Bug #8904
Closed
Shellcmd: pfBlocker's earlyshellcmd is being removed at boot
Description
The Shellcmd package is incorrectly removing the pfBlocker early shellcmd entry at each boot.
--- /conf/backup/config-1537114650.xml 2018-09-16 17:18:01.326025000 +0100 +++ /conf/backup/config-1537114681.xml 2018-09-16 17:18:30.646898000 +0100 @@ -255,7 +255,6 @@ </acb> <shellcmd>/conf/WGXepc64 -l green</shellcmd> <earlyshellcmd>/usr/local/bin/php-cgi -f /usr/local/bin/apply_patches.php</earlyshellcmd> - <earlyshellcmd>/usr/local/pkg/pfblockerng/pfblockerng.sh aliastables</earlyshellcmd> <afterfilterchangeshellcmd></afterfilterchangeshellcmd> </system> <interfaces> @@ -940,8 +939,8 @@ <sequence>system_information:col1:open:0,interfaces:col2:open:0,services_status:col2:open:0,gateways:col2:open:0,ipsec:col2:open:0,pfblockerng:col3:open:0,suricata_alerts:col3:open:0</sequence> </widgets> <revision> - <time>1537114650</time> - <description><![CDATA[(system): pfBlockerNG: saving DNSBL changes]]></description> + <time>1537114681</time> + <description><![CDATA[(system): [shellcmd] Successfully (re)synced shellcmd configuration.]]></description> <username>(system)</username> </revision> <openvpn>
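Review bot: in the first hunk (@@ -255,7 +255,6 @@) the save described as "[shellcmd] Successfully (re)synced shellcmd configuration." drops the pfblockerng.sh aliastables <earlyshellcmd> while leaving the apply_patches.php <earlyshellcmd> next to it in place, so the rewrite is discarding an entry whose path belongs to another package (/usr/local/pkg/pfblockerng/). The resync should keep any <earlyshellcmd> it finds under <system> that it has no record of, or import such entries before it rewrites the tags.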
pfBlocker then adds it back.
--- /conf/backup/config-1537119130.xml 2018-09-16 18:33:03.136679000 +0100 +++ /conf/backup/config-1537119183.xml 2018-09-16 18:33:05.281034000 +0100 @@ -256,6 +256,7 @@ <shellcmd>/conf/WGXepc64 -l green</shellcmd> <earlyshellcmd>/usr/local/bin/php-cgi -f /usr/local/bin/apply_patches.php</earlyshellcmd> <earlyshellcmd>echo "test-earlyshellcmd"</earlyshellcmd> + <earlyshellcmd>/usr/local/pkg/pfblockerng/pfblockerng.sh aliastables</earlyshellcmd> <afterfilterchangeshellcmd></afterfilterchangeshellcmd> </system> <interfaces> @@ -940,8 +941,8 @@ <sequence>system_information:col1:open:0,interfaces:col2:open:0,services_status:col2:open:0,gateways:col2:open:0,ipsec:col2:open:0,pfblockerng:col3:open:0,suricata_alerts:col3:open:0</sequence> </widgets> <revision> - <time>1537119130</time> - <description><![CDATA[(system): [shellcmd] Successfully (re)synced shellcmd configuration.]]></description> + <time>1537119183</time> + <description><![CDATA[(system): pfBlockerNG: saving earlyshellcmd]]></description> <username>(system)</username> </revision> <openvpn>
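Review bot: the first hunk (@@ -256,6 +256,7 @@) puts the pfblockerng.sh aliastables line back as a config save of its own ("pfBlockerNG: saving earlyshellcmd", revision time 1537119130 to 1537119183), directly on top of a "[shellcmd] Successfully (re)synced shellcmd configuration." revision. It would be better for the writer to fold the re-add into a save it is already making, so that a repeat of this remove/re-add pair does not cost an extra revision each time.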
This results in multiple config changes and hence multiple backups to ACB.
The pfBlocker early shellcmd does not appear in Services > Shellcmd even though it is in config.xml.
This doesn't happen in 2.4.3p1.
Tested in pfSense-2.4.4.r.20180914.1530.
Shellcmd package 1.0.5
pfBlocker package 2.2.5_12
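The comparison the two diffs above make by hand can be automated. This is an added example, not part of the original report or of either package. It parses two config.xml revisions and reports which boot-time command tags were added or removed and which save did it. The sample XML is a constructed, cut-down copy of the first backup pair.

```python
import xml.etree.ElementTree as ET

# Tags under <system> that hold boot-time commands in the diffs above.
BOOT_TAGS = ("earlyshellcmd", "shellcmd", "afterfilterchangeshellcmd")
PFB = "/usr/local/pkg/pfblockerng/pfblockerng.sh aliastables"

# Constructed sample: a cut-down config.xml modelled on the first backup pair.
BEFORE = f"""<pfsense><system>
<shellcmd>/conf/WGXepc64 -l green</shellcmd>
<earlyshellcmd>/usr/local/bin/php-cgi -f /usr/local/bin/apply_patches.php</earlyshellcmd>
<earlyshellcmd>{PFB}</earlyshellcmd>
<afterfilterchangeshellcmd></afterfilterchangeshellcmd>
</system><revision><time>1537114650</time>
<description><![CDATA[(system): pfBlockerNG: saving DNSBL changes]]></description>
<username>(system)</username></revision></pfsense>"""
AFTER = (BEFORE.replace(f"<earlyshellcmd>{PFB}</earlyshellcmd>\n", "")
         .replace("1537114650", "1537114681")
         .replace("pfBlockerNG: saving DNSBL changes",
                  "[shellcmd] Successfully (re)synced shellcmd configuration."))


def boot_commands(xml_text):
    """Return ({(tag, command)}, revision description) for one config.xml."""
    root = ET.fromstring(xml_text)
    cmds = set()
    for tag in BOOT_TAGS:
        for node in root.findall(f"./system/{tag}"):
            text = (node.text or "").strip()
            if text:                      # skip empty placeholder tags
                cmds.add((tag, text))
    desc = (root.findtext("./revision/description") or "").strip()
    return cmds, desc


def audit(old_xml, new_xml):
    """Report boot-command tags that differ between two config revisions."""
    old, _ = boot_commands(old_xml)
    new, changed_by = boot_commands(new_xml)
    return {"changed_by": changed_by,
            "removed": sorted(old - new),
            "added": sorted(new - old)}


if __name__ == "__main__":
    print(audit(BEFORE, AFTER))
```

To use it on a firewall's own history, pass the contents of two files from /conf/backup/ in place of the constructed strings.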
Updated by Jim Pingle over 5 years ago
On install, shellcmd imports the items from the earlyshellcmd tags and reformats them into the shellcmd package settings. From then on it writes the earlyshellcmd/shellcmd/etc from its own settings; it always clobbers what isn't in its own settings. It will pull in the entries on install when the "import" function is run, but not after.
Thus, if you install shellcmd after pfblocker it would work but if you install shellcmd first it would never show up. If you upgrade/reinstall shellcmd after pfblocker it would pick it up.
I have tried a few different techniques but I have not yet come up with any great workaround.
I can force an import on sync but then it doesn't appear until you make some unrelated change that triggers a shellcmd package sync. There isn't a means by which the page can run the import before the item list page shows up. It can import before the edit form but then that means the list is blank, and when you click 'add' it's pre-filled with the pfBlocker info, which is also super confusing.
The best solution I've come up with so far would be for pfBlocker to add the earlyshellcmd both to the place it does now and also into the shellcmd package settings under $config['installedpackages']['shellcmdsettings']['config'] rather than only adding the <earlyshellcmd> tag.
For now, if you do not see the pfblocker earlyshellcmd in the list, reinstall the shellcmd package and check again.
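The install-order dependence described in the comment above can be replayed with a small model. This is an added example, not the shellcmd package's code. The class, the step names and the dictionary standing in for config.xml are all hypothetical simplifications.

```python
PFB = "/usr/local/pkg/pfblockerng/pfblockerng.sh aliastables"


class ShellcmdModel:
    """Simplified model of the behaviour described above (not package code)."""

    def __init__(self):
        self.settings = []   # stand-in for the shellcmd package settings

    def import_existing(self, config):
        # Install/reinstall only: adopt tags already present in config.xml.
        for cmd in config["earlyshellcmd"]:
            if cmd not in self.settings:
                self.settings.append(cmd)

    def sync(self, config):
        # Every resync: tags are rewritten from the package settings alone.
        config["earlyshellcmd"] = list(self.settings)


def survives(steps, also_register=False):
    """Replay install/boot steps; True if the pfBlocker tag is still present."""
    config = {"earlyshellcmd": []}   # stand-in for <system> in config.xml
    shellcmd = None
    for step in steps:
        if step == "install_pfblocker":
            config["earlyshellcmd"].append(PFB)
            if also_register and shellcmd is not None:
                shellcmd.settings.append(PFB)   # the workaround proposed above
        elif step == "install_shellcmd":        # also models a reinstall
            shellcmd = shellcmd or ShellcmdModel()
            shellcmd.import_existing(config)
        elif step == "resync":
            shellcmd.sync(config)
    return PFB in config["earlyshellcmd"]


if __name__ == "__main__":
    print(survives(["install_shellcmd", "install_pfblocker", "resync"]))
```

With shellcmd installed first the entry is lost on resync. Installing pfBlocker first, reinstalling shellcmd afterwards, or registering the entry in both places each keep it.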
Updated by Jim Pingle over 5 years ago
- Status changed from New to Feedback
- Affected Architecture All added
- Affected Architecture deleted ()
A previous fix to shellcmd to address PHP errors changed it from using references to using a copy of the config, which apparently caused the import process to fail. After some testing with @stevew we confirmed that moving back to (properly initialized) references let it work as expected again.
You can still potentially fall into a trap where if you install pfBlocker after shellcmd it won't show up in the list, but a reinstall of shellcmd will fix it for sure now.
pfBlocker should probably add the extra tags expected by the shellcmd package to make sure it doesn't get lost, but it's better off now than it was.
Fix is in shellcmd pkg version 1.0.5_1
Updated by BBcan177 . over 5 years ago
Added Shellcmd package functionality to pfBlockerNG-devel here:
https://github.com/pfsense/FreeBSD-ports/pull/569/commits/f2a2cfdfc8689164f07f82d40e1a802643ebd914
Updated by Steve Wheeler over 5 years ago
- Status changed from Feedback to Resolved
Fixed in current package versions:
[2.4.4-RELEASE][admin@xtm5.stevew.lan]/root: pkg info -x pfsense
pfSense-2.4.4_1
pfSense-Status_Monitoring-1.7.6
pfSense-base-2.4.4_1
pfSense-default-config-serial-2.4.4_1
pfSense-kernel-pfSense-2.4.4_1
pfSense-pkg-LCDproc-0.10.6_2
pfSense-pkg-Shellcmd-1.0.5_1
pfSense-pkg-System_Patches-1.2_1
pfSense-pkg-iperf-2.0.5.5_3
pfSense-pkg-openvpn-client-export-1.4.18
pfSense-pkg-pfBlockerNG-devel-2.2.5_19
pfSense-pkg-suricata-4.0.13_11
pfSense-rc-2.4.4_1
pfSense-repo-2.4.4
pfSense-upgrade-0.60
php72-pfSense-module-0.65