Quick option on Floating Queue rule
-
Hi,
I have set up the following rules:
pfctl -sr | grep queue
match quick inet proto tcp from 192.168.1.100 to any label "USER_RULE" queue qTest
When I do a wget from 192.168.1.100, download traffic goes to LAN.qTest and the Acks go to WAN.qTest as expected.
When I add a rule for traffic going out to port HTTP, resulting in these floating rules:
pfctl -sr | grep queue
match quick inet proto tcp from 192.168.1.100 to any label "USER_RULE" queue qTest
match proto tcp from any to any port = http label "USER_RULE" queue qHigh
all the wget traffic from 192.168.1.100 suddenly goes to qHigh!
Does the Quick-option not prevent further evaluating Floating Queue rules after a match?
Seems to be the same issue as here: http://redmine.pfsense.org/issues/1304
-
Last I knew, the quick option did not work on match/queue rules, only pass/block.
-
Maybe the Docs should be updated then
http://doc.pfsense.org/index.php/What_are_Floating_Rules%3F
Floating rules are parsed before rules on other interfaces. Thus, if a packet matches a floating rule and the Quick option is active on that rule, pfsense will not attempt to filter that packet against any rule on any other interface.
-
Added a note to the page about that.
-
jimp,
Just to clarify: does the statement "Rules using the Queue action do not work with 'quick' checked." mean that the rule is completely ignored or just that the 'quick' option is ignored if checked?
-
I believe it is the latter. But I don't have a way to test it quickly to say for certain.
-
My first post states that:
I have set up the following rules:
pfctl -sr | grep queue
match quick inet proto tcp from 192.168.1.100 to any label "USER_RULE" queue qTest
When I do a wget from 192.168.1.100, download traffic goes to LAN.qTest and the Acks go to WAN.qTest as expected.
So I can confirm the queue-rule with quick set still works!
-
Yes, you are right.
Maybe jimp could change the wording of the statement to avoid any confusion (at least for me).
Thanks