Project

General

Profile

Actions
Copy link

Bug #14409

open

pfBlockerNG Cron Redundantly Updates pfSense Configuration When DNSBL is Disabled Due to Faulty Virtual IP Count

Added by LTC Tech 12 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
pfBlockerNG
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
23.01
Affected Architecture:

Description

pfBlockerNG: 3.2.0_4
pfSense Plus: 23.01

Related forum post:
https://forum.netgate.com/topic/174231/pfblockerng-fills-pfsense-config-history

Even though pfBlockerNG's DNSBL is disabled it checks for the presence of Virtual IPs matching DNSBL's description. It expects to find one (IPv4 only) or two (IPv4 and IPv6) Virtual IPs. When it does not find any VIPs (as DNSBL is disabled) it flips the $pfbupdate flag causing later code to write redundant changes to the pfSense config. This floods pfSense's Config History under Diagnostics -> Backup & Restore quickly overwriting legitimate history.

Relevant code:
https://github.com/pfsense/FreeBSD-ports/blob/1669285e76c1cbbdf0e08a74603537a955839139/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L2016

        // Validate DNSBL VIP address(es)
        $pfb['dnsbl_v6'] == 'on' ? $vip_count = 2 : $vip_count = 1;
        $result = array();
        foreach (array("inet {$pfb['dnsbl_vip']}", "inet6 ::{$pfb['dnsbl_vip']}") as $g_vip) {
            $g_vip = escapeshellarg($g_vip);
            exec("/sbin/ifconfig {$iface} | {$pfb['grep']} {$g_vip} 2>&1", $result, $retval);
        }
        if (count($result) != $vip_count) {
            $pfbupdate = TRUE;
        }

        // Update config.xml, if changes required
        if ($pfbupdate) {
            init_config_arr(array('nat', 'rule'));
            config_set_path('nat/rule', $new_nat);

            init_config_arr(array('virtualip', 'vip'));
            config_set_path('virtualip/vip', $new_vip);
            write_config('pfBlockerNG: saving DNSBL changes');
        }

I've come up with a patch that sets $vip_count to 0 if DNSBL is disabled. This causes the Virtual IP counts to match and avoids the config update.

--- a/src/usr/local/pkg/pfblockerng/pfblockerng.inc
+++ b/src/usr/local/pkg/pfblockerng/pfblockerng.inc
@@ -2013,7 +2013,12 @@
                }

                // Validate DNSBL VIP address(es)
-               $pfb['dnsbl_v6'] == 'on' ? $vip_count = 2 : $vip_count = 1;
+               if($mode == 'enabled') {
+                       $pfb['dnsbl_v6'] == 'on' ? $vip_count = 2 : $vip_count = 1;
+               }
+               else {
+                       $vip_count = 0;
+               }
                $result = array();
                foreach (array("inet {$pfb['dnsbl_vip']}", "inet6 ::{$pfb['dnsbl_vip']}") as $g_vip) {
                        $g_vip = escapeshellarg($g_vip);

I am not sure if this actually breaks DNSBL functionality as we don't use it. It may potentially break Virtual IP addition or removal.

Can someone with more knowledge of the code take a look?

Actions
Copy link

Also available in: Atom PDF