Problem with queues

Hello, I have a problem with queues. Here is my pf.conf:

ext_if = "tun0"
int_if = "re0"
int_me = "192.168.1.10"
int_fa = "192.168.1.11"
int_mo = "192.168.1.12"
port_allowed = "{ www ntp 27015 }"

set block-policy return
set skip on { lo }

match in all scrub (no-df)

altq on $ext_if priq bandwidth 600Kb queue { std_in hlds_in speed_in }
queue std_in priq (default)
queue hlds_in priority 6
queue speed_in priority 7

altq on $int_if cbq bandwidth 1.8Mb queue { std_out me_out fa_out mo_out speed_out }
queue std_out bandwidth 35% cbq (default, borrow)
queue me_out bandwidth 20% priority 4 cbq (borrow)
queue fa_out bandwidth 20% cbq (borrow)
queue mo_out bandwidth 20% cbq (borrow)
queue speed_out bandwidth 5% priority 7 cbq (borrow)

nat on $ext_if inet from $int_if:network to any -> ($ext_if)

antispoof quick for { $ext_if } inet

block in
pass out
pass in on $int_if inet from $int_if:network to any

pass out on $ext_if inet proto { tcp udp } from any to any port 27000:27015 queue (hlds_in, speed_in)

pass out on $int_if inet from any to $int_me queue (me_out, speed_out)
pass out on $int_if inet from any to $int_mo queue (mother_out, speed_out)
pass out on $int_if inet from any to $int_fa queue (father_out, speed_out)

pass in on $ext_if inet proto { tcp udp } from any to ($ext_if) port $port_allowed
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type { echoreq unreach }

I am using OpenBSD 4.6.
ext_if - external interface
int_if - internal interface
So, I need to divide the bandwidth among 3 computers (me, mo, fa), and I send the traffic into queues, but all of the traffic goes into the default queue. Outgoing traffic also all goes through the default queue. Everything starts working only if I change a rule like

pass out on $int_if inet from any to $int_me queue (me_out, speed_out)

to

pass in on $int_if inet from $int_me to any queue (me_out, speed_out)

I don't quite understand what the right way is, or why the first variant doesn't work; I took it from the official documentation...
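A consistency check for queue assignments in a pf.conf that uses the ALTQ syntax shown in the question, as an added example (not part of the original post): it reports queue names that a rule assigns but no `queue` line declares, or that belong to the altq of a different interface. The function name `check_queues` is hypothetical, the sample is built from the altq, queue and queue-assigning pass lines posted above, and a flat queue hierarchy with single-interface `on` clauses is assumed.

```python
import re

# Constructed sample: altq, queue and queue-assigning pass lines from the question.
SAMPLE = """\
altq on $ext_if priq bandwidth 600Kb queue { std_in hlds_in speed_in }
queue std_in priq (default)
queue hlds_in priority 6
queue speed_in priority 7
altq on $int_if cbq bandwidth 1.8Mb queue { std_out me_out fa_out mo_out speed_out }
queue std_out bandwidth 35% cbq (default, borrow)
queue me_out bandwidth 20% priority 4 cbq (borrow)
queue fa_out bandwidth 20% cbq (borrow)
queue mo_out bandwidth 20% cbq (borrow)
queue speed_out bandwidth 5% priority 7 cbq (borrow)
pass out on $ext_if inet proto { tcp udp } from any to any port 27000:27015 queue (hlds_in, speed_in)
pass out on $int_if inet from any to $int_me queue (me_out, speed_out)
pass out on $int_if inet from any to $int_mo queue (mother_out, speed_out)
pass out on $int_if inet from any to $int_fa queue (father_out, speed_out)
"""

ALTQ_RE = re.compile(r"^altq\s+on\s+(\S+)\s.*\bqueue\s*\{([^}]*)\}")
# Interface after "on", then the queue name(s) at the end of the rule.
RULE_RE = re.compile(r"^(?:pass|block|match)\b.*?\bon\s+(\S+)\s.*"
                     r"\bqueue\s*\(?\s*([\w\s,]+?)\s*\)?\s*$")

def check_queues(conf):
    """Return (line_no, interface, queue, reason) for each unresolved reference."""
    per_if = {}      # interface -> child queue names listed on its altq line
    defined = set()  # names that have their own "queue <name> ..." line
    lines = [l.split("#", 1)[0].strip() for l in conf.splitlines()]
    for line in lines:
        m = ALTQ_RE.match(line)
        if m:
            per_if[m.group(1)] = set(m.group(2).replace(",", " ").split())
        elif line.startswith("queue "):
            defined.add(line.split()[1])
    problems = []
    for no, line in enumerate(lines, 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        iface = m.group(1)
        for q in m.group(2).replace(",", " ").split():
            if q not in defined:
                problems.append((no, iface, q, "not defined"))
            elif q not in per_if.get(iface, set()):
                problems.append((no, iface, q, "not a child of the altq on this interface"))
    return problems

if __name__ == "__main__":
    for p in check_queues(SAMPLE):
        print(p)
```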

test00

nat on $ext_if inet from

nat on $ext_if inet from $int_if:network to any -> ($ext_if)

Are you aware of the change in PF syntax in the latest version of OpenBSD? The FAQ has not yet been updated on this point, and it still shows the old syntax: http://www.openbsd.org/faq/upgrade47.html#before

ENcrypted

Old school syntax

According to the old school, "in order to queue packets you have to keep state, e.g. pass in ... queue abc keep state".
State is created when you send your first TCP packet with the SYN flag set.
In order to queue, you have to 'pass in' the packet into the correct queue; then you can 'pass out' through the same queue.

In your case, you have to add both rules to the config.
This is how I do it:

pass in quick on $int_if proto tcp from $cerberus_ip to any flags S/SA tag C_INT_PRIO keep state queue(int_c_def,int_c_prio)
pass out quick on $int_if proto tcp from any to $cerberus_ip flags S/SA tag C_INT_PRIO keep state queue(int_c_def,int_c_prio)
pass in quick on $int_if from $cerberus_ip to any tag C_INT_IN keep state queue int_c_def
pass out quick on $int_if from any to $cerberus_ip tag C_INT_IN keep state queue int_c_def