Bug #3726
Firewall Rule with Diffserv Code Point not matching properly
Status: closed
Description
I am using 2.1.4.
I have set up some simple traffic-shaping, and have several Floating firewall rules to send various types of traffic to the several queues I have set up. This is all working fine.
For example, consider this rule (in /tmp/rules.debug):
match inet proto tcp from any to any port 22 flags S/SA queue (qMedium,qACK) label "USER_RULE"
This works fine; when I am using scp to upload a file, pftop shows that the traffic is being put in the qMedium queue.
However, the problem comes when additionally trying to match on a Diffserv Code Point. I edited the above rule in the GUI and under Advanced features also required it to match on the 0x02 Diffserv Code Point. That yielded this rule (in /tmp/rules.debug):
match inet proto tcp from any to any port 22 dscp 0x02 flags S/SA queue (qMedium,qACK) label "USER_RULE"
Now pftop shows that scp upload traffic goes into the default queue--qDefault, which indicates to me that it isn't matching this rule anymore.
I took a packet capture while the scp upload was going on, and I can see that the scp upload packets have a DSCP value of 0x02, so it seems to me that they should match the rule with "dscp 0x02" in it.
I have attached a screenshot showing the DSCP value of an example packet.
If any more information would be helpful, or if there's anything else you'd like me to try, please let me know.
Thank you.
James Dietrich
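A check that can be run against bytes from a capture like the one described above, as an added example that is not part of the original report: it decodes the header fields the quoted rule tests (the DS byte split into its 6-bit DSCP and 2-bit ECN parts, the destination port, and the S/SA flag condition). The function names, addresses and sample packet are constructed for illustration; the sample assumes ECN bits of 0.

```python
import socket
import struct

def classify_fields(packet: bytes) -> dict:
    """Decode the fields the reported rule tests from raw IPv4+TCP bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        raise ValueError("truncated header")
    if packet[9] != 6:
        raise ValueError("not TCP")
    ds_byte = packet[1]                     # former TOS byte (RFC 2474)
    _sport, dport = struct.unpack_from("!HH", packet, ihl)
    tcp_flags = packet[ihl + 13]
    return {
        "ds_byte": ds_byte,                 # full 8-bit value on the wire
        "dscp": ds_byte >> 2,               # upper 6 bits
        "ecn": ds_byte & 0x03,              # lower 2 bits (RFC 3168)
        "dport": dport,
        # "flags S/SA": of SYN (0x02) and ACK (0x10), only SYN is set
        "flags_S_SA": (tcp_flags & 0x12) == 0x02,
    }

def build_sample(ds_byte: int, dport: int, tcp_flags: int) -> bytes:
    """Constructed IPv4+TCP headers (checksums left at 0, not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, ds_byte, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 0x50,
                      tcp_flags, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Constructed SYN to port 22 whose DSCP field is 0x02 (DS byte 0x08).
    fields = classify_fields(build_sample(0x08, 22, 0x02))
    print("DS byte 0x%02x -> DSCP 0x%02x, ECN %d, dport %d, S/SA=%s" % (
        fields["ds_byte"], fields["dscp"], fields["ecn"],
        fields["dport"], fields["flags_S_SA"]))
```

Printing both the 6-bit DSCP and the full DS byte makes it unambiguous which of the two a capture tool's "0x02" refers to.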