Bug #3098
closed
Advanced Options - Multiple State / Connection Controls Not Working
Description
Issue: Set "Maximum state entries this rule can create" on a rule (I set this on my BitTorrent rule and my default outbound rule, see attached image) and the value is not respected.
Expected behavior: Any traffic matching this rule would be limited to the number of states (basically sessions, at least one state per session) you set this value to. Even if traffic is finding a way around the BitTorrent rule, the default outbound rule should still catch it.
Actual behavior: States / sessions are not limited at all, even on the default rule, and allow LAN-side hosts to quickly exceed the session limit on any upstream devices (like currently deployed AT&T VDSL routers that have a 1024 session limit, or a similarly extremely low global limit).
Additional Info: Every option under "Advanced Options" has no effect whatsoever, according to /tmp/rules.debug, regardless of the value of "State Type". The following function in filter.inc, pointed out by phil.davis, does not apply any advanced options when set to "none":
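    $noadvoptions = false;
    if (isset($rule['statetype']) && $rule['statetype'] <> "") {
        switch ($rule['statetype']) {
            case "none":
                // State type "none": flag the rule so no advanced (state) options are emitted
                $noadvoptions = true;
                $aline['flags'] .= " no state ";
                break;
            // ... (excerpt ends here; remaining cases not shown in the report)
        }
    }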
Even when using the default value of "keep state" they are not applied whatsoever, not even in the wrong place.
Advanced options are reported working and in /tmp/rules.debug by kejianshi on 2.0.3-RELEASE.
Attached is a screenshot of my rules as well as a copy of my /tmp/rules.debug with IPs masked and checked for consistency.
Absolutely none of the advanced options are being applied to any rules on any interface regardless of the state type set.
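A check for the symptom reported above, as an added example that is not part of the original report or of pfSense's code: it parses pf rule text in the style of /tmp/rules.debug and lists every rule whose rendered "max" state option differs from the limit that was configured. The sample rules, labels, interface name, addresses and expected limits are constructed for illustration; on a real system the text would be read from /tmp/rules.debug.

```python
import re

# Constructed sample in pf rule syntax; NOT the reporter's attached rules.debug.
SAMPLE_RULES = '''\
pass in quick on em1 inet proto tcp from 192.0.2.0/24 to any port 6881:6999 flags S/SA keep state label "USER_RULE: BitTorrent"
pass in quick on em1 inet from 192.0.2.0/24 to any keep state ( max 500, source-track rule ) label "USER_RULE: Default allow LAN to any"
pass in quick on em1 inet proto udp from 192.0.2.0/24 to any port 53 no state label "USER_RULE: DNS"
block in log quick on em0 from any to any label "USER_RULE: Block all"
'''

# Limits the administrator set in the GUI (constructed values), keyed by rule label.
EXPECTED = {
    "USER_RULE: BitTorrent": 500,
    "USER_RULE: Default allow LAN to any": 500,
    "USER_RULE: DNS": 100,
}

LABEL_RE = re.compile(r'\blabel\s+"([^"]*)"')
STATE_RE = re.compile(r'\b(?:keep|modulate|synproxy)\s+state\b\s*(?:\(([^)]*)\))?')
# Match the bare "max N" option only, not max-src-nodes / max-src-states / max-src-conn.
MAX_RE = re.compile(r'(?<![\w-])max\s+(\d+)')

def state_max_by_label(rules_text):
    """Map each labelled pass rule to its rendered max (int), None, or 'no state'."""
    found = {}
    for line in rules_text.splitlines():
        line = line.strip()
        label = LABEL_RE.search(line)
        if not line.startswith("pass ") or not label:
            continue
        body = LABEL_RE.sub("", line)  # keep label text out of keyword matching
        if re.search(r'\bno\s+state\b', body):
            found[label.group(1)] = "no state"  # a state limit cannot apply here
            continue
        state = STATE_RE.search(body)
        opts = state.group(1) if state and state.group(1) else ""
        limit = MAX_RE.search(opts)
        found[label.group(1)] = int(limit.group(1)) if limit else None
    return found

def audit(rules_text, expected):
    """Return (label, configured, rendered) for every rule whose limit is missing or wrong."""
    rendered = state_max_by_label(rules_text)
    return [(label, want, rendered.get(label, "rule not found"))
            for label, want in expected.items()
            if rendered.get(label, "rule not found") != want]

if __name__ == "__main__":
    for label, want, got in audit(SAMPLE_RULES, EXPECTED):
        print(f"{label}: configured max {want}, rendered {got}")
```

A result of None means the rule keeps state but carries no "max" option at all, which is the condition described in this report.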