FreeBSD Enable PF ALTQ Firewall Support

Posted on October 2, 2008 · 3 comments · Last updated October 2, 2008

Q. Under FreeBSD 7.0 patch level 5, I'm getting the following warning message:

Enabling pf.
No ALTQ support in kernel
ALTQ related functions disabled
No ALTQ support in kernel

I need ALTQ support for my FreeBSD box. How do I enable ALTQ for Class Based Queuing (CBQ) to divide a connection's bandwidth into different classes or queues to prioritize traffic based on filter rules?

A. ALTQ (alternate queuing of network packets) provides several disciplines for queuing outgoing network packets. It does this by modifying the interface packet queues. This is useful for traffic shaping and other advanced usage.

WARNING! These examples may not work with your FreeBSD release as ALTQ is not supported by all of the available network card drivers. Please see the altq manual page for a list of drivers that are supported in your release of FreeBSD.

Fetch latest kernel source code

This is optional, but recommended, so that you build the new kernel from the latest sources. To sync your source tree with the latest sources, enter:
# csup /path/to/supfile
Please see the cvsup tutorial for more information about syncing your source tree with the latest FreeBSD sources.

Open your kernel configuration file

Change to the kernel configuration directory:
# cd /usr/src/sys/`uname -m`/conf
If you are using the vanilla kernel, open the GENERIC file:
# vi GENERIC
If you've previously created a kernel configuration file called nixcraft, open it:
# vi nixcraft
Make sure the following pf kernel device lines exist:

device pf
device pflog
device pfsync

Adding the following kernel options will enable ALTQ and add additional functionality:

options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

Save and close the file.

Build FreeBSD kernel

To compile the kernel, change to the /usr/src directory and enter:
# cd /usr/src
# make buildkernel KERNCONF=nixcraft

To install the new kernel, enter:
# make installkernel KERNCONF=nixcraft

Where,

  • KERNCONF=nixcraft: the name of my kernel configuration file; substitute the name of the file you edited.

Finally, reboot the system to boot into the new kernel:
# reboot
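
A pre-build check for the kernel configuration edited above, added here as an example and not part of the original FAQ: it lists which of the page's pf devices and ALTQ options are absent or commented out, so a gap is caught before a long build and reboot. The function names and the sample configuration are constructed for illustration, and `options SMP` is taken as the marker of an SMP build.

```shell
#!/bin/sh
# Added example: list the pf devices and ALTQ options from this page that a
# kernel configuration file lacks. Assumes one device/option per line.

required_entries() {    # the entries the page asks for, as "keyword name"
    for d in pf pflog pfsync; do echo "device $d"; done
    for o in ALTQ ALTQ_CBQ ALTQ_RED ALTQ_RIO ALTQ_HFSC ALTQ_PRIQ; do echo "options $o"; done
}

# Print "keyword name" for every active line. Comments are stripped first,
# so a commented-out "#options ALTQ" does not count as enabled.
active_entries() {
    [ -r "$1" ] || return 2
    sed -e 's/#.*$//' "$1" | awk 'NF >= 2 { print $1, $2 }'
}

# Print each required entry missing from file $1. Whole-line matching stops
# "options ALTQ_CBQ" from satisfying "options ALTQ".
missing_entries() {
    active=$(active_entries "$1") || return 2
    {
        required_entries
        # ALTQ_NOPCC is "Required for SMP build": demand it only with options SMP.
        if printf '%s\n' "$active" | grep -Fxq 'options SMP'; then echo 'options ALTQ_NOPCC'; fi
    } | while IFS= read -r want; do
        printf '%s\n' "$active" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: pfsync and ALTQ commented out, SMP kernel without NOPCC.
sample_config() {
    cat <<'EOF'
ident     SAMPLE
options   SMP
device    pf
device    pflog
#device   pfsync
#options  ALTQ
options   ALTQ_CBQ    # Class Based Queuing (CBQ)
options   ALTQ_HFSC
EOF
}

# Check the file named in $1, or the constructed sample when run without one.
if [ -n "${1:-}" ]; then missing_entries "$1"; else
    tmp=$(mktemp) && sample_config > "$tmp" && missing_entries "$tmp"
    rm -f "$tmp"
fi
```

Pass the configuration file as the only argument, for example /usr/src/sys/`uname -m`/conf/nixcraft; no output means every entry is present.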

3 comments

1 Britto October 3, 2008 at 10:13 am

Do we have the same functionality in Red Hat-like operating systems?

2 nixCraft October 3, 2008 at 11:25 am

Britto,

Use the tc command; see
http://lartc.org/howto/

3 luka October 14, 2008 at 3:10 pm

You can avoid adding pf firewall exactly to your kernel conf file. Just take a look at the defaults list and take what you need…

# less /etc/defaults/rc.conf
…skipped…
pf_enable="NO" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
pfsync_enable="NO" # Expose pf state to other hosts for syncing
pfsync_syncdev="" # Interface for pfsync to work through
pfsync_syncpeer="" # IP address of pfsync peer host
pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync
…skipped…
