Project

General

Profile

Actions

Bug #11551

closed

SG-3100 with pfBlockerNG doesn't pass traffic

Added by Viktor Gurov 5 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
02/26/2021
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:

Description

SG-3100 appliance doesn't pass traffic on boot and I see error messages in `dmesg`:

pid 833 (php-cgi), jid 0, uid 0: exited on signal 11 (core dumped)

sometimes it won't load WebGUI and I need to restart php-fpm + webconfigurator from the console/ssh

but if I disable pfBlockerNG and reboot, it works fine,

If I enable pfBlockerNG (DNSBL python or unbound mode) it stops passing traffic again and I see:

pid 357 (php-fpm), jid 0, uid 0: exited on signal 11 (core dumped)

same issue if I disable all pfBlockerNG IP feeds

pfSense+ 21.02/21.02-p1
unbound 1.13.1
pfBlockerNG-devel 3.0.0_10

see also #11444

php core dumps:
https://drive.google.com/drive/folders/1xwLzDKy3aQbJejLi8MmEpeb8qcGieKBK


Files

pfblockerng.xml (30.1 KB) pfblockerng.xml Viktor Gurov, 02/26/2021 08:14 AM
Actions #1

Updated by Jim Pingle 5 months ago

The PHP segfault may be similar to, or the same as, #11466

Actions #2

Updated by Bill Meeks 5 months ago

Jim Pingle wrote:

The PHP segfault may be similar to, or the same as, #11466

I definitely agree. Something weird is up with PHP on 32-bit ARM hardware (or maybe all 32-bit hardware, but there are no longer x86 images to test with).

I worked all day yesterday on the Snort issue on an SG-3100. I put notes in the Issue #11466 ticket. I "fixed" the Snort problem, but I don't think I actually fixed the real problem. So I'm not willing to claim that issue can be closed yet.

Actions #3

Updated by Darin May about 2 months ago

The patch contained at https://redmine.pfsense.org/issues/11466#note-32 has stopped the PHP crashes. So this bug could be marked as dependent upon it for a perm fix.

Actions #4

Updated by Jim Pingle about 2 months ago

The patch should fix the behavior, but the package could also implement the fix on its own using ini_set("pcre.jit", "0"); in PHP on 32-bit ARM multi-core systems before performing PCRE operations. Doing it in the package would allow systems without the patch installed to benefit from the change.

Actions #5

Updated by Jim Pingle about 2 months ago

See also: #12004

Actions #6

Updated by Jim Pingle about 1 month ago

  • Status changed from New to Closed

Closing this as it appears to be the same root cause as #11466 which has a workaround applied as #12004 -- Users can wait for that to be integrated into a release or apply it manually using the instructions on that issue.

If you apply that workaround properly and still have problems, report them on the forum at https://forum.netgate.com/topic/164725/netgate-3100-php-crashes and include any error messages displayed in the GUI or log, crash reports, and other relevant data.

Actions

Also available in: Atom PDF