Bug #670
closed
Diffserv Code Point in firewall rule doesn't match the result of "pfctl -sr"
Description
http://forum.pfsense.org/index.php/topic,26044.0.html
When I created a rule with "Diffserv Code Point" like here:
/tmp/rules.debug
pass out quick on { re0 } proto tcp from any to 192.168.55.0/24 dscp af12 flags S/SA keep state queue (local) label "USER_RULE"
#pfctl -sr
pass out quick on re0 inet proto tcp from any to 192.168.55.0/24 flags S/SA dscp 0x30 keep state label "USER_RULE" queue local
dscp 0x30 is not the true mapping of dscp af12.
Here is the mapping of DSCP and TOS in hex and binary format.
TOS  hex   binary    DSCP  hex   binary    Classid  AFClass
40   0x28  00101000  10    0x0a  00001010  1:111    AF 11
48   0x30  00110000  12    0x0c  00001100  1:112    AF 12
56   0x38  00111000  14    0x0e  00001110  1:113    AF 13
72   0x48  01001000  18    0x12  00010010  1:121    AF 21
80   0x50  01010000  20    0x14  00010100  1:122    AF 22
88   0x58  01011000  22    0x16  00010110  1:123    AF 23
104  0x68  01101000  26    0x1a  00011010  1:131    AF 31
112  0x70  01110000  28    0x1c  00011100  1:132    AF 32
120  0x78  01111000  30    0x1e  00011110  1:133    AF 33
136  0x88  10001000  34    0x22  00100010  1:141    AF 41
144  0x90  10010000  36    0x24  00100100  1:142    AF 42
152  0x98  10011000  38    0x26  00100110  1:143    AF 43
Updated by Ermal Luçi over 14 years ago
- Status changed from New to Feedback
We have these defined now:
#define DSCP_MASK 0xfc
#define DSCP_CUMASK 0x03
#define DSCP_EF 0xb8
#define DSCP_AF11 0x28
#define DSCP_AF12 0x30
#define DSCP_AF13 0x38
#define DSCP_AF21 0x48
#define DSCP_AF22 0x50
#define DSCP_AF23 0x58
#define DSCP_AF31 0x68
#define DSCP_AF32 0x70
#define DSCP_AF33 0x78
#define DSCP_AF41 0x88
#define DSCP_AF42 0x90
#define DSCP_AF43 0x98
#define AF_CLASSMASK 0xe0
#define AF_DROPPRECMASK 0x18
I think those are correct. So for me nothing needs to be patched.
Updated by Ermal Luçi over 14 years ago
For history, ticket #582 has useful links.
Updated by Ermal Luçi about 14 years ago
- Status changed from Feedback to Closed
The issue is that you are doing the calculation wrong.
AFAIK, for the dscp values you see on the Cisco site, you have to add 00 at the end and not at the beginning.
So from the Cisco site:
af12 Match packets with AF12 dscp (001100)
the real value (byte value) is in binary (00110000) and in hex (0x30), though for printing purposes the context is the real byte.
I would not like to make this printed as if it was 0x0C, since that value is with bit rotation right 2 (>> 2) and is confusing, but our definition is correct.
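The two notations compared in this ticket, worked through in C as an added example (not code from pfSense or pf). The mask values are the ones quoted in the ticket; the function names are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>

/* Masks as quoted in the ticket; they apply to the full TOS/DS byte. */
#define DSCP_MASK       0xfc
#define AF_CLASSMASK    0xe0
#define AF_DROPPRECMASK 0x18

/* Byte value as printed by "pfctl -sr" -> 6-bit codepoint (vendor-doc style). */
static unsigned tos_to_dscp(uint8_t tos) { return (tos & DSCP_MASK) >> 2; }

/* 6-bit codepoint -> byte value in the IP header (two low bits left clear). */
static uint8_t dscp_to_tos(unsigned dscp) { return (uint8_t)((dscp << 2) & DSCP_MASK); }

/* Byte for AF class cls (1-4) and drop precedence drop (1-3); 0 if invalid. */
static uint8_t af_to_tos(unsigned cls, unsigned drop)
{
    if (cls < 1 || cls > 4 || drop < 1 || drop > 3)
        return 0;
    return (uint8_t)((cls << 5) | (drop << 3));
}

/* Write "afXY" for an AF byte; return 0 on success, -1 if not an AF codepoint. */
static int tos_to_af_name(uint8_t tos, char *buf, size_t len)
{
    unsigned cls = (tos & AF_CLASSMASK) >> 5;
    unsigned drop = (tos & AF_DROPPRECMASK) >> 3;

    /* AF codepoints have the lowest DSCP bit (0x04 of the byte) clear. */
    if ((tos & 0x04) || cls < 1 || cls > 4 || drop < 1 || drop > 3)
        return -1;
    snprintf(buf, len, "af%u%u", cls, drop);
    return 0;
}

int main(void)
{
    char name[8];
    /* Regenerates the twelve AF rows of the table in the description. */
    for (unsigned c = 1; c <= 4; c++)
        for (unsigned d = 1; d <= 3; d++) {
            uint8_t tos = af_to_tos(c, d);
            tos_to_af_name(tos, name, sizeof name);
            printf("%s byte=0x%02x dscp=0x%02x (%u)\n",
                   name, tos, tos_to_dscp(tos), tos_to_dscp(tos));
        }
    return 0;
}
```

When auditing a ruleset, compare the `dscp 0x..` value in `pfctl -sr` output against the byte column, not the 6-bit codepoint column.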