Firewall syntax error on applying limiter



  • Good time of the day!

    There is a problem with the firewall when it comes to limiting the bandwidth.
    Bug initially reported here: https://forum.pfsense.org/index.php?topic=74238.msg407759#msg407759

    Steps to reproduce:
    1. Create a limiter in "Firewall - Traffic Shaper - Limiter". In my case I made a simple 10 Mbps limit for all traffic, without any extra parameters, called it "10Mbps"
    2. Assign the created limiter to any rule as the "In" queue (in "Advanced features - In/Out")
    3. Save the rule and apply changes

    Expected results:
    Bandwidth is limited to 10 Mbps for traffic matching the rule, no errors are produced.

    Actual result:
    Rules are not applied, an error occurs:

    [ There were error(s) loading the rules: /tmp/rules.debug:145: syntax error - The line in question reads [145]: pass in quick on $LAN inet from 192.168.1.0/24 to any tracker 1396966525 keep state dnpipe ( 1) label USER_RULE: Default allow LAN to any rule]
    

    Reproducible on a clean install of:

    2.2-ALPHA (amd64)
    built on Sun Apr 6 20:41:07 CDT 2014

    with the simplest configuration of two interfaces (WAN, LAN).



  • I made a bug for this one, but I believe the devs are already aware of it:

    https://redmine.pfsense.org/issues/3579



  • I get the same thing with the same sort of simple configuration.
    /tmp/rules.limiter has:

    pipe 1 config  bw 1Mb
    
    

    When I do

    /sbin/ipfw /tmp/rules.limiter
    

    there is no error, and a pipe is created:

    /sbin/ipfw pipe list
    00001:   1.000 Mbit/s    0 ms burst 0
    q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
     sched 65537 type FIFO flags 0x0 0 buckets 0 active
    
    

    I will stop there. I have a feeling that I need to be able to see what has happened in "pf". I have no access to pfSense-tools, so I cannot dig any deeper. Would love to help, but have been locked out. Very frustrating on an "open-source" project.
    (And it has been so long waiting for this to be resolved that I am going to keep putting comments like this whenever I run up against the wall. Initially I was happy to wait a bit and see, but it has been too long. I sent a request for access over a week ago and have heard nothing, not even an acknowledgement that my request was received.)



  • Fixed.
    Newer snapshots will not have this issue anymore.



  • 2.2-ALPHA (i386)
    built on Mon Apr 14 15:07:07 CDT 2014
    FreeBSD 10.0-STABLE

    A simple limiter rule like this is loaded without error:

    pass  in  quick  on $LAN inet proto tcp  from 10.49.211.0/24 to any tracker 1397532620 flags S/SA keep state  dnpipe ( 1)  label "USER_RULE: Limit DHCP devices"
    

    Working, thanks



  • Confirmed working as well, thank you fox the fix!

    2.2-ALPHA (amd64)
    built on Wed Apr 16 18:14:39 CDT 2014
    FreeBSD 10.0-STABLE



  • Also working here, thanks.