the
packet, the default action is to pass the packet."
uw
on the other hand:

"During the filtering component of pf.conf, the last referenced
queue name is where any packets from pass rules will be queued..."

that means because of the sequential order that the packet should be
queued imho.
(private) HKS
2008-09-30 17:28:32 UTC
Post by Uwe Werler
Post by u***@o3si.de
imho normally this packet wouldn't be queued because the last count
This is what I assumed at first, but the stickiness of tags and the
(seeming) logic of doing the same with queues made me second-guess
myself.
Post by Uwe Werler
"During the filtering component of pf.conf, the last referenced
queue name is where any packets from pass rules will be queued..."
that means because of the sequential order that the packet should be
queued imho.
Is that the case, or does that mean that packets passed by a statement
on an altq-enabled interface without an explicit "queue <name>"
directive are automatically assigned to the last defined queue?

My initial tests suggest that the queue statements are not sticky (i.e.,
my initial rules would not have queued it in the "tens" queue), but
I'm still not sure.

-HKS
Giancarlo Razzolini
2008-09-30 20:05:25 UTC
Post by (private) HKS
Post by Uwe Werler
Post by u***@o3si.de
imho normally this packet wouldn't be queued because the last count
This is what I assumed at first, but the stickiness of tags and the
(seeming) logic of doing the same with queues made me second-guess
myself.
Post by Uwe Werler
"During the filtering component of pf.conf, the last referenced
queue name is where any packets from pass rules will be queued..."
that means because of the sequential order that the packet should be
queued imho.
Is that the case, or does that mean that packets passed by a statement
on an altq-enabled interface without an explicit "queue <name>"
directive are automatically assigned to the last defined queue?
My initial tests suggest that the queue statements are not sticky (i.e.,
my initial rules would not have queued it in the "tens" queue), but
I'm still not sure.
-HKS
from pf.conf man page:

default Packets not matched by another queue are assigned to this
one. Exactly one default queue is *required.*
--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
(private) HKS
2008-09-30 20:22:44 UTC
Post by Giancarlo Razzolini
default Packets not matched by another queue are assigned to this
one. Exactly one default queue is *required.*
Thanks, I overlooked that a default queue was required. With that in
mind, then, does this section of pf.conf(5) imply that the queue
directive is sticky?
"During the filtering component of pf.conf, the last referenced queue
name is where any packets from pass rules will be queued..."
Post by Giancarlo Razzolini
Why don't you just use "quick" in the first rule?
pass in quick on $int_if from 10.0.0.1 queue tens
pass in on $int_if
This question is for clarity's sake: is the "quick" required?

-HKS
Henning Brauer
2008-10-01 13:43:15 UTC
Post by (private) HKS
Thanks, I overlooked that a default queue was required. With that in
mind, then, does this section of pf.conf(5) imply that the queue
directive is sticky?
pf.conf doesn't say it would be sticky anywhere, and, surprise, it
isn't.
--
Henning Brauer, ***@bsws.de, ***@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Rosen Iliev
2008-09-30 18:25:34 UTC
Why don't you just use "quick" in the first rule?

pass in quick on $int_if from 10.0.0.1 queue tens
pass in on $int_if

Rosen
Post by (private) HKS
If the following two rules apply to a given packet in the order shown,
will the packet be queued?
pass in on $int_if from 10.0.0.1 queue tens
pass in on $int_if
I've not been able to find a clear answer in pf.conf(5) or the online
PF documentation. If I overlooked it, please let me know. Thanks in
advance for the help.
-HKS
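
Added example, not part of any post in this thread and not pf's own code: a simplified Python model of the evaluation the thread settles on (the last matching rule decides, "quick" stops evaluation, and the queue comes only from the deciding rule, falling back to the default queue). The Rule class, the evaluate function and the default queue name "std" are assumptions made for illustration; only source-address matching is modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_QUEUE = "std"  # assumed name for the required default queue


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: Optional[str] = None    # source address/prefix; None means "any"
    queue: Optional[str] = None  # explicit "queue <name>", if present
    quick: bool = False          # "quick": stop evaluating on match

    def matches(self, src_ip: str) -> bool:
        if self.src is None:
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)


def evaluate(rules, src_ip):
    """Return (action, queue) for a packet under last-match semantics."""
    last = None
    for rule in rules:
        if rule.matches(src_ip):
            last = rule          # a later match replaces the earlier one entirely
            if rule.quick:
                break            # "quick" makes this match final
    if last is None:
        return ("pass", DEFAULT_QUEUE)  # no rule matched: default action is pass
    if last.action != "pass":
        return (last.action, None)
    # The queue comes only from the deciding rule; it is not inherited
    # from earlier matching rules (not sticky).
    return ("pass", last.queue or DEFAULT_QUEUE)


# Constructed rulesets mirroring the variants discussed in the thread.
ORIGINAL = [Rule("pass", src="10.0.0.1", queue="tens"), Rule("pass")]
WITH_QUICK = [Rule("pass", src="10.0.0.1", queue="tens", quick=True), Rule("pass")]
REORDERED = [Rule("pass"), Rule("pass", src="10.0.0.1", queue="tens")]

if __name__ == "__main__":
    for name, rs in [("original", ORIGINAL), ("quick", WITH_QUICK), ("reordered", REORDERED)]:
        print(name, evaluate(rs, "10.0.0.1"), evaluate(rs, "10.0.0.2"))
```

In this model the original rule order sends 10.0.0.1 to the default queue; adding "quick" to the specific rule or moving it after the general rule puts it in "tens".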