Bug #6747: pfctl - getting high cpu usage - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.07 Plus - All Closed Issues
24.07 Plus - All Open Issues
24.07 Plus - Feedback Issues
24.07 Plus - Needs Attention/Work
24.07 Plus - New/Confirmed/In Progress Issues
24.07 Plus - Pull Request Review
24.07 Plus - Waiting on Merge
24.07 Target - All Closed Issues
24.07 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #6747

closed

pfctl - getting high cpu usage

Added by Rafael Cunha over 7 years ago. Updated over 4 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

Operating System

Target version:

Start date:

08/29/2016

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

Affected Architecture:

Description

When firewall logs is enabled on dashboard and update interval is set to a small time (5 seconds, ie), pfctl starts to get high cpu usage. This causes a packet loss problem.

Version 2.3.2-RELEASE (amd64)
built on Tue Jul 19 12:44:43 CDT 2016
FreeBSD 10.3-RELEASE-p5

The system is on the latest version.

CPU Type Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
16 CPUs: 2 package(s) x 4 core(s) x 2 SMT threads

History
Notes
Property changes

Actions

Copy link

Updated by Rafael Cunha over 7 years ago

In case anyone need:

pfctl -sr | wc -l
8707

Actions

Copy link

Updated by Rafael Cunha over 7 years ago

When pfblockerng counter widget is enabled too.

`-- sh -c /sbin/pfctl -vv -sr | /usr/bin/grep 'pfB_'

Actions

Copy link

Updated by Pi Ba over 7 years ago

As discussed on IRC, his original pfctl usage was caused by the line below:

`-- sh -c /sbin/pfctl -vvPsr | /usr/bin/egrep '^@[0-9]+\\(1470855395\\)[[:space:]]pass[[:space:]].*[[:space:]]log[[:space:]]'

This seems to be responsible for reading rule descriptions, but as far as i can tell those are not shown on the widget anywhere.. Though are included in a 'data-content=' attribute for which i yet have to find any purpose on the widget.

Rafael will try and see if he edits the /usr/local/www/widgets/widgets/log.widget.php to nolonger read those descriptions if at least the first issue is 'gone'. And check if there are no negative sideeffects from that. If he confirms it works alright ill send a pullrequest removing it completely, if there are no objections ofc.. :).

Actions

Copy link

Updated by Rafael Cunha over 7 years ago

Pi Ba, does this edition include pfblockerng widget problem too?

Actions

Copy link

Updated by BBcan177 . over 7 years ago

egrep is very memory aggressive...

The pfBlockerNG widget runs this line which doesn't use egrep:

pfctl -vv -sr | grep pfB

I don't think there is any concern for high cpu usage with the pfBlockerNG widget...

Actions

Copy link

Updated by Rafael Cunha over 7 years ago

It only happens with firewall log widget and pfblockerng widget. The resources consumption (I'm not 100% sure if it's memory or cpu) gets high and pfSense starts losing packets. There's about 5000 hosts in this network and several rules. When I use command 'top' to monitor resources usage it's possible to see pfctl with high cpu usage.

Actions

Copy link