Date:      Thu, 23 Nov 2023 13:31:00 +0000
From:      bugzilla-noreply@freebsd.org
To:        pf@FreeBSD.org
Subject:   [Bug 275280] PF `route-to` and `dnpipe` are not works on the same rule
Message-ID:  <bug-275280-16861@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275280

            Bug ID: 275280
           Summary: PF `route-to` and `dnpipe` are not works on the same
                    rule
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: burak.sn@outlook.com
                CC: pf@FreeBSD.org

Hi,

I am trying to implement IP-based speed limiting on PF using the `route-to` and
`dnpipe` options simultaneously within a single PF rule.


igc0(WAN2) ---- ip: 192.168.11.240/24  gw: 192.168.11.1

(default gw)pppoe_igc1(WAN1) ---- 88.88.88.88/32 --> 100.64.255.2

igc3(LAN) ---- ip: 192.168.1.1/24


When I didn't use `route-to`, the traffic passed through the default gateway,
and speed limiting worked successfully.


pass in log quick on igc3 inet from 192.168.1.236 to any flags S/SA keep state label "user_rule_98" ridentifier 98 dnpipe(1006, 6)

However, when I applied both route-to and dnpipe options, the traffic was
recognized by PF as coming from WAN2 (igc0), as shown in the tcpdump logs
below, and the traffic didn't pass through WAN2.

WAN2 was forced to pass through WAN1 by route-to.

pass in log quick on igc3 route-to (igc0 192.168.11.1) inet from 192.168.1.236 to any flags S/SA keep state label "user_rule_99" ridentifier 99 dnpipe(1006, 6)

Thanks in advance.


# tcpdump -i pppoe_igc1 icmp and host 8.8.8.8 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on pppoe_igc1, link-type NULL (BSD loopback), snapshot length 262144 bytes
15:52:28.652269 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 102, length 64
15:52:29.654263 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 103, length 64
15:52:30.658265 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 104, length 64


##dnpipe limiters##

# dnctl pipe 6 show
00006:  10.000 Mbit/s    0 ms burst 0
q131078  50 sl. 0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail
 sched 65542 type FIFO flags 0x1 64 buckets 0 active
    mask:  0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

# dnctl pipe 1006 show
01006: 512.000 Kbit/s    0 ms burst 0
q132078  50 sl. 0 flows (1 buckets) sched 66542 weight 0 lmax 0 pri 0 droptail
 sched 66542 type FIFO flags 0x1 64 buckets 0 active
    mask:  0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
