Regression #13178

closed

Incorrect usage of DSCP hex value

Added by Joshua Niles almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee: Viktor Gurov
Category: Rules / NAT
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.05
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

In the firewall UI, certain DSCP selections cause the rule to be created using a DSCP hex, rather than the ToS hex.

Here are two examples, comparing the output of pfctl when used in 2.5.2, 2.6.0, and 2.6.0 with the b7b78ea1b14555972efaf7e6c47e48709ad1c199 patch applied.

Relevant pfctl output, after selecting DSCP af41 during rule creation:
  • 2.5.2: dscp 0x88
  • 2.6.0: tos 0x88
  • 2.6.0 (patched): 0x88
Relevant pfctl output, after selecting DSCP cs1 during rule creation:
  • 2.5.2: dscp 0x20
  • 2.6.0: ERROR: "illegal tos value 8"
  • 2.6.0 (patched): tos 0x08

DSCP AF41 was matched correctly in each case, using the ToS hex. DSCP CS1, however, is not.
0x08 is the DSCP hex value for CS1, but pf is matching based on ToS values. For pf to match CS1 traffic, the rule should be using tos 0x20.

This is probably a duplicate of #12803. Technically that was fixed since the ruleset will load, but clearly there's still a problem. Apologies if this would have been more appropriate as a comment rather than a new issue.

Related to #12803 and #12846
Also: https://redmine.pfsense.org/issues/12040#note-1
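
The DSCP-versus-ToS relationship this report turns on, as an added example that is not part of the original issue or of pfSense's code: the DSCP codepoint sits in the upper six bits of the ToS byte (RFC 2474), so the ToS value is the codepoint shifted left by two. The function names are hypothetical and the sample rule fragments are the values quoted in the report above.

```python
# Added example (not pfSense code): map DSCP names to the ToS byte and
# classify the value a generated rule carries for a given DSCP selection.

def dscp_table():
    """Standard DSCP names mapped to their 6-bit codepoints."""
    table = {"ef": 46}                        # expedited forwarding
    for n in range(8):                        # class selectors cs0..cs7
        table[f"cs{n}"] = n << 3
    for cls in range(1, 5):                   # assured forwarding af11..af43
        for drop in range(1, 4):
            table[f"af{cls}{drop}"] = (cls << 3) | (drop << 1)
    return table

DSCP = dscp_table()

def tos_for(name):
    """ToS byte carrying this DSCP codepoint (low two bits are ECN, left 0)."""
    return DSCP[name.lower()] << 2

def classify(name, emitted):
    """Compare an emitted rule fragment such as 'tos 0x08' with the selection.

    Returns 'ok' when the value is the ToS byte, 'unshifted' when it is the
    raw DSCP codepoint (the symptom in this report), otherwise 'mismatch'.
    """
    value = int(emitted.split()[-1], 0)       # accepts 0x.. and decimal
    dscp = DSCP[name.lower()]
    if value == dscp << 2:
        return "ok"
    if value == dscp:
        return "unshifted"
    return "mismatch"

# Rule fragments quoted in the report, paired with the DSCP selected in the UI.
SAMPLES = [
    ("af41", "tos 0x88"),   # 2.6.0
    ("cs1", "tos 0x08"),    # 2.6.0 (patched)
    ("cs1", "tos 0x20"),    # value the report says the rule should use
]

def check_samples(samples=SAMPLES):
    return [(n, e, f"0x{tos_for(n):02x}", classify(n, e)) for n, e in samples]

if __name__ == "__main__":
    for name, emitted, expected, verdict in check_samples():
        print(f"{name:5} emitted={emitted!r:12} expected tos {expected}: {verdict}")
```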
