When specifying a probability attribute on a rule and the value is out of
range, pfctl reports the problem using the internal probability value, an
unsigned greater than UINT_MAX, rather than what you actually specified.

The accepted range is either a number between 0 and 1 or between 0 and 100
if followed by a % character (to specify the value in percent).

The pfctl rule output already displays the probability value in percent:

    # pfctl -sr | grep prob
    pass in on em0 inet proto icmp all keep state probability 50%

so I think the error message should contain the value in percent also.

The transcript below uses the current pfctl and a patched pfctl (diff below):

    # grep prob pf.conf
    pass in on $int_if inet proto icmp all probability 1.1
    # pfctl -f pf.conf
    pf.conf:11: invalid probability: 4724464025.000000
    pfctl: Syntax error in config file: pf rules not loaded
    # /usr/src/sbin/pfctl/obj/pfctl -f pf.conf
    pf.conf:11: invalid probability: 1.1 (110%)
    pfctl: Syntax error in config file: pf rules not loaded
    #

Maybe something like this?

Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.594
diff -u -p -r1.594 parse.y
--- parse.y     24 Sep 2010 09:17:46 -0000      1.594
+++ parse.y     13 Dec 2010 16:28:43 -0000
@@ -2208,7 +2208,8 @@ filter_opt        : USER uids {
 
                        p = floor($2 * UINT_MAX + 0.5);
                        if (p < 0.0 || p > UINT_MAX) {
-                               yyerror("invalid probability: %lf", p);
+                               yyerror("invalid probability: %g (%g%%)", $2,
+                                   $2 * 100);
                                YYERROR;
                        }
                        filter_opts.prob = (u_int32_t)p;
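
Review bot: the bare %g conversions in the new yyerror() call print only six significant digits, so an input just over the limit, such as 1.0000001, still fails the p > UINT_MAX check but is reported as "invalid probability: 1 (100%)", which reads like a valid value. Consider a wider precision (for example %.10g), or state the accepted range in the message itself so the user can see why the value was rejected. The message also prints both the fraction and the percent form regardless of which one was written in pf.conf; if the grammar knows which form was used, echoing only that form would match the user's input more closely.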
