Regression #12954
closed
Traffic routed through DUMMYNET by PF fails when IPFW is enabled
Description
If you have Limiters configured and are sending traffic through them using pf firewall rules, that traffic can fail if it also runs through ipfw. That means if the captive portal is enabled on any interface.
Traffic using Limiters created by the captive portal is sent to dummynet by ipfw and passes correctly.
Not all traffic fails. For example, if you have Limiters defined on LAN and run an iperf test from a client on LAN to a server on WAN, a reverse test succeeds. The server is mostly sending traffic to the client, but the client must send some traffic the other way, and that passes. If you run the test the other way, it fails almost immediately. It appears once the queue is full:
    Limiters:
    00001:  20.000 Mbit/s    0 ms burst 0
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
     sched 65537 type FIFO flags 0x0 0 buckets 1 active
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 ip           0.0.0.0/0             0.0.0.0/0     2247555 1375041930 50 27537  37
Once it has failed, no traffic can pass until the state has timed out. Other traffic still opens states in pf, but no packets reach it:
LAN2 icmp 172.22.22.10:6 -> 8.8.8.8:6 0:0 0 / 0 0 B / 0 B
Tested in 22.01-REL and 2.6-REL.
The patch applied to correct the captive portal not passing does not help here.
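A diagnostic sketch for the symptom described above, added here and not part of the original report or of pfSense: it parses a limiter listing and flags flows whose queued packet count has reached the pipe's slot limit. It assumes the listing is laid out one record per line and that the `Pkt` column is packets currently queued and `Drp` is drops; the function names are hypothetical.

```python
import re

# Limiter listing quoted in the report, reflowed one record per line (layout assumed).
SAMPLE = """\
Limiters:
00001:  20.000 Mbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 1 active
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip           0.0.0.0/0             0.0.0.0/0     2247555 1375041930 50 27537  37
"""

PIPE_RE = re.compile(r"^(\d+):\s+(.+?)\s+\d+ ms\b")   # "00001:  20.000 Mbit/s  0 ms ..."
QUEUE_RE = re.compile(r"^q\d+\s+(\d+) sl\.")           # queue size given in slots only
FLOW_RE = re.compile(                                  # bucket, proto, src, dst, 5 counters
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_limiters(text):
    """Return one dict per pipe with its slot limit and per-flow counters."""
    pipes, cur = [], None
    for line in text.splitlines():
        if m := PIPE_RE.match(line):
            cur = {"pipe": int(m[1]), "bandwidth": m[2], "slots": None, "flows": []}
            pipes.append(cur)
        elif cur is None:
            continue                                   # header lines before the first pipe
        elif m := QUEUE_RE.match(line):
            cur["slots"] = int(m[1])
        elif m := FLOW_RE.match(line):
            tot_pkts, tot_bytes, q_pkts, q_bytes, drops = map(int, m.groups()[4:])
            cur["flows"].append({"bucket": int(m[1]), "proto": m[2],
                                 "total_pkts": tot_pkts, "total_bytes": tot_bytes,
                                 "queued_pkts": q_pkts, "queued_bytes": q_bytes,
                                 "drops": drops})
    return pipes


def saturated(pipes):
    """Return (pipe id, flow) pairs whose queue has reached the pipe's slot limit."""
    return [(p["pipe"], f) for p in pipes for f in p["flows"]
            if p["slots"] is not None and f["queued_pkts"] >= p["slots"]]


if __name__ == "__main__":
    for pipe_id, flow in saturated(parse_limiters(SAMPLE)):
        print(f"pipe {pipe_id}: queue full ({flow['queued_pkts']} pkts), "
              f"{flow['drops']} drops")
```

On the listing from the report this flags pipe 1, whose flow holds 50 queued packets against a 50-slot queue.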
Updated by Jim Pingle over 2 years ago
- Status changed from New to Feedback
- Assignee set to Steve Wheeler
Is this fixed now that the new code is all in?
Updated by Steve Wheeler over 2 years ago
- Status changed from Feedback to Resolved
Yes, this is solved in 22.05 now that ipfw is no longer used.
You can run Captive Portal and Limiters and pass traffic as expected.
Updated by Jim Pingle over 2 years ago
- Subject changed from Traffic routed through dummynet by pf fails if ipfw is enabled. to Traffic routed through DUMMYNET by PF fails when IPFW is enabled