Project

General

Profile

Actions

Bug #670

closed

Diffserv Code Point in firewall rule isn't match with the result of "pfctl-sr"

Added by Lulik Kurnianto over 14 years ago. Updated about 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Traffic Shaper (ALTQ)
Target version:
Start date:
06/17/2010
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

http://forum.pfsense.org/index.php/topic,26044.0.html

when I cretaed a rule with "Diffserv Code Point" like here :

/tmp/rules.debug
pass out quick on { re0 } proto tcp from any to 192.168.55.0/24 dscp af12 flags S/SA keep state queue (local) label "USER_RULE"

#pfctl -sr
pass out quick on re0 inet proto tcp from any to 192.168.55.0/24 flags S/SA dscp 0x30 keep state label "USER_RULE" queue local

dscp 0x30 is not true mapping of dscp af12 ,
Here are the mapping of dscp and TOS in hex and binnary format.
TOS hex binary DSCP hex binary Classid AFClass
40 0x28 00101000 10 0x0a 00001010 1:111 AF 11
48 0x30 00110000 12 0x0c 00001100 1:112 AF 12
56 0x38 00111000 14 0x0e 00001110 1:113 AF 13
72 0x48 01001000 18 0x12 00010010 1:121 AF 21
80 0x50 01010000 20 0x14 00010100 1:122 AF 22
88 0x58 01011000 22 0x16 00010110 1:123 AF 23
104 0x68 01101000 26 0x1a 00011010 1:131 AF 31
112 0x70 01110000 28 0x1c 00011100 1:132 AF 32
120 0x78 01111000 30 0x1e 00011110 1:133 AF 33
136 0x88 10001000 34 0x22 00100010 1:141 AF 41
144 0x90 10010000 36 0x24 00100100 1:142 AF 42
152 0x98 10011000 38 0x26 00100110 1:143 AF 43

Actions #1

Updated by Ermal Luçi over 14 years ago

  • Status changed from New to Feedback

We have these defined now:

#define DSCP_MASK       0xfc
#define DSCP_CUMASK     0x03
#define DSCP_EF         0xb8
#define DSCP_AF11       0x28
#define DSCP_AF12       0x30
#define DSCP_AF13       0x38
#define DSCP_AF21       0x48
#define DSCP_AF22       0x50
#define DSCP_AF23       0x58
#define DSCP_AF31       0x68
#define DSCP_AF32       0x70
#define DSCP_AF33       0x78
#define DSCP_AF41       0x88
#define DSCP_AF42       0x90
#define DSCP_AF43       0x98
#define AF_CLASSMASK            0xe0
#define AF_DROPPRECMASK         0x18

I think those are correct. So for me nothing need to be patched.

Actions #2

Updated by Ermal Luçi over 14 years ago

For history ticket #582 has useful links.

Actions #3

Updated by Ermal Luçi about 14 years ago

  • Status changed from Feedback to Closed

The issue is that you are doing the calculation wrong.
AFAIK dscp values you see on Cisco site you have to add 00 at the end and not at the beggining.
So from cisco site

af12     Match packets with AF12 dscp (001100)

the real value(byte value) is in binary(00110000) and in hex(0x30) though for printing purposes the context is the real byte.
I would not like to make this printed as it was 0x0C since that value is with bit rotation right 2(>> 2) and is confusing but our definition is correct.

Actions

Also available in: Atom PDF