Project

General

Profile

Actions

Bug #14758

closed

``status_carp.php`` and ``diag_dump_states.php`` unresponsive with large state tables

Added by Kris Phillips about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
High
Category:
Web Interface
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
23.09
Release Notes:
Default
Affected Version:
2.7.0
Affected Architecture:
All

Description

When attempting to load the CARP Status Page or States Diagnostics page in pfSense Plus when there is 2-3 Million State Table Entries present, the firewall will fail to load either page with a 504 Gateway Timed Out. This also happens when attempting to click the filtered state view link from a firewall rule to jump to the state table, regardless of how many states are in the filtered result (tested with just 1 state on a rule and still resulted in a timeout).

This also results in a single process spawning for pctl with the flags -vvss that consumes 100% CPU usage one one core. Every time you try to load one of these pages, it will spawn a new process and consume another CPU core at 100%. This will continue until all cores are consumed, if the end user continues to try and load these pages, until the webConfigurator crashes. These processes will not kill themselves and continue to exist until either killed with the "kill [pid]" command or rebooting the firewall.

An example of this:
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 11 177.3 0.0 0 192 - RNL 14:59 5611:03.85 [idle]
root 25046 100.0 8.0 3167392 2630076 - R 23:22 55:35.18 /sbin/pfctl -vvss
root 28261 100.0 8.0 3167392 2629760 - R 23:52 26:02.90 /sbin/pfctl -vvss
root 41707 100.0 8.0 3167392 2629668 - R 00:02 15:47.69 /sbin/pfctl -vvss
root 42569 100.0 8.0 3167392 2630168 - R 23:14 63:15.87 /sbin/pfctl -vvss
root 60190 100.0 8.0 3167392 2630340 - R 23:02 76:06.92 /sbin/pfctl -vvss
root 66730 100.0 8.0 3167392 2629956 - R 23:32 45:36.44 /sbin/pfctl -vvss
root 70156 100.0 8.0 3167392 2629536 - R 00:16 1:13.20 /sbin/pfctl -vvss
root 93064 100.0 8.0 3167392 2630284 - R 23:06 71:31.45 /sbin/pfctl -vvss
root 98465 100.0 8.0 3173024 2634816 - RN 17:05 432:55.05 /sbin/pfctl -ss
root 45574 99.7 8.0 3167392 2630224 - R 23:10 67:21.82 /sbin/pfctl -vvss

At the very least these processes should "stop trying" after the PHP code fails to complete, but we should also optimize the PHP code to not try and load the entire state table every single time these pages are loaded.

Actions

Also available in: Atom PDF