Project

General

Profile

Bug #1575

Limiters are bypassed by local applications injecting rules

Added by Ermal Luçi almost 8 years ago. Updated 4 months ago.

Status:
Feedback
Priority:
Low
Assignee:
-
Category:
Limiters
Target version:
-
Start date:
06/02/2011
Due date:
% Done:

100%

Estimated time:
Affected Version:
All
Affected Architecture:

Description

Taking a look at http://forum.pfsense.org/index.php/topic,37399.0.html
it would be good to teach the match action about limiters as well to avoid such kind of issues.

Associated revisions

Revision 84464c9a (diff)
Added by Ermal Luçi over 6 years ago

Fixes #1575. Allow Match option to be used with limiters as well. The support is there in kernel so allow rules to be configured on this.

History

#1 Updated by Chris Buechler almost 8 years ago

  • Target version deleted (2.0)

#2 Updated by Nikolay Stoyanov about 7 years ago

I have same problem in latest 2.0.1-RELEASE.
http://forum.pfsense.org/index.php/topic,46469.0.html

#3 Updated by Bipin Chandra over 6 years ago

will this be fixed or is it fixed in 2.1?

#4 Updated by Ermal Luçi over 6 years ago

Normally this can be overcommed with match rules on floating tab.
It is present there on 2.1 and i am pushing the fix to allow the rule for limiters as well.

Just create a Match rule under floating rules with limiters you want and it would be applied to these rules.

#5 Updated by Ermal Luçi over 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#6 Updated by Bipin Chandra over 6 years ago

does seem to work still, upnp devices bypass limiter

#7 Updated by Ermal Luçi over 6 years ago

Can you provide any analysis of how you do your checking?
Also provide a

ipfw pipe show
ipfw queue show
pfctl -vvsr
pfctl -vvsn
pfctl -a miniupnpd -vvsn
pfctl -a miniupnpd -vvsr

#8 Updated by Bipin Chandra over 6 years ago

this was discussed here
http://forum.pfsense.org/index.php/topic,56092.0.html

the easy way to test this is, enable upnp, create limiters, create match rules under floating tab with limiters applied then u first do a speed test and it will be limited fine, now that same speed limit should apply but start a torrent download using utorrent or any such software and make it open a random port using upnp and then notice the download and upload speed exceed the limiter value and this way u know it never works once any application tries to open a port using upnp, the limiter almost becomes dead, it does work fine for other ports not opened by upnp

#9 Updated by Ermal Luçi over 6 years ago

In that forum post i do not see any limiters configured on the ruleset posted.
So please provide the information if you want this to be pursued.

#10 Updated by Bipin Chandra over 6 years ago

plz remove post after u have read it

#11 Updated by Ermal Luçi over 6 years ago

Can you try by removing the quick option on the match rules, if you have selected it?

#12 Updated by Bipin Chandra over 6 years ago

yes its ticked, trying without that now but if we untick then i guess in the past there was a problem of traffic for those clients not going to proper queues and i guess u only mentioned in the forum a very long time back that it needs to be ticked but for now i didnt assign any queues to those rules so no issues

#13 Updated by Bipin Chandra over 6 years ago

tried it still same, clients upload speed exceeds limiter values

#14 Updated by Chris Buechler over 4 years ago

  • Category set to Limiters
  • Affected Version changed from 2.0 to All
  • Affected Documentation 0 added

#15 Updated by James Dekker 4 months ago

Is this issue still present in the latest development build?

Also available in: Atom PDF