Better explain, then actually implement the IPFW ALTQ-rule first-match

policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification. MFC after: 1 week
svn path=/head/; revision=146962
2005-06-04 19:04:31 +00:00 · 2005-06-04 19:04:31 +00:00 · 5278d40bcc · 2020-12-20 02:59:44 +00:00
commit 5278d40bcc
parent e8b2943fab
2 changed files with 16 additions and 2 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -565,7 +565,18 @@ processed, it will not be tagged, so it is wise to make your ALTQ
 "default" queue policy account for this.
 If multiple
 .Cm altq
-rules match a single packet, subsequent tags are ignored by ALTQ.
+rules match a single packet, only the first one adds the ALTQ classification
+tag.
+In doing so, traffic may be shaped by using
+.Cm count Cm altq Ar queue
+rules for classification early in the ruleset, then later applying
+the filtering decision.
+For example,
+.Cm check-state
+and
+.Cm keep-state
+rules may come later and provide the actual filtering decisions in
+addition to the fallback ALTQ tag.
 .Pp
 You must run
 .Xr pfctl 8
@ -573,7 +584,7 @@ to set up the queues before IPFW will be able to look them up by name,
 and if the ALTQ disciplines are rearranged, the rules in containing the
 queue identifiers in the kernel will likely have gone stale and need
 to be reloaded.
-Stale queue identifiers will probably misclassify
+Stale queue identifiers will probably result in misclassification.
 .Pp
 All system ALTQ processing can be turned on or off via
 .Nm
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@ -2551,6 +2551,9 @@ do {									\
 				ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;

 				match = 1;
+				mtag = m_tag_find(m, PACKET_TAG_PF_QID, NULL);
+				if (mtag != NULL)
+					break;
 				mtag = m_tag_get(PACKET_TAG_PF_QID,
 						sizeof(struct altq_tag),
 						M_NOWAIT);