Regression #14039
Updated by Marcos M almost 2 years ago
Upload traffic is not limited if the rule passing the traffic uses @route-to@. This last worked in pfSense+ 22.01 and pfSense CE 2.6.0.

See https://redmine.pfsense.org/issues/13026#note-15:

> Essentially what happens is that we have two states:
> <pre>
all tcp 10.0.2.1:5201 <- 192.168.1.100:44607       ESTABLISHED:ESTABLISHED
   [2078351244 + 3221291264] wscale 6  [1276678361 + 2419064832] wscale 6
   age 00:00:03, expires in 24:00:00, 122313:60993 pkts, 183465201:3171644 bytes, rule 81
   id: a5627f6300000000 creatorid: a17f7a2e gateway: 1.0.2.1
   origif: vtnet2
all tcp 1.0.2.78:50878 (192.168.1.100:44607) -> 10.0.2.1:5201       ESTABLISHED:ESTABLISHED
   [1276678361 + 2419064832] wscale 6  [2078351244 + 3221291264] wscale 6
   age 00:00:03, expires in 24:00:00, 122313:60993 pkts, 183465201:3171644 bytes, rule 77
   id: a6627f6300000000 creatorid: a17f7a2e gateway: 1.0.2.1
   origif: vtnet0
</pre>
> The first state is created by the rule with the limiter, but because that rule also does route-to the packet is passed through pf_test() a second time, which creates the second state. That second state is created by a rule which doesn't have the limiter associated, and that means that when it matches the limiter is not applied. It's that second state that ends up matching incoming packets, so the limiter doesn't get applied there.
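
The double-state condition in the quoted note can be spotted in a state dump by grouping states per connection and comparing the rule that created each one. The script below is an added example, not part of the issue or of pfSense; it assumes the states were printed in the @pfctl -vvss@ layout, embeds the two states quoted above as sample input, and its function names (@parse_states@, @split_rule_flows@) are hypothetical.

```python
import re
from collections import defaultdict

# The two states quoted in the issue, laid out as `pfctl -vvss` prints them (assumed source).
SAMPLE = """\
all tcp 10.0.2.1:5201 <- 192.168.1.100:44607       ESTABLISHED:ESTABLISHED
   [2078351244 + 3221291264] wscale 6  [1276678361 + 2419064832] wscale 6
   age 00:00:03, expires in 24:00:00, 122313:60993 pkts, 183465201:3171644 bytes, rule 81
   id: a5627f6300000000 creatorid: a17f7a2e gateway: 1.0.2.1
   origif: vtnet2
all tcp 1.0.2.78:50878 (192.168.1.100:44607) -> 10.0.2.1:5201       ESTABLISHED:ESTABLISHED
   [1276678361 + 2419064832] wscale 6  [2078351244 + 3221291264] wscale 6
   age 00:00:03, expires in 24:00:00, 122313:60993 pkts, 183465201:3171644 bytes, rule 77
   id: a6627f6300000000 creatorid: a17f7a2e gateway: 1.0.2.1
   origif: vtnet0
"""

# Header line: ifname proto addr [(pre-NAT addr)] direction addr
HEAD = re.compile(r"^(\S+) (\S+) (\S+)(?: \(([^)\s]+)\))? (<-|->) (\S+)")

def parse_states(text):
    """Return one dict per state: flow key, direction, creating rule, gateway, origif."""
    states = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            _, proto, left, pre_nat, direction, right = m.groups()
            # "->": left is the source (pre-NAT address in parentheses); "<-": right is.
            src, dst = (pre_nat or left, right) if direction == "->" else (right, left)
            states.append({"flow": (proto, src, dst), "dir": direction})
        elif states:
            for key, pat in (("rule", r"\brule (\d+)"), ("gateway", r"gateway: (\S+)"),
                             ("origif", r"origif: (\S+)")):
                hit = re.search(pat, line)
                if hit:
                    states[-1][key] = hit.group(1)
    return states

def split_rule_flows(states):
    """Flows tracked by more than one state whose creating rules differ."""
    by_flow = defaultdict(list)
    for s in states:
        by_flow[s["flow"]].append(s)
    return {f: ss for f, ss in by_flow.items()
            if len({s.get("rule") for s in ss}) > 1}

if __name__ == "__main__":
    for flow, ss in split_rule_flows(parse_states(SAMPLE)).items():
        print(flow, [(s["dir"], s.get("rule"), s.get("origif")) for s in ss])
```

A flagged flow only shows that two different rules created its states; whether the second rule lacks the limiter still has to be checked against the ruleset.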