Regression #13178
closedIncorrect usage of DSCP hex value
100%
Description
In the firewall UI, certain DSCP selections cause the rule to be created using a DSCP hex, rather than the ToS hex.
Here are two examples, comparing the output of pfctl when used in 2.5.2, 2.6.0, and 2.6.0 with the b7b78ea1b14555972efaf7e6c47e48709ad1c199 patch applied.
Relevant pfctl output, after selecting DSCP af41 during rule creation:- 2.5.2: dscp 0x88
- 2.6.0: tos 0x88
- 2.6.0 (patched): 0x88
- 2.5.2: dscp 0x20
- 2.6.0: ERROR: "illegal tos value 8"
- 2.6.0 (patched): tos 0x08
DSCP AF41 was matched correctly in each case, using the ToS hex. DSCP CS1, however, is not.
0x08 is the DSCP hex value for CS1, but pf is matching based on ToS values. For pf to match CS1 traffic, the rule should be using tos 0x20
This is probably a duplicate of #12803. Technically that was fixed since the ruleset will load but clearly there's still a problem. Apologies if this would have been more appropriate as a comment rather than a new issue.
Related to #12803 and #12846
Also: https://redmine.pfsense.org/issues/12040#note-1