From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 275280] PF `route-to` and `dnpipe` are not works on the same rule
Date: Thu, 23 Nov 2023 13:31:00 +0000
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=275280

            Bug ID: 275280
           Summary: PF `route-to` and `dnpipe` are not works on the same rule
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: burak.sn@outlook.com
                CC: pf@FreeBSD.org

Hi,

I am trying to implement IP-based speed limiting on PF using the `route-to` and
`dnpipe` options simultaneously within a single PF rule.

igc0(WAN2) ---- ip: 192.168.11.240/24 gw: 192.168.11.1
(default gw)pppoe_igc1(WAN1) ---- 88.88.88.88/32 --> 100.64.255.2
igc3(LAN) ---- ip: 192.168.1.1/24

When I didn't use `route-to`, the traffic passed through the default gateway,
and speed limiting worked successfully.

pass in log quick on igc3 inet from 192.168.1.236 to any flags S/SA keep state label "user_rule_98" ridentifier 98 dnpipe(1006, 6)

However, when I applied both route-to and dnpipe options, the traffic was
recognized by PF as coming from WAN2 (igc0), as shown in the tcpdump logs
below, and the traffic didn't pass through WAN2. WAN2 was forced to pass
through WAN1 by route-to.

pass in log quick on igc3 route-to (igc0 192.168.11.1) inet from 192.168.1.236 to any flags S/SA keep state label "user_rule_99" ridentifier 99 dnpipe(1006, 6)

Thanks in advance.

# tcpdump -i pppoe_igc1 icmp and host 8.8.8.8 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on pppoe_igc1, link-type NULL (BSD loopback), snapshot length 262144 bytes
15:52:28.652269 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 102, length 64
15:52:29.654263 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 103, length 64
15:52:30.658265 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 104, length 64

##dnpipe limiters##

# dnctl pipe 6 show
00006: 10.000 Mbit/s 0 ms burst 0
q131078 50 sl. 0 flows (1 buckets) sched 65542 weight 0 lmax 0 pri 0 droptail
 sched 65542 type FIFO flags 0x1 64 buckets 0 active
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000

# dnctl pipe 1006 show
01006: 512.000 Kbit/s 0 ms burst 0
q132078 50 sl. 0 flows (1 buckets) sched 66542 weight 0 lmax 0 pri 0 droptail
 sched 66542 type FIFO flags 0x1 64 buckets 0 active
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000

-- 
You are receiving this mail because:
You are on the CC list for the bug.
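Added example, not part of the original report and not FreeBSD project code: a Python check that automates the comparison made by eye in the capture above, flagging packets seen on one interface whose source address belongs to another interface's network. The function and variable names are hypothetical; the address plan and capture lines are copied from the report.

```python
import ipaddress
import re

# Address plan copied from the report: interface -> attached network.
IFACE_NETS = {
    "igc0": ipaddress.ip_interface("192.168.11.240/24").network,     # WAN2
    "pppoe_igc1": ipaddress.ip_interface("88.88.88.88/32").network,  # WAN1
    "igc3": ipaddress.ip_interface("192.168.1.1/24").network,        # LAN
}

# tcpdump -n output quoted in the report (captured on pppoe_igc1).
CAPTURE = """\
listening on pppoe_igc1, link-type NULL (BSD loopback), snapshot length 262144 bytes
15:52:28.652269 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 102, length 64
15:52:29.654263 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 103, length 64
15:52:30.658265 IP 192.168.11.240 > 8.8.8.8: ICMP echo request, id 50880, seq 104, length 64
"""

# "HH:MM:SS.usec IP src[.port] > dst[.port]:" as printed by tcpdump -n for IPv4.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
)


def owner_of(addr):
    """Name of the interface whose network contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in IFACE_NETS.items() if ip in net), None)


def misrouted(capture_if, text):
    """Packets seen on capture_if whose source belongs to another interface."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # banner lines and anything that is not an IPv4 packet
        owner = owner_of(m["src"])
        if owner is not None and owner != capture_if:
            hits.append((m["ts"], m["src"], owner))
    return hits


if __name__ == "__main__":
    for ts, src, owner in misrouted("pppoe_igc1", CAPTURE):
        print(f"{ts} src {src} is on {owner}'s network but left via pppoe_igc1")
```

Running the same check on a capture taken on igc0 gives no hits for these packets, which is the result expected when `route-to` is honoured.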