Hi all,
Wondering if anyone else has come across weirdness with queueing IPv6
traffic with PF / PFSense at all (or could perhaps point out my derps)? :)
As far as I can tell, 'Match' rules just plain don't seem to work to queue
v6 traffic, whereas they work just fine with v4. Behaviour seems to be
the same on 2.1 and 2.1.1.
In the process of trying to hunt down where this is going wrong, I've got:
A match rule for all IPv4 TCP [From rules.debug]:
match log on { bge0 } inet proto tcp from any to any flags S/SA queue (qIPV4,qACK) label "USER_RULE: Match v4 TCP LAN"
.... This works fine, all v4/TCP traffic matches and falls into the
qIPV4 queue just as it should do. No issues here.
However with a match rule for all IPv6 TCP [From rules.debug]:
match log on { bge0 } inet6 proto tcp from any to any flags S/SA queue (qIPV6,qACK) label "USER_RULE: Match v6 TCP LAN"
.... This doesn't cause IPv6 traffic to fall into the qIPV6 queue as you
would expect - it just hits the default queue. :(
The rule seems to have gone in just fine:
[2.1.1-RELEASE][[email protected]]/root(8): pfctl -vvvs rules | grep 'inet6 proto tcp all'
@64 match log on bge0 inet6 proto tcp all flags S/SA label "USER_RULE: Match v6 TCP LAN" queue(qIPV6, qACK)
And furthermore, traffic seems to match the rule just fine too:
[2.1.1-RELEASE][[email protected]]/root(1): tcpdump -n -e -ttt -i pflog0
<snip>
00:00:23.541557 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.633186 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.664269 rule 64/0(match): unkn(11) in on bge0: [|ip6]
<snip>
.... yet the v6 traffic always just falls into the Default queue all
the same, whereas v4 traffic ends up queued in the specified queue perfectly.
It seems I can make IPv6 traffic match a queue by using Pass/Quick:
pass log quick on { bge0 } inet6 proto tcp from any to 2001:4db0:10:1::2 flags S/SA keep state queue (qIPV6,qACK) label "USER_RULE: Pass/Quick"
.... This does seem to drop traffic to this destination into the correct
queue as expected, but this breaks the nice flexibility of being able to
have a whole pile of 'Floating' Match rules for traffic shaping coupled
with 'Interface' Pass / Drop rules to actually firewall traffic as required.
My google-fu seems to be failing me on finding much in the way of help
on this one, so if anyone has any thoughts - they would be greatly
appreciated.
Many thanks! :)
Giles.
_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
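The pflog output above only proves that rule 64 fired, not which queue the packets ended up in. A direct check is to snapshot the per-queue packet counters from `pfctl -vvsq` before and after sending one test flow and see which queue grew. The script below is an added example, not part of Giles' post or of pfSense; the two snapshots are constructed and the counter line format (`[ pkts: N bytes: N ... ]`) is assumed from ALTQ output on pfSense 2.1.

```sh
#!/bin/sh
# Constructed `pfctl -vvsq` snapshots (format assumed; real counters differ).
BEFORE='queue root_bge0 on bge0 bandwidth 100Mb priority 0 {qACK, qDefault, qIPV4, qIPV6}
  [ pkts:          0  bytes:          0  dropped pkts:      0 bytes:      0 ]
queue  qACK on bge0 bandwidth 10Mb priority 7
  [ pkts:       1200  bytes:      80000  dropped pkts:      0 bytes:      0 ]
queue  qDefault on bge0 bandwidth 10Mb priority 1 default
  [ pkts:       5000  bytes:    4000000  dropped pkts:      0 bytes:      0 ]
queue  qIPV4 on bge0 bandwidth 40Mb priority 3
  [ pkts:       9000  bytes:    9000000  dropped pkts:      0 bytes:      0 ]
queue  qIPV6 on bge0 bandwidth 40Mb priority 3
  [ pkts:        310  bytes:     250000  dropped pkts:      0 bytes:      0 ]'
# Same box after one IPv6 TCP test flow: qDefault and qACK grew, qIPV6 did not.
AFTER=$(printf '%s\n' "$BEFORE" | sed -e 's/ 1200 / 1250 /' -e 's/ 5000 / 5800 /')

# Print "queue pkts" for every queue in pfctl -vvsq output read from stdin.
queue_pkts() {
    awk '/^queue/ { q = $2 } /^ *\[ pkts:/ { print q, $3 }'
}

# Print "queue delta" for each queue whose packet count grew between
# snapshot $1 and snapshot $2.
queue_delta() {
    {
        printf '%s\n' "$1" | queue_pkts | sed 's/^/B /'
        printf '%s\n' "$2" | queue_pkts | sed 's/^/A /'
    } | awk '$1 == "B" { b[$2] = $3 }
             $1 == "A" { d = $3 - b[$2]; if (d > 0) print $2, d }'
}

# Return 0 if queue $3 received packets between the snapshots, else report
# where the growth actually went and return 1.
check_queue() {
    hit=$(queue_delta "$1" "$2" | awk -v q="$3" '$1 == q { print $2 }')
    if [ -n "$hit" ]; then
        echo "ok: $hit new packets landed in $3"
        return 0
    fi
    echo "no new packets in $3; growth seen in:"
    queue_delta "$1" "$2" | sed 's/^/  /'
    return 1
}

# Demo on the constructed snapshots. A live run is:
#   B=$(pfctl -vvsq); <open one v6 TCP connection>; A=$(pfctl -vvsq)
#   check_queue "$B" "$A" qIPV6
check_queue "$BEFORE" "$AFTER" qIPV6 || true
```

Run it with a single known flow so the deltas are attributable to that flow rather than to background traffic.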