Bug #9179

NAT reflection fix implemented for #8604 is causing WebUI and XMLRPC to fail on slave

Added by Valentin N 6 days ago.

Status: New
Priority: Normal
Assignee: -
Category: NAT Reflection
Target version: -
Start date: 12/07/2018
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.4_1
Affected Architecture:

Description

Ref: https://github.com/pfsense/pfsense/commit/6f8e648f5c88e04166539ab27872b13dfd587cb8 which fixed #8604

Whenever XMLRPC sync is triggered the slave no longer responds to the WebUI or XMLRPC (sometimes it takes a 2nd XMLRPC sync for this to trigger). The work-around is to restart PHP-FPM. Rolling back the commit above fixes the problem in my case.

It seems the call to get_interface_ip() is expensive (1 second per call), which causes each NAT reflection rule generation to take roughly 3 seconds to complete. With a large number of rules and gateways this seems to be a problem since the filter reload takes up to 2 minutes to generate the rules. With the commit above reverted the filter reload takes less than 5 seconds.

I suspect there is a more optimal way to check if the interface has an IP assigned other than calling get_interface_ip(). I am not familiar with the code and, although this might not be generally true (to be verified), from my experiments it seems that get_interface_ip() returns the same value as $ifsubnet_ip, which could be substituted in place of the call.
