Bug #7231

closed

Web UI does not properly remove priq shaping rules when deleting an interface which causes subsequent rule failures without warning in the UI

Added by John Barfield about 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Web Interface
Target version:
Start date: 02/07/2017
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.x
Affected Architecture:

Description

Reproduce:

1. Provision pfSense 2.3.2 with 1 WAN and multiple LANs.

2. Configure priq traffic shaper to limit traffic on all 3 LANs.

3. Delete one of the LAN interfaces.

Actual Behavior:
The WebUI will allow you to delete the interface without any errors. Additionally, it will allow you to create new IP aliases, NAT, and firewall rules. You can apply the rules, but they never work, leaving the end user to believe that they've misconfigured the new rules.

Expected Behavior:
One would expect the web UI to warn you that there are shaping rules "in use" and to remove them before deleting the interface.

Where I found the error:

I kept putting new rules in the GUI and then checking pfctl -sr and not seeing my rules getting applied. Additionally, I could not get a NAT translation to take place when checking pfctl -ss. These two things led me to believe that pf was not getting updated.

Upon further digging through system.log I noticed this error:
Feb 7 20:53:46 pfSense php-fpm52875: /rc.filter_configure_sync: New alert found: There were error(s) loading the rules: /tmp/rules.debug:53: syntax error - The line in question reads [53]: altq on priq bandwidth 157286.4Kb queue { qLink, qACK, qP2P, qOthersHigh, qOthersLow }

Checking:
/tmp/rules.debug on line 53 I found the following:

altq on  priq bandwidth 157286.4Kb queue {  qLink,  qACK,  qP2P,  qOthersHigh,  qOthersLow  }
queue qLink on vtnet4 priority 2 qlimit 500 priq ( ecn , default )
queue qACK on vtnet4 priority 6 priq ( ecn )
queue qP2P on vtnet4 priority 1 priq ( ecn )
queue qOthersHigh on vtnet4 priority 4 priq ( ecn )
queue qOthersLow on vtnet4 priority 3 priq ( ecn )

The line that starts with "altq" should have an interface name between 'on' and 'priq'. The UI deleted the interface name but it did not delete the lines altogether. The proper priq config would look like this:

altq on vtnet5 priq bandwidth 157286.4Kb queue {  qLink,  qACK,  qP2P,  qOthersHigh,  qOthersLow  }
queue qLink on vtnet5 priority 2 qlimit 500 priq ( ecn , default )
queue qACK on vtnet5 priority 6 priq ( ecn )
queue qP2P on vtnet5 priority 1 priq ( ecn )
queue qOthersHigh on vtnet5 priority 4 priq ( ecn )
queue qOthersLow on vtnet5 priority 3 priq ( ecn )

To solve:
I went to the web UI and deleted my priority queue shaping rules, then re-applied the firewall config. I then re-created my traffic shaping rules.

After recreating the shaping rules I updated my NAT and rules configs and now all NAT and firewall rules work as expected.
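
A check for the failure described in this report, as an added example that is not part of the original report or of pfSense: it scans a generated ruleset for altq lines that lost their interface name and for queue lines left without a matching altq declaration. The function name check_altq and the scheduler keyword list are assumptions, and the sample input is constructed from the broken rules quoted above.

```shell
#!/bin/sh
# Added example, not pfSense code. Flags ALTQ lines in a pf ruleset that
# lost their interface name, plus queue lines left without a matching altq.

# Usage: check_altq FILE   (prints findings, returns 1 if any were found)
check_altq() {
    awk '
    BEGIN {
        # Scheduler keywords that may follow the interface name (assumed list).
        n = split("priq cbq hfsc fairq codelq", s, " ")
        for (i = 1; i <= n; i++) sched[s[i]] = 1
    }
    $1 == "altq" && $2 == "on" {
        # A scheduler or "bandwidth" right after "on" means no interface.
        if ($3 == "" || $3 == "bandwidth" || ($3 in sched)) {
            printf "%d: altq without interface: %s\n", NR, $0
            bad = 1
        } else {
            altq_if[$3] = 1
        }
        next
    }
    # "queue NAME on IFACE ...": remember the interface for the END pass.
    $1 == "queue" && $3 == "on" { q_if[NR] = $4; q_txt[NR] = $0 }
    END {
        for (l = 1; l <= NR; l++)
            if ((l in q_if) && !(q_if[l] in altq_if)) {
                printf "%d: queue on %s has no altq: %s\n", l, q_if[l], q_txt[l]
                bad = 1
            }
        exit bad + 0
    }' "$1"
}

# Constructed sample modelled on the broken rules quoted in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
altq on  priq bandwidth 157286.4Kb queue {  qLink,  qACK  }
queue qLink on vtnet4 priority 2 qlimit 500 priq ( ecn , default )
queue qACK on vtnet4 priority 6 priq ( ecn )
EOF
check_altq "$sample" || echo "ruleset would fail to load"
rm -f "$sample"
```

On the firewall itself, `pfctl -nf /tmp/rules.debug` parses the same file without loading it and reports the syntax error directly.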
