Bug #12907

open

PIMD: Nonexistent interfaces should be hidden/disabled in pimd.conf before bringing up the service

Added by Pete Holzmann over 2 years ago. Updated 8 months ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: PIMD
Target version: -
% Done: 0%

Description

At this point, pimd is unaware of nonexistent interfaces. This can lead to a kernel panic.
(My case: I removed newly-spared VLAN interfaces. In pfSense, having such unconfigured interface references normally is not an issue. But pim operates at the kernel level... :( )

This is not an easy bug to replicate: I ran for most of a year w/ no issues, then suddenly had reliable panics within two hours of any boot. Removing the unconfigured interfaces from the pimd config is what stabilized my system.

Also reported to pimd directly: https://github.com/troglobit/pimd/issues/218

Actions #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback

PIMD has options to not behave that way.

Sounds like what you really want is to have PIMD set to "Bind to None" and then define only the interfaces it should operate upon using the Interfaces tab. Then it shouldn't attach to anything you didn't tell it to do. Then it's also your responsibility to maintain that list.

Granted, pimd shouldn't cause a panic no matter what it does. That would require more investigation, however. We'd need to see the full crash dump file from the panics if you can reproduce it again.

Actions #2

Updated by Pete Holzmann over 2 years ago

Jim Pingle wrote in #note-1:

> PIMD has options to not behave that way.
>
> Sounds like what you really want is to have PIMD set to "Bind to None" and then define only the interfaces it should operate upon using the Interfaces tab. Then it shouldn't attach to anything you didn't tell it to do. Then it's also your responsibility to maintain that list.
>
> Granted, pimd shouldn't cause a panic no matter what it does. That would require more investigation, however. We'd need to see the full crash dump file from the panics if you can reproduce it again.

1) I've got PIMD set that way already.
2) The problem is, when the interfaces are removed in the GUI, there's no process to scan related configurations and eliminate interfaces.
3) I do have crash dump files if it would help. But I suspect the PIMD author can fix this just knowing that invalid interfaces might exist in the pimd.conf file.

A thought:
  • The Cert Manager knows where certs are in use across all of pfSense. (That was an earlier bug, when one pkg was missed!)
  • Perhaps the Interface Manager needs to know where interfaces are in use?

I realize that's a painful thought. :(

Actions #3

Updated by Jim Pingle over 2 years ago

The base system has no way to scan/inform packages about an interface being removed, it's up to the admin to maintain that. The package could maybe be better about not adding missing interfaces to the configuration, but really it's doing exactly what it was told to do.

Adding a plugin system to the base OS and packages is a much more complex request that is a feature and not a bug. The certificate plugin for packages only informs the base system that it's in use, it doesn't trigger any actions as a consequence. Preventing a user from deleting an interface in use by a package might be desirable, but again that's a feature request and not a bug.

PIMD should exit with an error if the configuration includes an interface not present in the operating system. PIMD can't help that the OS panics, but it should at least sanity check its own configuration to ensure it's binding to an interface that exists.

Actions #4

Updated by Bill Meeks over 2 years ago

I faced an issue similar to this with the Snort and Suricata packages some time back. I handled it there by always checking with the pfSense system (via a system call to obtain the "real" interface name) prior to using the interface in the Snort or Suricata configuration file. The pfSense system returns an empty or NULL string when you ask for the "real" interface name of a non-existent interface.

Perhaps the GUI portion of the PIMD package (assuming there is one) could be similarly modified?
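
The sanity check that notes 3 and 4 ask for (refuse to start, or hide the entry, when pimd.conf names an interface the OS does not have), as an added example that is not pfSense or pimd code. The function names, the sample config and the passed-in interface list are assumptions; on pfSense/FreeBSD the list would come from `ifconfig -l`.

```sh
#!/bin/sh
# Added example, not pfSense or pimd code. On pfSense/FreeBSD the live
# interface list would come from `ifconfig -l`; here it is passed in.

# missing_phyints CONF "if1 if2 ...": print interfaces named by non-disabled
# phyint lines that the OS does not have. Address-form phyints are skipped.
missing_phyints() {
    awk -v have="$2" '
        BEGIN { n = split(have, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "phyint" && NF >= 2 && $3 != "disable" &&
        $2 !~ /^[0-9.]+$/ && !($2 in ok) { print $2 }' "$1"
}

# sanitize_conf CONF "if1 if2 ...": emit the config with phyint lines for
# absent interfaces commented out, leaving every other line untouched.
sanitize_conf() {
    awk -v have="$2" '
        BEGIN { n = split(have, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "phyint" && NF >= 2 && $2 !~ /^[0-9.]+$/ && !($2 in ok) {
            print "# absent interface: " $0; next
        }
        { print }' "$1"
}

# preflight CONF "if1 if2 ...": return 1 (do not start pimd) if any are missing.
preflight() {
    missing=$(missing_phyints "$1" "$2" | tr '\n' ' ')
    [ -z "$missing" ] && return 0
    echo "pimd.conf names absent interfaces: $missing" >&2
    return 1
}

# Constructed sample: igb1.30 stands for a VLAN that was deleted in the GUI.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed pimd.conf fragment
phyint igb0 enable
phyint igb1.30 enable
phyint igb1.40 disable
phyint 192.0.2.1 enable
EOF
}

conf=$(mktemp); write_sample_conf "$conf"
preflight "$conf" "igb0 igb1 lo0" || sanitize_conf "$conf" "igb0 igb1 lo0"
rm -f "$conf"
```
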

Actions #5

Updated by Jordan G almost 2 years ago

pimd 0.0.3_5 on 23.01.b.20221217.1429 has bind to all/none and interface binding always/never settings available but no interface selection is visible in drop down

Actions #6

Updated by Jim Pingle almost 2 years ago

Jordan Greene wrote in #note-5:

> pimd 0.0.3_5 on 23.01.b.20221217.1429 has bind to all/none and interface binding always/never settings available but no interface selection is visible in drop down

That isn't related to this; it's a different issue, likely a result of needing to be updated for PHP 8.1. I opened #13774 for that.

Actions #7

Updated by Jordan G 8 months ago

0.0.3_6 pimd on 24.03 beta seems to function correctly with regards to bindings and interface selection and the status window indicated activity accordingly
