Firewall syntax error on applying limiter
-
Good time of the day!
There is a problem with the firewall when it comes to limiting the bandwidth.
Bug initially reported here: https://forum.pfsense.org/index.php?topic=74238.msg407759#msg407759
Steps to reproduce:
1. Create a limiter in "Firewall - Traffic Shaper - Limiter". In my case I made a simple 10 Mbps limit for all traffic, without any extra parameters, called it "10Mbps"
2. Assign the created limiter to any rule as the "In" queue (in "Advanced features - In/Out")
3. Save the rule and apply changes
Expected results:
Bandwidth is limited to 10 Mbps for traffic matching the rule, no errors are produced.
Actual result:
Rules are not applied, an error occurs:
[ There were error(s) loading the rules: /tmp/rules.debug:145: syntax error - The line in question reads [145]: pass in quick on $LAN inet from 192.168.1.0/24 to any tracker 1396966525 keep state dnpipe ( 1) label USER_RULE: Default allow LAN to any rule]
Reproducible on a clean install of:
2.2-ALPHA (amd64)
built on Sun Apr 6 20:41:07 CDT 2014
with the simplest configuration of two interfaces (WAN, LAN).
-
I made a bug for this one, but I believe the devs are already aware of it:
https://redmine.pfsense.org/issues/3579
-
I get the same thing with the same sort of simple configuration.
/tmp/rules.limiter has:
pipe 1 config bw 1Mb
When I do
/sbin/ipfw /tmp/rules.limiter
there is no error, and a pipe is created:
/sbin/ipfw pipe list
00001: 1.000 Mbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
sched 65537 type FIFO flags 0x0 0 buckets 0 active
I will stop there. I have a feeling that I need to be able to see what has happened in "pf". I have no access to pfSense-tools, so I cannot dig any deeper. Would love to help, but have been locked out. Very frustrating on an "open-source" project.
(And it has been so long waiting for this to be resolved that I am going to keep putting comments like this whenever I run up against the wall. Initially I was happy to wait a bit and see, but it has been too long. I sent a request for access over a week ago and have heard nothing, not even an acknowledgement that my request was received.)
-
Fixed.
Newer snapshots will not have this issue anymore.
-
2.2-ALPHA (i386)
built on Mon Apr 14 15:07:07 CDT 2014
FreeBSD 10.0-STABLE
A simple limiter rule like this is loaded without error:
pass in quick on $LAN inet proto tcp from 10.49.211.0/24 to any tracker 1397532620 flags S/SA keep state dnpipe ( 1) label "USER_RULE: Limit DHCP devices"
Working, thanks
-
Confirmed working as well, thank you for the fix!
2.2-ALPHA (amd64)
built on Wed Apr 16 18:14:39 CDT 2014
FreeBSD 10.0-STABLE
-
Also working here, thanks.