Bug #3098

closed

Advanced Options - Multiple State / Connection Controls Not Working

Added by ky41083 - over 11 years ago. Updated about 11 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version:
Start date: 07/20/2013
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:

Description

Issue: Set "Maximum state entries this rule can create" on a rule (I set this on my BitTorrent rule and my default outbound rule, see attached image) and the value is not respected.

Expected behavior: Any traffic matching this rule would be limited to the number of states (basically sessions, at least one state per session) you set this value to. Even if traffic is finding a way around the BitTorrent rule, the default outbound rule should still catch it.

Actual behavior: States / sessions are not limited at all, even on the default rule, and allow LAN-side hosts to quickly exceed the session limit on any upstream devices (like currently deployed AT&T VDSL routers that have a 1024 session limit, or a similarly extremely low global limit).

Additional Info: Every option under "Advanced Options" has no effect whatsoever, according to /tmp/rules.debug, regardless of the value of "State Type". The following function in filter.inc, pointed out by phil.davis, does not apply any advanced options when set to "none":

    $noadvoptions = false;
    if(isset($rule['statetype']) && $rule['statetype'] <> "") {
        switch($rule['statetype']) {
        case "none":
            $noadvoptions = true;
            $aline['flags'] .= " no state ";
            break;

Even when using the default value of "keep state" they are not applied whatsoever, not even in the wrong place.

Advanced options are reported working and in /tmp/rules.debug by kejianshi on 2.0.3-RELEASE.

Attached is a screenshot of my rules as well as a copy of my /tmp/rules.debug with IPs masked and checked for consistency.

Absolutely none of the advanced options are being applied to any rules on any interface regardless of the state type set.


Files

rules.debug.txt (18 KB) - /tmp/rules.debug - ky41083 -, 07/20/2013 10:04 PM
pfSense LAN Rules.jpg (166 KB) - Screen Shot of LAN Interface Rules - ky41083 -, 07/20/2013 10:04 PM
filter.inc.patch (2.67 KB) - ky41083 -, 07/23/2013 03:25 PM
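
As an added example (not part of the original report and not pfSense's own code), the check below reads a pf rules dump such as /tmp/rules.debug and reports which pass rules carry a per-rule `max` state limit, which is the evidence the report relies on. The sample rules and function names are constructed for illustration; the `keep state ( max N )` placement is assumed from pf.conf state-option syntax.

```sh
#!/bin/sh
# Added example: audit a pf ruleset dump such as /tmp/rules.debug for pass
# rules that create states without a per-rule "max" limit.

# Constructed sample rules (not taken from the attached rules.debug).
sample_rules() {
cat <<'EOF'
pass in quick on $LAN proto { tcp udp } from 192.168.1.0/24 to any port 6881:6889 keep state ( max 400 ) label "USER_RULE: BitTorrent"
pass in quick on $LAN inet from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any"
pass in quick on $LAN proto tcp from any to any port 22 keep state ( max-src-conn 5 ) label "USER_RULE: SSH"
pass in quick on $LAN proto udp from any to any port 53 no state label "USER_RULE: DNS"
block in log quick on $WAN from any to any label "USER_RULE: Block all"
EOF
}

# Reads rules on stdin, prints "<status> <label>" per pass rule:
#   LIMITED=<n>  state options include "max <n>"
#   NO_MAX       rule keeps state but has no "max" option
#   NOSTATE      rule is stateless, so no state limit can apply
audit_state_limits() {
    awk '
    $1 != "pass" { next }
    {
        label = "(no label)"; rule = $0
        if (match($0, /label "[^"]*"/)) {
            label = substr($0, RSTART + 7, RLENGTH - 8)
            sub(/label "[^"]*"/, "", rule)   # keep label text out of the checks
        }
        if (rule ~ / no state( |$)/) { print "NOSTATE " label; next }
        opts = ""
        if (match(rule, / state *\([^)]*\)/)) {
            opts = substr(rule, RSTART, RLENGTH)
            sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts)
        }
        n = split(opts, f, /[ ,]+/); limit = ""
        for (i = 1; i < n; i++)
            if (f[i] == "max") limit = f[i + 1]
        if (limit != "") { print "LIMITED=" limit " " label }
        else { print "NO_MAX " label }
    }'
}

sample_rules | audit_state_limits
```

On a firewall the same function can be fed the live dump with `audit_state_limits < /tmp/rules.debug`. A rule that only sets `max-src-conn` is reported as NO_MAX because that option limits connections per source host, not the total states the rule may create.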