5. Firewall syntax error on applying limiter

Firewall syntax error on applying limiter

  • B

    Good time of the day!

    There is a problem with the firewall when it comes to limiting the bandwidth.
    Bug initially reported here: https://forum.pfsense.org/index.php?topic=74238.msg407759#msg407759

    Steps to reproduce:
    1. Create a limiter in "Firewall - Traffic Shaper - Limiter". In my case I made a simple 10 Mbps limit for all traffic, without any extra parameters, called it "10Mbps"
    2. Assign the created limiter to any rule as the "In" queue (in "Advanced features - In/Out")
    3. Save the rule and apply changes

    Expected results:
    Bandwidth is limited to 10 Mbps for traffic matching the rule, no errors are produced.

    Actual result:
    Rules are not applied, an error occurs:

    [ There were error(s) loading the rules: /tmp/rules.debug:145: syntax error - The line in question reads [145]: pass in quick on $LAN inet from 192.168.1.0/24 to any tracker 1396966525 keep state dnpipe ( 1) label USER_RULE: Default allow LAN to any rule]

    Reproducible on a clean install of:

    2.2-ALPHA (amd64)
    built on Sun Apr 6 20:41:07 CDT 2014

    with the simplest configuration of two interfaces (WAN, LAN).

    0
  • I

    I made a bug for this one, but I believe the devs are already aware of it:

    https://redmine.pfsense.org/issues/3579

    0
  • P

    I get the same thing with the same sort of simple configuration.
    /tmp/rules.limiter has:

    pipe 1 config  bw 1Mb

    When I do

    /sbin/ipfw /tmp/rules.limiter

    there is no error, and a pipe is created:

    /sbin/ipfw pipe list
00001:   1.000 Mbit/s    0 ms burst 0
q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active

    I will stop there. I have a feeling that I need to be able to see what has happened in "pf". I have no access to pfSense-tools, so I cannot dig any deeper. Would love to help, but have been locked out. Very frustrating on an "open-source" project.
    (And it has been so long waiting for this to be resolved that I am going to keep putting comments like this whenever I run up against the wall. Initially I was happy to wait a bit and see, but it has been too long. I sent a request for access over a week ago and have heard nothing, not even an acknowledgement that my request was received.)

    0
  • E

    Fixed.
    Newer snapshots will not have this issue anymore.

    0
  • P

    2.2-ALPHA (i386)
    built on Mon Apr 14 15:07:07 CDT 2014
    FreeBSD 10.0-STABLE

    A simple limiter rule like this is loaded without error:

    pass  in  quick  on $LAN inet proto tcp  from 10.49.211.0/24 to any tracker 1397532620 flags S/SA keep state  dnpipe ( 1)  label "USER_RULE: Limit DHCP devices"

    Working, thanks

    0
  • B

    Confirmed working as well, thank you fox the fix!

    2.2-ALPHA (amd64)
    built on Wed Apr 16 18:14:39 CDT 2014
    FreeBSD 10.0-STABLE

    0
  • I

    Also working here, thanks.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy