Discussion:
problems using HFSC with pf
S t i n g r a y
2006-10-12 15:59:47 UTC
I am facing problems using HFSC with PF.

pfctl -f /etc/pf.conf
pfctl: the sum of the child bandwidth higher than parent "root_fxp0"
pfctl: linkshare sc exceeds parent's sc
/etc/pf.conf:21: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded

Although my pf.conf looks like this:

intif="epic0"
intnet="10.0.0.0/16"
extif="fxp0"
extad="192.168.0.2"
intad="10.0.0.1"
chadd="10.0.0.1"
servers="10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6"
mailserver="10.0.0.2"
vip="10.0.4.8"
ports = "21 22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863 1999 3000 3020 2020 3389 5000 5001 5050 5100 5190 6667 11999"
allif="{$extif, intif}"
table <allowedclients> persist file "/etc/allowedclients"
table <blockedclients> persist file "/etc/blockedclients"
table <servers> persist file "/etc/servers"
scrub in all
altq on $extif hfsc bandwidth 512Kb queue { www, msn, https, smtp, def }
queue www bandwidth 20%
queue msn bandwidth 20%
queue https bandwidth 20%
queue smtp bandwidth 20%
queue def hfsc(default)
nat on $extif inet proto {icmp, tcp, udp } from <servers> to any -> $extad
nat on $extif inet proto {tcp, udp } from <allowedclients> to any port \
{ $ports } -> $extad
rdr on $intif proto tcp from <allowedclients> to any port 80 -> $chadd port 8080
rdr on $extif proto tcp from any to $extad port 110 -> $mailserver port 110
rdr on $extif proto tcp from any to $extad port 25 -> $mailserver port 25
rdr on $extif proto tcp from any to $extad port 4661 -> $vip port 4661
rdr on $extif proto udp from any to $extad port 4672 -> $vip port 4672
rdr on $extif proto tcp from any to $extad port 80 -> $mailserver port 80
rdr on $intif proto tcp from any to $intad port 80 -> $mailserver port 80
pass out on $extif inet proto { tcp, udp } from <allowedclients> to any port \
{ $ports }
pass out on $extif inet proto { tcp, udp } from $vip to any
pass in on extif proto tcp from <allowedclients> to any port msn queue msn
pass in on extif proto tcp from <allowedclients> to any port www queue https
pass in on extif proto tcp from <allowedclients> to any port www queue www
pass in on extif proto tcp from <allowedclients> to any port smtp queue smtp
pass out on extif inet proto udp from any to <allowedclients> port msn queue msn
pass out on extif inet proto udp from any to <allowedclients> port www queue \
https
pass out on extif inet proto udp from any to <allowedclients> port www queue www
pass out on extif inet proto udp from any to <allowedclients> port smtp queue \
smtp

Do you see anything wrong with this? Is there a bug in this?


Regards



*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$
Kian Mohageri
2006-10-12 18:17:32 UTC
Post by S t i n g r a y
i am facing problems using hfsc with PF.
do you see anything wrong with this ? is there a bug in this ?



I don't mean to be rude but you *really* need to start learning how to look
into these things by yourself. It will help you out a lot in the long run.
People grow very tired of seeing people post their entire pf.conf time after
time with new problems and no indication that you've even tried googling the
error message from pfctl yourself.

Kian
Berk D. Demir
2006-10-12 18:34:12 UTC
Post by S t i n g r a y
pfctl: the sum of the child bandwidth higher than parent "root_fxp0"
pfctl: linkshare sc exceeds parent's sc
[... cut ...]
altq on $extif hfsc bandwidth 512Kb queue { www, msn, https, smtp, def }
queue www bandwidth 20%
queue msn bandwidth 20%
queue https bandwidth 20%
queue smtp bandwidth 20%
queue def hfsc(default)
The problem is with the bandwidth of the queue named "def".
The parser won't try to calculate the remaining bandwidth, as you may have guessed.

You have four 20 percents and a remaining 20 percent too.
Please fix the last line of the queues as:
queue def bandwidth 20% hfsc(default)

HFSC is much more powerful than sharing like this. Have a look at the
linkshare, realtime and upperlimit options. Maybe you can perfect your
bandwidth policy.
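
An added example, not part of the original thread and not pfctl's own code: a small Python check that reproduces the "sum of the child bandwidth higher than parent" arithmetic for the queue section quoted above. It assumes the pf.conf(5) ALTQ default that a queue with no bandwidth keyword gets 100% of its parent, and it handles only a single flat altq line; the function names are hypothetical.

```python
import re

# Constructed sample: the queue section from the post above.
SAMPLE = """\
altq on $extif hfsc bandwidth 512Kb queue { www, msn, https, smtp, def }
queue www bandwidth 20%
queue msn bandwidth 20%
queue https bandwidth 20%
queue smtp bandwidth 20%
queue def hfsc(default)
"""

UNITS = {"b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}


def to_bps(spec, parent_bps):
    """Convert '512Kb' or '20%' to bits per second."""
    if spec is None:
        # Assumption (pf.conf(5)): no bandwidth keyword means 100% of parent.
        return parent_bps
    if spec.endswith("%"):
        return parent_bps * int(spec[:-1]) // 100
    m = re.fullmatch(r"(\d+)(b|Kb|Mb|Gb)", spec)
    if m is None:
        raise ValueError(f"unrecognised bandwidth: {spec}")
    return int(m.group(1)) * UNITS[m.group(2)]


def check_queues(conf):
    """Return (root_bps, {queue: bps}, child_total_bps) for one flat altq."""
    root = re.search(
        r"^altq on \S+ \w+ bandwidth (\S+) queue \{([^}]*)\}", conf, re.M)
    if root is None:
        raise ValueError("no altq line found")
    root_bps = to_bps(root.group(1), 0)
    rates = {}
    for name in (n.strip() for n in root.group(2).split(",")):
        line = re.search(rf"^queue {re.escape(name)}\b(.*)$", conf, re.M)
        if line is None:
            raise ValueError(f"queue {name} is listed but never defined")
        bw = re.search(r"\bbandwidth (\S+)", line.group(1))
        rates[name] = to_bps(bw.group(1) if bw else None, root_bps)
    return root_bps, rates, sum(rates.values())


if __name__ == "__main__":
    root_bps, rates, total = check_queues(SAMPLE)
    for name, bps in rates.items():
        print(f"{name:6} {bps:>7} b/s")
    status = "exceeds parent" if total > root_bps else "ok"
    print(f"children {total} b/s vs parent {root_bps} b/s: {status}")
```
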
Jon Simola
2006-10-12 19:17:12 UTC
Post by S t i n g r a y
i am facing problems using hfsc with PF.
That would be the first problem. Mention of HFSC was scrubbed from the
PF FAQ at http://www.openbsd.org/faq/pf/queueing.html for good reason.
Everything I learned about HFSC was from other web sites and lots of
experimentation. I have working configs, but in the time I've spent
figuring them out I've also figured out that HFSC is not a better
method of queueing. It solves a couple of *very* specific problems
that the vast majority of people will never run across.
Post by S t i n g r a y
pfctl -f /etc/pf.conf
pfctl: the sum of the child bandwidth higher than parent "root_fxp0"
pfctl: linkshare sc exceeds parent's sc
/etc/pf.conf:21: errors in queue definition
pfctl: Syntax error in config file: pf rules not loaded
Although my pf.conf looks like this:
altq on $extif hfsc bandwidth 512Kb queue { www, msn, https, smtp, def }
queue www bandwidth 20%
queue msn bandwidth 20%
queue https bandwidth 20%
queue smtp bandwidth 20%
queue def hfsc(default)
I can see a couple of potential problems: your queues have no hfsc
definitions. Be careful with %'s in any bandwidth, as it may not be
taken as a percent of what you wanted (interface, root queue, parent
queue). I'd suggest using CBQ for this as you are defining 4 classes
of traffic. HFSC, if you get it working, will be far more complex than
you need for something simple like this.
--
Jon
ropers
2006-10-12 21:35:04 UTC
Post by Jon Simola
Post by S t i n g r a y
i am facing problems using hfsc with PF.
That would be the first problem. Mention of HFSC was scrubbed from the
PF FAQ at http://www.openbsd.org/faq/pf/queueing.html for good reason.
Everything I learned about HFSC was from other web sites and lots of
experimentation.
Since I just found this: http://www.cs.cmu.edu/~hzhang/HFSC/main.html
(That's not to say that I'm "for" Hierarchical Fair Service Curve. I
don't know jack about it.)
S t i n g r a y
2006-10-13 01:11:15 UTC
I am currently using CBQ, but I wanted a feature to shift the queue from high priority to lower after a specific period of time, as I have some dirty users who have nothing to do but download HTTP content from the internet.



*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$




S t i n g r a y
2006-10-13 01:00:07 UTC
Yes, but you have to understand my problem: I am very new to OpenBSD & PF and have no Unix admins in my surroundings, nor any Unix training places; all my learning comes from Google & mailing lists such as this.
I do try googling before posting & only post if I have many doubts.
Currently using the CBQ technique.
Trying to learn HFSC.
Hope you understand; will try not to post as much in the future.




*:$., 88,.$:*(((*$ Stingray *:$., 88,.$:*((*$



