Netgate Discussion Forum

Firewall syntax error on applying limiter

2.2 Snapshot Feedback and Problems - RETIRED
  • F
    Forst
    last edited by Apr 8, 2014, 2:37 PM

    Good time of the day!

    There is a problem with the firewall when it comes to limiting the bandwidth.
    Bug initially reported here: https://forum.pfsense.org/index.php?topic=74238.msg407759#msg407759

    Steps to reproduce:
    1. Create a limiter in "Firewall - Traffic Shaper - Limiter". In my case I made a simple 10 Mbps limit for all traffic, without any extra parameters, called it "10Mbps"
    2. Assign the created limiter to any rule as the "In" queue (in "Advanced features - In/Out")
    3. Save the rule and apply changes

    Expected results:
    Bandwidth is limited to 10 Mbps for traffic matching the rule, no errors are produced.

    Actual result:
    Rules are not applied, an error occurs:

    [ There were error(s) loading the rules: /tmp/rules.debug:145: syntax error - The line in question reads [145]: pass in quick on $LAN inet from 192.168.1.0/24 to any tracker 1396966525 keep state dnpipe ( 1) label USER_RULE: Default allow LAN to any rule]
    

    Reproducible on a clean install of:

    2.2-ALPHA (amd64)
    built on Sun Apr 6 20:41:07 CDT 2014

    with the simplest configuration of two interfaces (WAN, LAN).

    • I
      ingmthompson
      last edited by Apr 11, 2014, 1:30 PM

      I made a bug for this one, but I believe the devs are already aware of it:

      https://redmine.pfsense.org/issues/3579

      • P
        phil.davis
        last edited by Apr 12, 2014, 10:19 AM

        I get the same thing with the same sort of simple configuration.
        /tmp/rules.limiter has:

        pipe 1 config  bw 1Mb
        
        

        When I do

        /sbin/ipfw /tmp/rules.limiter
        

        there is no error, and a pipe is created:

        /sbin/ipfw pipe list
        00001:   1.000 Mbit/s    0 ms burst 0
        q131073  50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
         sched 65537 type FIFO flags 0x0 0 buckets 0 active
        
        

        I will stop there. I have a feeling that I need to be able to see what has happened in "pf". I have no access to pfSense-tools, so I cannot dig any deeper. Would love to help, but have been locked out. Very frustrating on an "open-source" project.
        (And it has been so long waiting for this to be resolved that I am going to keep putting comments like this whenever I run up against the wall. Initially I was happy to wait a bit and see, but it has been too long. I sent a request for access over a week ago and have heard nothing, not even an acknowledgement that my request was received.)

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • E
          eri--
          last edited by Apr 14, 2014, 8:08 PM

          Fixed.
          Newer snapshots will not have this issue anymore.

          • P
            phil.davis
            last edited by Apr 15, 2014, 3:34 AM

            2.2-ALPHA (i386)
            built on Mon Apr 14 15:07:07 CDT 2014
            FreeBSD 10.0-STABLE

            A simple limiter rule like this is loaded without error:

            pass  in  quick  on $LAN inet proto tcp  from 10.49.211.0/24 to any tracker 1397532620 flags S/SA keep state  dnpipe ( 1)  label "USER_RULE: Limit DHCP devices"
            

            Working, thanks

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            • F
              Forst
              last edited by Apr 17, 2014, 7:41 AM

              Confirmed working as well, thank you for the fix!

              2.2-ALPHA (amd64)
              built on Wed Apr 16 18:14:39 CDT 2014
              FreeBSD 10.0-STABLE

              • I
                ingmthompson
                last edited by Apr 17, 2014, 5:35 PM

                Also working here, thanks.
