Bug #12907
open
PIMD: Nonexistent interfaces should be hidden/disabled in pimd.conf before bringing up the service
Added by Pete Holzmann over 2 years ago.
Updated 8 months ago.
Description
At this point, pimd is unaware of nonexistent interfaces. This can lead to a kernel panic.
(My case: I removed newly-spared VLAN interfaces. In pfSense, having such unconfigured interface references normally is not an issue. But pim operates at the kernel level... :( )
This is not an easy bug to replicate: I ran for most of a year w/ no issues, then suddenly had reliable panics within two hours of any boot. Removing the unconfigured interfaces from the pimd config is what stabilized my system.
Also reported to pimd directly: https://github.com/troglobit/pimd/issues/218
- Status changed from New to Feedback
PIMD has options to not behave that way.
Sounds like what you really want is to have PIMD set to "Bind to None" and then define only the interfaces it should operate upon using the Interfaces tab. Then it shouldn't attach to anything you didn't tell it to do. Then it's also your responsibility to maintain that list.
Granted, pimd shouldn't cause a panic no matter what it does. That would require more investigation, however. We'd need to see the full crash dump file from the panics if you can reproduce it again.
Jim Pingle wrote in #note-1:
PIMD has options to not behave that way.
Sounds like what you really want is to have PIMD set to "Bind to None" and then define only the interfaces it should operate upon using the Interfaces tab. Then it shouldn't attach to anything you didn't tell it to do. Then it's also your responsibility to maintain that list.
Granted, pimd shouldn't cause a panic no matter what it does. That would require more investigation, however. We'd need to see the full crash dump file from the panics if you can reproduce it again.
1) I've got PIMD set that way already.
2) The problem is, when the interfaces are removed in the GUI, there's no process to scan related configurations and eliminate interfaces.
3) I do have crash dump files if it would help. But I suspect the PIMD author can fix this just knowing that invalid interfaces might exist in the pimd.conf file.
A thought:
- The Cert Manager knows where certs are in use across all of pfSense. (That was an earlier bug, when one pkg was missed!)
- Perhaps the Interface Manager needs to know where interfaces are in use?
I realize that's a painful thought. :(
The base system has no way to scan/inform packages about an interface being removed, it's up to the admin to maintain that. The package could maybe be better about not adding missing interfaces to the configuration, but really it's doing exactly what it was told to do.
Adding a plugin system to the base OS and packages is a much more complex request that is a feature and not a bug. The certificate plugin for packages only informs the base system that it's in use, it doesn't trigger any actions as a consequence. Preventing a user from deleting an interface in use by a package might be desirable, but again that's a feature request and not a bug.
PIMD should exit with an error if the configuration includes an interface not present in the operating system. PIMD can't help that the OS panics, but it should at least sanity check its own configuration to ensure it's binding to an interface that exists.
I faced an issue similar to this with the Snort and Suricata packages some time back. I handled it there by always checking with the pfSense system (via a system call to obtain the "real" interface name) prior to using the interface in the Snort or Suricata configuration file. The pfSense system returns an empty or NULL string when you ask for the "real" interface name of a non-existent interface.
Perhaps the GUI portion of the PIMD package (assuming there is one) could be similarly modified?
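The sanity check proposed in the two comments above (refuse to start when pimd.conf names an interface the OS does not have), as an added example that is not part of this thread or of the pimd or pfSense code. The function name is hypothetical; it assumes interfaces are declared with pimd's `phyint <ifname>` lines and, as a further assumption, skips entries already marked `disable`.

```shell
#!/bin/sh
# Added example (not pimd or pfSense code): pre-start check of pimd.conf.
# Assumes interfaces are declared with pimd's "phyint <ifname> ..." lines.

# missing_phyints CONF "IF1 IF2 ..."
# Prints each configured interface that is absent from the given list.
# Returns 0 if all exist, 1 if any are missing, 2 if CONF is unreadable.
missing_phyints() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Collapse any whitespace so the list can be matched as " name ".
    present=" $(printf '%s' "$2" | tr -s '[:space:]' ' ') "
    missing=$(awk -v present="$present" '
        { sub(/#.*/, "") }                    # strip comments
        $1 == "phyint" && NF >= 2 {
            if ($2 ~ /^[0-9.]+$/) next        # phyint given by address
            if ($3 == "disable") next         # assumption: already inert
            if (index(present, " " $2 " ") == 0) print $2
        }' "$conf" | sort -u)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample run (the config lines and names are made up):
sample=$(mktemp)
printf '%s\n' 'phyint igb0 enable' \
    'phyint igb1.40 enable   # VLAN since removed' > "$sample"
missing_phyints "$sample" "lo0 igb0 igb1" || echo "refusing to start pimd"
rm -f "$sample"
```

On the firewall itself the second argument would be `"$(ifconfig -l)"` and the first the generated pimd.conf, whose path is not given in this thread.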
pimd 0.0.3_5 on 23.01.b.20221217.1429 has bind to all/none and interface binding always/never settings available but no interface selection is visible in drop down
Jordan Greene wrote in #note-5:
pimd 0.0.3_5 on 23.01.b.20221217.1429 has bind to all/none and interface binding always/never settings available but no interface selection is visible in drop down
That isn't related to this, it's a different issue, likely a result of needing to be updated for PHP 8.1. I opened #13774 for that.
0.0.3_6 pimd on 24.03 beta seems to function correctly with regards to bindings and interface selection and the status window indicated activity accordingly