Bug #7594
"vtnet: driver does not support altq" following upgrade to 2.4 (worked in pfSense 2.3)
Status: closed
Description
Decided to try 2.4 today so I upgraded a clone of my 2.3.5 snapshot firewall. The upgrade went reasonably well, except for an issue with ALTQ support and vtnet(4) that silently prevented the firewall from loading any rules.
I was running ALTQ on my 2.3.5 system with no issues, but ALTQ is definitely broken on vtnet on 2.4. Silent breakage of the firewall is a somewhat catastrophic side-effect - perhaps this should be a separate bug report?
A search of previously reported bugs shows similar issues #7219 and #3770.
Affected release:
2.4.0-BETA (amd64)
built on Sat May 20 19:05:22 CDT 2017
FreeBSD 11.0-RELEASE-p10
Alerts similar to the following were present in the logs:
May 21 15:44:01 pfsense php-fpm59113: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: vtnet1: driver does not support altq - The line in question reads [0]:
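An added example (not part of the original report, and not pfSense code): a shell check that scans system log text for the rule-load alert quoted above and lists the interfaces pfctl rejected for ALTQ. The log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect failed pf rule loads caused by ALTQ on an
# interface whose driver lacks ALTQ support.
# SAMPLE_LOG is constructed, modelled on the alert quoted in the report.
SAMPLE_LOG='May 21 15:43:10 pfsense check_reload_status: Reloading filter
May 21 15:44:01 pfsense php-fpm[59113]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: vtnet1: driver does not support altq - The line in question reads [0]:
May 21 15:49:12 pfsense php-fpm[60122]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: vtnet0: driver does not support altq - The line in question reads [0]:
May 21 15:55:40 pfsense php-fpm[60122]: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: pfctl: vtnet1: driver does not support altq - The line in question reads [0]:'

# Read syslog text on stdin; print "interface count" for every interface
# that pfctl refused because its driver does not support ALTQ.
altq_load_failures() {
    sed -n 's/.*error(s) loading the rules: pfctl: \([^:]*\): driver does not support altq.*/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Read syslog text on stdin; return 0 when no rule-load error is present
# and 1 otherwise, so the function can gate a monitoring check.
ruleset_load_ok() {
    ! grep -q 'There were error(s) loading the rules'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | altq_load_failures
if printf '%s\n' "$SAMPLE_LOG" | ruleset_load_ok; then
    echo "ruleset load: ok"
else
    echo "ruleset load: FAILED, firewall rules may not be active"
fi
```

On a live system the same functions would be fed the system log instead of the sample; a non-zero result from `ruleset_load_ok` is the condition the report describes as silent.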
Updated by T S about 7 years ago
I can confirm that Traffic Shaping is broken on VTNET Interfaces.
If active the Firewall / PortForward Rules don't work.
System:
Virtualized on Proxmox 5.0
2.4.0-RC (amd64)
built on Fri Sep 15 16:04:53 CDT 2017
FreeBSD 11.0-RELEASE-p12
Updated by John Silva about 7 years ago
What are the chances of getting this fixed for 2.4-RELEASE? Similar bugs (https://redmine.pfsense.org/issues/7869) seem to be getting more love.
Updated by Jim Pingle about 7 years ago
- Target version changed from 2.4.1 to 2.4.2
Updated by Casey Stone about 7 years ago
Hello -- yes, this hit me just now. A bit painful and surprising. For now I deactivated traffic shaping and it seems to have started working. I hope this gets fixed soon. Thanks.
Updated by Luiz Souza about 7 years ago
- Assignee changed from Renato Botelho to Luiz Souza
Updated by Luiz Souza about 7 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed in the next snapshot.
Updated by Luiz Souza about 7 years ago
- Status changed from Feedback to Resolved
Updated by T S about 7 years ago
T S wrote:
I can confirm that Traffic Shaping is broken on VTNET Interfaces.
If active the Firewall / PortForward Rules don't work.
System:
Virtualized on Proxmox 5.0
2.4.0-RC (amd64)
built on Fri Sep 15 16:04:53 CDT 2017
FreeBSD 11.0-RELEASE-p12
Hello,
the issue still exists with the newest 2.4.2 snapshot (tested yesterday).
Virtualized pfsense with virtio driver on proxmox VE 5.0
Thank you,
Updated by John Silva about 7 years ago
Just updated to current and traffic shaping is still working for me. Maybe your queue config is triggering something mine is not. Below is my config for reference.
[2.4.2-DEVELOPMENT][root@firewall]/root: uname -a
FreeBSD firewall 11.1-RELEASE-p3 FreeBSD 11.1-RELEASE-p3 #364 r313908+eb0c0028f5c(RELENG_2_4): Fri Nov 3 23:02:31 CDT 2017 root@buildbot2.netgate.com:/builder/ce/tmp/obj/builder/ce/tmp/FreeBSD-src/sys/pfSense amd64
[2.4.2-DEVELOPMENT][root@firewall]/root: pfctl -sa | grep queue
match on vtnet1 inet proto tcp from any to any port 6880 >< 7000 flags S/SA label "USER_RULE: m_P2P BitTorrent outbound" queue qP2P
match on vtnet1 inet proto udp from any to any port 6880 >< 7000 label "USER_RULE: m_P2P BitTorrent outbound" queue qP2P
match on vtnet1 inet proto tcp from any to any port 10039 >< 10061 flags S/SA label "USER_RULE: m_Game PS-Network-TCP outbound" queue(qGames, qACK)
match on vtnet1 inet proto udp from any to any port 49999 >< 60001 label "USER_RULE: m_Game PS-Network-UDP outbound" queue qGames
match on vtnet1 inet proto tcp from any to any port 3477 >< 3481 flags S/SA label "USER_RULE: m_Game PS-Home-TCP-1 outbound" queue(qGames, qACK)
match on vtnet1 inet proto tcp from any to any port = 8080 flags S/SA label "USER_RULE: m_Game PS-Home-TCP-2 outbound" queue(qGames, qACK)
match on vtnet1 inet proto tcp from any to any port = 5223 flags S/SA label "USER_RULE: m_Game PS-TCP-1 outbound" queue(qGames, qACK)
match on vtnet1 inet proto tcp from any to any port 10069 >< 10081 flags S/SA label "USER_RULE: m_Game PS-TCP-2 outbound" queue(qGames, qACK)
match on vtnet1 inet proto udp from any to any port 3477 >< 3480 label "USER_RULE: m_Game PS-UDP-1 outbound" queue qGames
match on vtnet1 inet proto udp from any to any port = 3658 label "USER_RULE: m_Game PS-UDP-2 outbound" queue qGames
match on vtnet1 inet proto udp from any to any port = 10070 label "USER_RULE: m_Game PS-UDP-3 outbound" queue qGames
match on vtnet1 inet proto tcp from any to any port = 9293 flags S/SA label "USER_RULE: m_Game PS-RemotePlay outbound" queue(qGames, qACK)
match on vtnet1 inet proto tcp from any to any port = http flags S/SA label "USER_RULE: m_Other HTTP outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = https flags S/SA label "USER_RULE: m_Other HTTPS outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = smtp flags S/SA label "USER_RULE: m_Other SMTP outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = smtps flags S/SA label "USER_RULE: m_Other SMTP-Secure-1 outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = submission flags S/SA label "USER_RULE: m_Other SMTP-Secure-2 outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = imap flags S/SA label "USER_RULE: m_Other IMAP outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = imaps flags S/SA label "USER_RULE: m_Other IMAP-Secure outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = 5223 flags S/SA label "USER_RULE: m_Other APNS outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port 2194 >< 2197 flags S/SA label "USER_RULE: m_Other APNS outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = 4282 flags S/SA label "USER_RULE: m_Other CrashPlan-1 outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = 4285 flags S/SA label "USER_RULE: m_Other CrashPlan-2 outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto tcp from any to any port = domain flags S/SA label "USER_RULE: m_Other DNS1 outbound" queue(qOthersHigh, qACK)
match on vtnet1 inet proto udp from any to any port = domain label "USER_RULE: m_Other DNS2 outbound" queue qOthersHigh
match on vtnet1 inet proto tcp from any to any port = git flags S/SA label "USER_RULE: m_Other git outbound" queue(qOthersHigh, qACK)
queue qACK on vtnet1 priority 6 priq( red ecn )
queue qDefault on vtnet1 priority 3 priq( red ecn default )
queue qP2P on vtnet1 priq( red ecn )
queue qGames on vtnet1 priority 5 priq( red ecn )
queue qOthersHigh on vtnet1 priority 4 priq( red ecn )
queue qOthersLow on vtnet1 priority 2 priq( red ecn )
queue qLink on vtnet0 priority 2 qlimit 500 priq( red ecn default )
queue qACK on vtnet0 priority 6 priq( red ecn )
queue qP2P on vtnet0 priq( red ecn )
queue qGames on vtnet0 priority 5 priq( red ecn )
queue qOthersHigh on vtnet0 priority 4 priq( red ecn )
queue qOthersLow on vtnet0 priority 3 priq( red ecn )
queue qLink on vtnet0.10 priority 2 qlimit 500 priq( red ecn default )
queue qACK on vtnet0.10 priority 6 priq( red ecn )
queue qP2P on vtnet0.10 priq( red ecn )
queue qGames on vtnet0.10 priority 5 priq( red ecn )
queue qOthersHigh on vtnet0.10 priority 4 priq( red ecn )
queue qOthersLow on vtnet0.10 priority 3 priq( red ecn )
queue qLink on vtnet2 priority 2 qlimit 500 priq( red ecn default )
queue qACK on vtnet2 priority 6 priq( red ecn )
queue qP2P on vtnet2 priq( red ecn )
queue qGames on vtnet2 priority 5 priq( red ecn )
queue qOthersHigh on vtnet2 priority 4 priq( red ecn )
queue qOthersLow on vtnet2 priority 3 priq( red ecn )