NetBSD-Users archive
Re: altq filter acts before or after npf NAPT?
Rocky Hotas wrote:
> Hello!
> Consider a NetBSD 9.0 (release) system using both npf and altqd. This
> machine has two NICs and it is a gateway. First NIC is connected to a
> LAN, with multiple hosts, and second NIC is connected to the modem.
> With npf, the following is applied:
>
> map $if_second_nic dynamic $internal_lan -> $second_nic_ipv4
>
> This is a NAPT, so when a packet from a LAN host is outgoing from the
> second NIC, its source address is mapped into the second NIC's IP.
>
> One of the few (or maybe the only) examples about altqd configuration
> is here:
>
> <https://wiki.netbsd.org/tutorials/altqd_traffic_shaping_example/>
>
> It creates this filter:
>
> filter bge0 high_class 0 0 0 0 17
>
> where the third `0' means `any source IP address'. Assume that bge0 is
> the second NIC. This is for packets outgoing from it.
>
> Does altqd act:
> 1) before
> or
> 2) after npf?
Hello,
If I remember, altq is applied after npf.
My /etc/altqd.conf contains:
legendre:[~] > cat /etc/altq.conf
#tbrconfig
interface wm0 bandwidth 8M priq
class priq wm0 high_class NULL priority 1
class priq wm0 low_class NULL priority 0 default
filter wm0 high_class 0 1194 0 0 17
filter wm0 high_class 0 0 0 1194 17
filter wm0 high_class 0 1195 0 0 17
filter wm0 high_class 0 0 0 10240 17
filter wm0 high_class 0 10000 0 0 17
filter wm0 high_class 0 0 0 10000 17
interface tap0 bandwidth 2M priq
class priq tap0 high_class_vpn NULL priority 1
class priq tap0 low_class_vpn NULL priority 0 default
interface tap1 bandwidth 2M priq
class priq tap1 high_class_vpn NULL priority 1
class priq tap1 low_class_vpn NULL priority 0 default
filter tap0 high_class_vpn 192.168.10.250 0 0 0 17
filter tap0 high_class_vpn 0 0 192.168.10.250 0 17
filter tap0 high_class_vpn 192.168.10.253 0 0 0 17
filter tap0 high_class_vpn 0 0 192.168.10.253 0 17
interface agr0 bandwidth 1000M priq
class priq agr0 high_class_lan NULL priority 1
class priq agr0 low_class_lan NULL priority 0 default
filter agr0 high_class_lan 192.168.10.250 0 0 0 17
filter agr0 high_class_lan 0 0 192.168.10.250 0 17
filter agr0 high_class_lan 192.168.10.253 0 0 0 17
filter agr0 high_class_lan 0 0 192.168.10.253 0 17
filter agr0 high_class_lan 0 10000 0 0 17
filter agr0 high_class_lan 0 0 0 10000 17
# QoS
conditioner agr0 af41_agr0 <mark 0xb8>
filter agr0 af41_agr0 0 10000 0 0 17
filter agr0 af41_agr0 0 0 0 10000 17
filter agr0 af41_agr0 0 0 192.168.10.250 0 17
filter agr0 af41_agr0 0 0 192.168.10.253 0 17
conditioner tap0 af41_tap0 <mark 0xb8>
filter tap0 af41_tap0 0 0 192.168.10.250 0 17
filter tap0 af41_tap0 0 0 192.168.10.253 0 17
filter tap0 af41_tap0 0 10000 0 0 17
filter tap0 af41_tap0 0 0 0 10000 17
conditioner tap1 af41_tap1 <mark 0xb8>
filter tap1 af41_tap1 0 0 192.168.10.250 0 17
filter tap1 af41_tap1 0 0 192.168.10.253 0 17
filter tap1 af41_tap1 0 10000 0 0 17
filter tap1 af41_tap1 0 0 0 10000 17
legendre:[~] >
and altqd runs as expected. Only a few bugs. Don't try to launch
/etc/rc.d/altqd reload, altqd will take 100% of a CPU. Don't try to stop
altqd, you will obtain a kernel panic.
In my example:
- wm0 is WAN interface;
- agr0 is LAN interface;
- tap0 and tap1 are two interfaces of a bridge used for SIP and video
calls (jitsi).
Best regards,
JKB
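
An added example, not part of the thread and not altq code: a minimal Python matcher for the basic `filter if class dst_addr dport src_addr sport proto` form used above, showing how the before/after-NAPT ordering decides whether a source-address filter on the NAT interface can ever match. The WAN and peer addresses, the address-based wm0 filter and all helper names are constructed for illustration; optional fields such as netmask or tos are not handled.

```python
from ipaddress import ip_address
from typing import NamedTuple

class Packet(NamedTuple):
    dst: str
    dport: int
    src: str
    sport: int
    proto: int

class Filter(NamedTuple):
    iface: str
    klass: str
    dst: str
    dport: int
    src: str
    sport: int
    proto: int

def parse_filter(line: str) -> Filter:
    """Parse: filter <if> <class> <dst_addr> <dport> <src_addr> <sport> <proto>."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "filter":
        raise ValueError(f"unsupported filter line: {line!r}")
    return Filter(tok[1], tok[2], tok[3], int(tok[4]), tok[5], int(tok[6]), int(tok[7]))

def _addr_ok(rule: str, value: str) -> bool:
    return rule == "0" or ip_address(rule) == ip_address(value)  # 0 is a wildcard

def matches(f: Filter, iface: str, p: Packet) -> bool:
    return (f.iface == iface
            and _addr_ok(f.dst, p.dst) and f.dport in (0, p.dport)
            and _addr_ok(f.src, p.src) and f.sport in (0, p.sport)
            and f.proto in (0, p.proto))

def classify(filters, iface: str, p: Packet, default: str = "low_class") -> str:
    """First matching filter wins; otherwise the packet lands in the default class."""
    return next((f.klass for f in filters if matches(f, iface, p)), default)

BY_ADDR = [parse_filter("filter wm0 high_class 0 0 192.168.10.250 0 17")]  # constructed
BY_PORT = [parse_filter("filter wm0 high_class 0 10000 0 0 17")]           # from the reply
# Constructed UDP packet from a LAN host, before and after NAPT on the WAN interface.
PRE_NAT = Packet("198.51.100.7", 10000, "192.168.10.250", 40000, 17)
POST_NAT = PRE_NAT._replace(src="203.0.113.5", sport=61000)

if __name__ == "__main__":
    for name, pkt in (("pre-NAT", PRE_NAT), ("post-NAT", POST_NAT)):
        print(name, "by-addr:", classify(BY_ADDR, "wm0", pkt),
              "by-port:", classify(BY_PORT, "wm0", pkt))
```

If altq sees the packet after npf has rewritten it, only the `POST_NAT` tuple is relevant on wm0, so the address-based filter falls through to the default class while the destination-port filter still matches.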