From 5278d40bcc1cf1f69254d3e5959b3f35bdc36ae3 Mon Sep 17 00:00:00 2001 From: Brian Feldman Date: Sat, 4 Jun 2005 19:04:31 +0000 Subject: [PATCH] Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification. MFC after: 1 week --- sbin/ipfw/ipfw.8 | 15 +++++++++++++-- sys/netinet/ip_fw2.c | 3 +++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 55f8b77ce833..86d89d34b44c 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -565,7 +565,18 @@ processed, it will not be tagged, so it is wise to make your ALTQ "default" queue policy account for this. If multiple .Cm altq -rules match a single packet, subsequent tags are ignored by ALTQ. +rules match a single packet, only the first one adds the ALTQ classification +tag. +In doing so, traffic may be shaped by using +.Cm count Cm altq Ar queue +rules for classification early in the ruleset, then later applying +the filtering decision. +For example, +.Cm check-state +and +.Cm keep-state +rules may come later and provide the actual filtering decisions in +addition to the fallback ALTQ tag. .Pp You must run .Xr pfctl 8 @@ -573,7 +584,7 @@ to set up the queues before IPFW will be able to look them up by name, and if the ALTQ disciplines are rearranged, the rules in containing the queue identifiers in the kernel will likely have gone stale and need to be reloaded. -Stale queue identifiers will probably misclassify +Stale queue identifiers will probably result in misclassification. .Pp All system ALTQ processing can be turned on or off via .Nm diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 82119770cfbe..609f40bda929 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c 
@@ -2551,6 +2551,9 @@ do { \ ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd; match = 1; + mtag = m_tag_find(m, PACKET_TAG_PF_QID, NULL); + if (mtag != NULL) + break; mtag = m_tag_get(PACKET_TAG_PF_QID, sizeof(struct altq_tag), M_NOWAIT);
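Review bot: In the first ipfw.8 hunk, the closing phrase "provide the actual filtering decisions in addition to the fallback ALTQ tag" reads as if the later check-state/keep-state rules add a tag of their own, which contradicts the new opening sentence that only the first matching altq rule tags the packet. Suggest rewording to make the ordering explicit, e.g. "the tag added by the earlier count altq rule stays with the packet; a later rule only decides whether the packet is passed or dropped". The nested macro line ".Cm count Cm altq Ar queue" is fine for mdoc, but it would help to show it as a complete rule (count altq followed by a queue name) since that is the pattern the paragraph tells the reader to put at the top of the ruleset.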
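Review bot: In the second ipfw.8 hunk (@@ -573,7 +584,7), the unchanged context line "the rules in containing the queue identifiers in the kernel" carries a stray "in" and should read "the rules containing the queue identifiers"; since this paragraph is being touched anyway, it is worth fixing in the same commit. The reworded sentence "Stale queue identifiers will probably result in misclassification." is an improvement over the truncated original, but it would be more useful to the reader if it said how to recover (reload the rules after pfctl has rebuilt the queues), which is what the sentence before it implies.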
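Review bot: The new early-out in ip_fw2.c (m_tag_find on PACKET_TAG_PF_QID followed by break) is not commented, and the reasoning is subtle enough to deserve one line: match = 1 has already been set, so the altq option still counts as matched and the rule's action proceeds; only the allocation of a second tag is skipped, which is the first-match policy the man page now describes. Suggest a comment such as "/* first matching altq rule wins; keep an existing classification */" above the m_tag_find call. One point to confirm: because the lookup keys on the same tag type that is allocated below, any PACKET_TAG_PF_QID tag already attached to the mbuf from an earlier pass over the packet (for example a previous traversal of the firewall on another hook) will also suppress classification here, so "first" means first on the packet's whole path, not just first within one ruleset evaluation; if that is intended, the ipfw.8 wording should say so.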