Bug #14128

open

Input validation does not prevent limiter bandwidth values that are too large

Added by Marcos M about 1 year ago.

Status: New
Priority: Normal
Assignee: -
Category: Traffic Shaper (Limiters)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.7.0
Affected Architecture:

Description

There exists a limit to the bandwidth value within Limiters:
https://github.com/pfsense/FreeBSD-src/blob/bd5b6c0d6ccaa6b8316669d745c407a1260f453a/sbin/ipfw/dummynet.c#L833

The highest supported bw value and type in pfSense is 4294 Mbit/s which results in the following /tmp/rules.limiter:

pipe 1 config  bw 4294Mb queue 3000 codel target 5ms interval 100ms ecn
sched 1 config pipe 1 type fq_codel target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ecn

pipe 2 config  bw 4294Mb queue 3000 codel target 5ms interval 100ms ecn
sched 2 config pipe 2 type fq_codel target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ecn

Higher values will fail to create the pipes and show the following in system logs:

Mar 19 17:33:31 php-fpm 14018 /rc.filter_configure_sync: The command '/sbin/dnctl /tmp/rules.limiter' returned exit code '65', the output was 'Line 2: bandwidth too large'

However, the pfSense GUI does not warn about the limit, and allows rules to be created using the invalid configuration. Traffic that is placed into the invalid pipes/queues fails.
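
A pre-flight check for the generated rules file, as an added example (not pfSense or FreeBSD code): it parses the `pipe ... config bw` lines and flags bandwidths that dnctl would reject, before the ruleset is loaded. The cap of 2^32 - 1 bit/s and the unit table are assumptions consistent with 4294Mb being the highest accepted value reported above; the sample input is constructed from the rules shown in this report.

```python
import re

# Assumption: the cap is the largest unsigned 32-bit value, in bit/s. This
# matches the report (4294Mb accepted, higher values rejected); confirm it
# against the dummynet.c line linked in the description.
MAX_BW_BITS = 2**32 - 1

# Assumed unit suffixes with decimal multipliers; only "Mb" appears on the page.
UNIT_MULT = {"": 1, "b": 1, "Kb": 1_000, "Mb": 1_000_000, "Gb": 1_000_000_000}

# Matches "pipe <id> config ... bw <number><unit>"; sched lines are ignored.
PIPE_BW = re.compile(r"^\s*pipe\s+(\d+)\s+config\b.*?\bbw\s+(\d+)([A-Za-z]*)")


def bw_to_bits(value, unit):
    """Convert a bandwidth number and unit suffix to bit/s."""
    if unit not in UNIT_MULT:
        raise ValueError(f"unknown bandwidth unit '{unit}'")
    return int(value) * UNIT_MULT[unit]


def check_rules(text):
    """Return (line_no, pipe_id, bw_string, reason) for each rejected pipe."""
    problems = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PIPE_BW.match(line)
        if not m:
            continue
        pipe_id, value, unit = m.groups()
        try:
            bits = bw_to_bits(value, unit)
        except ValueError as exc:
            problems.append((line_no, int(pipe_id), value + unit, str(exc)))
            continue
        if bits > MAX_BW_BITS:
            reason = f"{bits} bit/s exceeds cap of {MAX_BW_BITS} bit/s"
            problems.append((line_no, int(pipe_id), value + unit, reason))
    return problems


# Constructed sample: the rules from this report, with pipe 2 raised to 4295Mb.
SAMPLE = """\
pipe 1 config  bw 4294Mb queue 3000 codel target 5ms interval 100ms ecn
sched 1 config pipe 1 type fq_codel target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ecn

pipe 2 config  bw 4295Mb queue 3000 codel target 5ms interval 100ms ecn
sched 2 config pipe 2 type fq_codel target 5ms interval 100ms quantum 1514 limit 10240 flows 1024 ecn
"""

if __name__ == "__main__":
    for line_no, pipe_id, bw, reason in check_rules(SAMPLE):
        print(f"line {line_no}: pipe {pipe_id} bw {bw}: {reason}")
```

The same comparison, applied to the bandwidth value and unit submitted in the limiter form, is the input validation this report asks for.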
