Bug #3921
max-packets option missing from pfctl
Status: Closed
% Done: 100%
Description
using "divert port (max-packets 8)"
This causes pf to throw a syntax error since divert and max-packets don't appear to be valid in this version of pf.
Updated by Steven Selph about 10 years ago
Sorry, copy-and-paste issues. I meant to say:
Rules are generated using "divert port (max-packets 8)"
Updated by Renato Botelho about 10 years ago
Could you share your sanitized config.xml?
Updated by Steven Selph about 10 years ago
- File config.xml added
Attached my config.xml. The L7 portion results in the following line in /tmp/rules.debug:
pass in log quick on $GUEST inet proto { tcp udp } from 192.168.2.1/24 to any divert 45164 tracker 1412311190 keep state ( max-packets 8 ) label "USER_RULE"
Updated by Renato Botelho about 10 years ago
- Subject changed from Layer 7 (L7) rules have syntax errors to max-packets option missing from pfctl
- Assignee set to Renato Botelho
- Target version set to 2.2
The max-packets option is missing from the pfctl parser. I'm working on a fix.
Updated by Renato Botelho about 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 1f237bb460b8ae7a8803adfb3a8b21b485131ab4.
Updated by Steven Selph about 10 years ago
This change seems to only address half the issue. The max-packets option still seems to be missing, or is that something that isn't done in the pfSense source? If so, I can test it when the next snapshot is built.
Updated by Renato Botelho about 10 years ago
Steven Selph wrote:
This change seems to only address half the issue. The max-packets option still seems to be missing, or is that something that isn't done in the pfSense source? If so, I can test it when the next snapshot is built.
I already added max-packets to the parser, please try new snapshots that are already available.
Updated by Steven Selph about 10 years ago
This seems to have corrected the syntax issues. There appear to be some performance issues now. I understand some performance hit is to be expected, but this pegs my 1 GHz CPU to 100% with a single machine loading web pages or requesting DNS. I also noticed that the rules created from rules.debug don't have max-packets in them, which might explain it.
@92(1412311190) pass in log quick on em2 inet proto tcp from 192.168.2.0/24 to any flags S/SA keep state label "USER_RULE" divert-to 45164
@93(1412311190) pass in log quick on em2 inet proto udp from 192.168.2.0/24 to any keep state label "USER_RULE" divert-to 45164
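The check Steven did by hand above, comparing the rule written to /tmp/rules.debug with the rules pf actually loaded (the `@92(...)` listing is the form `pfctl -vvsr` prints), can be made repeatable. The script below is an added example for this ticket; it is not pfSense or pf code and nothing in it is from the project. It pairs generated and loaded rules by tracker id, because pf expands `proto { tcp udp }` into two loaded rules that share one tracker, and reports any state option (here max-packets) or divert port that did not survive loading. The two sample inputs are constructed from the rule listings pasted in this thread; the function names are the example's own.

```python
"""Verify that state options in a generated pf rule survive into the loaded
ruleset. Added example for pfSense bug #3921, not pfSense or pf code.
Sample inputs are constructed from the rules pasted in the ticket."""
import re

# Constructed sample of the generated rule quoted in this ticket.
RULES_DEBUG = (
    'pass in log quick on $GUEST inet proto { tcp udp } from 192.168.2.1/24 '
    'to any divert 45164 tracker 1412311190 keep state ( max-packets 8 ) '
    'label "USER_RULE"\n'
)

# Constructed sample of the loaded rules pasted above: pf expanded the
# { tcp udp } list into two rules that share the same tracker id.
LOADED_RULES = (
    '@92(1412311190) pass in log quick on em2 inet proto tcp from 192.168.2.0/24 '
    'to any flags S/SA keep state label "USER_RULE" divert-to 45164\n'
    '@93(1412311190) pass in log quick on em2 inet proto udp from 192.168.2.0/24 '
    'to any keep state label "USER_RULE" divert-to 45164\n'
)

STATE_BLOCK_RE = re.compile(r"\b(?:keep|modulate|synproxy) state\s*\(([^)]*)\)")
TRACKER_RE = re.compile(r"\btracker (\d+)\b")
LOADED_RE = re.compile(r"^@(\d+)\((\d+)\)\s+(.*)$")
# pfSense's generated syntax is "divert PORT"; pf prints it back as "divert-to PORT".
DIVERT_RE = re.compile(r"\bdivert(?:-to)?\s+(\d+)\b")
VALUE_RE = re.compile(r"\d+(?:/\d+)?")


def parse_state_opts(rule):
    """Return the options inside 'keep state ( ... )' as a dict.

    Options with a numeric argument ("max-packets 8", "max 1000",
    "max-src-conn-rate 10/5") map to that argument as a string; bare words
    ("sloppy", "no-sync") map to True. A rule without a parenthesised
    block yields {}. Keyword-valued options such as "source-track rule"
    come out as two bare words, which is good enough for a diff.
    """
    m = STATE_BLOCK_RE.search(rule)
    if not m:
        return {}
    tokens = m.group(1).replace(",", " ").split()
    opts = {}
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if i + 1 < len(tokens) and VALUE_RE.fullmatch(tokens[i + 1]):
            opts[key] = tokens[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def divert_port(rule):
    m = DIVERT_RE.search(rule)
    return int(m.group(1)) if m else None


def parse_generated(text):
    """Map tracker id -> {opts, divert} for each rules.debug line carrying a tracker."""
    generated = {}
    for line in text.splitlines():
        m = TRACKER_RE.search(line)
        if m:
            generated[m.group(1)] = {"opts": parse_state_opts(line),
                                     "divert": divert_port(line)}
    return generated


def parse_loaded(text):
    """Map tracker id -> list of loaded rules; @num is pf's rule number."""
    loaded = {}
    for line in text.splitlines():
        m = LOADED_RE.match(line.strip())
        if not m:
            continue
        num, tracker, body = int(m.group(1)), m.group(2), m.group(3)
        loaded.setdefault(tracker, []).append({"num": num,
                                               "opts": parse_state_opts(body),
                                               "divert": divert_port(body)})
    return loaded


def find_dropped_options(generated, loaded):
    """Return one finding per loaded rule whose state options or divert port
    differ from the generated rule with the same tracker id."""
    findings = []
    for tracker, gen in generated.items():
        for rule in loaded.get(tracker, []):
            lost = sorted(k for k, v in gen["opts"].items()
                          if rule["opts"].get(k) != v)
            divert_ok = rule["divert"] == gen["divert"]
            if lost or not divert_ok:
                findings.append({"num": rule["num"], "tracker": tracker,
                                 "lost": lost, "divert_ok": divert_ok})
    return findings


if __name__ == "__main__":
    gen = parse_generated(RULES_DEBUG)
    for f in find_dropped_options(gen, parse_loaded(LOADED_RULES)):
        print("rule @%d (tracker %s): lost %s, divert %s" % (
            f["num"], f["tracker"], ", ".join(f["lost"]) or "nothing",
            "ok" if f["divert_ok"] else "MISMATCH"))
```

On a live box the two inputs would be read from /tmp/rules.debug and from `pfctl -vvsr`; the script only parses text, so it runs anywhere and needs no pf. With the samples above it reports both @92 and @93 as having lost max-packets while the divert port matched, which is exactly the state this comment describes.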
Updated by Renato Botelho about 10 years ago
- Status changed from Feedback to New
Updated by Renato Botelho about 10 years ago
- Assignee changed from Renato Botelho to Ermal Luçi
Ermal Luçi, are you aware of these performance issues?
Updated by Ermal Luçi about 10 years ago
- Status changed from New to Feedback
It's expected, and resolving this is not in the plan for 2.2.
Also that is not what this ticket is about.
Updated by Chris Buechler about 10 years ago
- Status changed from Feedback to Resolved
Issue here is resolved.