pfSense

This is the return of Bug #11550 in pfSense 2.5.2.

I originally filed my report as a reply to that bug, but I realized later that I probably should have filed a new bug since the original had already been marked as resolved. Apologies for the duplication. My original text is below.

Given that this regression results in a completely broken firewall after upgrading, I've marked it as "urgent", but I hope that's not overreaching on my part.

I'm afraid I have to agree with Roman Nik that this bug is still around in 2.5.2-RELEASE.

I just upgraded from 2.4.5_1 to 2.5.2, and I got bitten by this same bug. After the upgrade, the firewall came back up essentially rule-less because pfctl segfaulted while parsing the ruleset. I first noticed while inspecting the system logs post-upgrade, and I freaked out when I saw internet bots banging on my pfSense SSH port, which is normally completely firewalled off from the WAN interface! After disabling the WAN for safety, I was able to debug the problem and found that the shaper rules were the cause of the segfault.

# cat /etc/version*
2.5.2-RELEASE
Fri Jul 02 15:33:00 EDT 2021
fd0f54f44b5ceb91c4579ed9536de58b8925836d
0

# pfctl -vf /tmp/rules.debug
[...snip...]
set loginterface igb1
set skip on { pfsync0 }
altq on igb0 fairq bandwidth 6.25Mb tbrsize 6000 queue { WAN_main }
Segmentation fault (core dumped)

Note that the symptoms are identical to those originally reported here: ALTQ using FAIRQ causes a segfault on rule parse.

Once I disabled both of my shapers in pfSense and reloaded the config, the firewall came up normally, and a pfctl -vf /tmp/rules.debug would return without error.

I've attached the shaper section of my pfSense config for reference.