OpenBSD3.8下的流量控制问题

mouseshow

我的pf.conf角本

ext_if="fxp0"
int_if="vr0"
my="192.168.0.1"

#table <spamd> persist
#table <spamd-white> persist

altq on $int_if cbq bandwidth 100Mb queue { std, ftp, ssh }
queue std bandwidth 90Mb cbq(default)
#queue tcp_ack priority 7
queue ftp bandwidth 1Mb priority 3
queue ssh bandwidth 9Mb cbq(borrow)

#set optimization aggressive
#scrub in on $ext_if

binat on $ext_if from $my to any -> 10.101.200.33
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr pass on $ext_if proto tcp from <spamd> to port smtp \
#       -> 127.0.0.1 port spamd
#rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
#       -> 127.0.0.1 port spamd

set skip on lo
pass on $ext_if all keep state

pass out on $int_if keep state
pass in on $int_if from any to any keep state flags S/SA queue std
pass in on $int_if proto tcp from any to any port 21 queue ftp
pass in on $int_if proto tcp from any to any port 22 queue ssh

=====================================================
我从ftp上下载一个5M大小的文件作为测试,但ftp和ssh似乎都未能成功限速
pfctl -v -sa |more

FILTER RULES:
pass on fxp0 all keep state
  [ Evaluations: 163       Packets: 7179      Bytes: 6341386     States: 30    ]
  [ Inserted: uid 0 pid 18702 ]
pass out on vr0 all keep state
  [ Evaluations: 163       Packets: 134       Bytes: 7305        States: 21    ]
  [ Inserted: uid 0 pid 18702 ]
pass in on vr0 all flags S/SA keep state queue std
  [ Evaluations: 77        Packets: 7025      Bytes: 6332705     States: 3     ]
  [ Inserted: uid 0 pid 18702 ]
pass in on vr0 proto tcp from any to any port = ftp queue ftp
  [ Evaluations: 33        Packets: 1         Bytes: 48          States: 0     ]
  [ Inserted: uid 0 pid 18702 ]
pass in on vr0 proto tcp from any to any port = ssh queue ssh
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 18702 ]


ALTQ:
queue root_vr0 bandwidth 100Mb priority 0 cbq( wrr root ) {std, ftp, ssh}
  [ pkts:      34441  bytes:    7897576  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  std bandwidth 90Mb cbq( default )
  [ pkts:      34441  bytes:    7897576  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  ftp bandwidth 1Mb priority 3
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
queue  ssh bandwidth 9Mb cbq( borrow )
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50  borrows:      0  suspends:      0 ]
====================================================
请问各位有经验的达人们,我的pf.conf角本到底有什么错误呀

还有,如果我使用scrub in语句,就会在加载角本的时候报出错信息,我记得3.8以前的版本都不会这样的
# pfctl -f pf.conf.tes     t                                                                                                               
pf.conf.test:21: Rules must be in order: options, normalization, queueing, translation, filtering
pfctl: Syntax error in config file: pf rules not loaded

剑心通明

Rules must be in order: options, normalization, queueing, translation, filtering

注意顺序

mouseshow

啊哈,scrub in的问题解决了,谢谢帮忙,另外那个问题也请多多帮忙,我试了一上午了,还是没有成功

rainren

使用连接数进行限， max-src-state等, 对bt 等多连接有特效， 对ssh， ftp这种单连接的可能失效。

对std的队列的端口中去掉ftp, ssh， 因为执行了这条规则后面的ftp, ssh这两条规则不会执行。

1.   
   
2. pass in on $int_if from any to any port $other-ports keep state flags S/SA queue std
   

复制代码

[ 本帖最后由 rainren 于 2006-2-22 19:38 编辑 ]

rainren

这是我们常犯的一个错误， 我也是前些时候在使用一个脚本封IP时看出来的！