Project

General

Profile

Actions

Bug #13148

closed

Traffic passed by Captive Portal cannot use limiter queues on other rules

Added by Steve Wheeler almost 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Category:
Captive Portal
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:
All

Description

Traffic that has been passed by the captive portal on an interface will fail if it passed into a dummynet queue by other rules.

So for example if you have OUT rules on WAN that are using Limiters with queues defined.

pass out quick on em0 route-to (em0 172.21.16.1) inet proto tcp all flags S/SA keep state label "id:1652095021" label "gw:WAN_DHCP" label "USER_RULE: Allow all Limited OUT" dnqueue(1, 4) ridentifier 1652095021

It does not fail if the rules put traffic into pipes directly:

pass out quick on em0 route-to (em0 172.21.16.1) inet proto tcp all flags S/SA keep state label "id:1652095021" label "gw:WAN_DHCP" label "USER_RULE: Allow all Limited OUT" dnpipe(1, 2) ridentifier 1652095021

Traffic that has not passed the captive portal, such as from the firewall itself, passes as expected with pipes or queues.

Tested: 22.05.b.20220510.1811

Actions #1

Updated by Kristof Provost almost 2 years ago

Do you have anything special configured for captive portal? Bandwidth restrictions or something?

I've tried to replicate this here, and can pass traffic just fine with this rule:

@95 pass out quick on vtnet0 route-to (vtnet0 1.0.2.1) inet proto tcp all flags S/SA keep state label "id:1652268183" label "gw:WAN_DHCP" label "USER_RULE" dnqueue(1, 2) ridentifier 1652268183
Actions #2

Updated by Kristof Provost almost 2 years ago

It looks like you need to have multiple queues defined on the pipe for this to manifest.

Actions #4

Updated by Viktor Gurov almost 2 years ago

  • Status changed from New to Feedback
  • Assignee set to Kristof Provost
  • Release Notes changed from Default to Force Exclusion
  • Affected Version set to 2.7.0
Actions #5

Updated by Reid Linnemann almost 2 years ago

  • Status changed from Feedback to Assigned

This appears to still be broken.

Actions #6

Updated by Reid Linnemann almost 2 years ago

  • Target version changed from 2.7.0 to CE-Next
  • Plus Target Version changed from 22.05 to Plus-Next
Actions #7

Updated by Jim Pingle almost 2 years ago

  • Target version changed from CE-Next to 2.7.0
  • Plus Target Version changed from Plus-Next to 22.09
Actions #8

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.09 to 22.11
Actions #9

Updated by Jim Pingle over 1 year ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #10

Updated by Kristof Provost over 1 year ago

  • Status changed from Assigned to Ready To Test

My understanding is that this is fixed, but that Reid had an unrelated issue. @Reid, can you confirm?

Actions #11

Updated by Marcos M over 1 year ago

  • Status changed from Ready To Test to Resolved
  • Private changed from Yes to No
  • Release Notes changed from Force Exclusion to Default

Tested on latest snap - this is indeed fixed.

Actions #12

Updated by Jim Pingle over 1 year ago

  • Subject changed from Traffic passed by the captive portal cannot use additional dummynet queues to Traffic passed by Captive Portal cannot use limiter queues on other rules

Updating subject for release notes.

Actions

Also available in: Atom PDF