[SOLVED] Problem with rc.update_bogons script

[html]

I have an OPNSense Box (17.1.4) filtering Traffic between an Office Network and an Automation Network. The OPNSense Box has no Internet Connection, so updating Bogon Networks will not work and is not necessary in my case. There is no option for disabling the update, so I set the frequency to monthly.

On the 1st of the month I got a big CPU Load, over 30000 states for udp from 127.0.0.1 to 127.0.0.1:53 and the log file is filling up with following messages:
root: rc.update_bogons is starting up
root: rc.update_bogons is beginning the update cycle
root: Could not download https://pkg.opnsense.org/FreeBSD:11:amd64/17.1/sets/bogons.txz

I think the rc.update_bogons script generates an endless loop when there is no connection to the pkg.opnsense.org server. The sleep command isn't executed when the script is relaunched from an PROC_ERROR. Some parts of the script:

if [ "${COMMAND}" = "cron" ]; then
    VALUE=$(jot -r 1 1 900)
    echo "rc.update_bogons is sleeping for ${VALUE} seconds" | logger
    sleep ${VALUE}
fi

if [ ! -f ${WORKDIR}/bogons.txz ]; then
    echo "Could not download ${URL}" | logger
    PROC_ERROR=1

if [ -n "${PROC_ERROR}" ]; then
    # Relaunch and sleep
    sh /usr/local/etc/rc.update_bogons &
    exit
fi

A nice feature would be a setting for update frequency: Daily, Weekly, Monthly and never

[franco]

Hi html,

Sorry, I missed this:

https://github.com/opnsense/core/commit/141741

To apply this locally:

# opnsense-patch 141741

This loop bug was introduced in November 2016, though the behaviour was never different before that.

https://github.com/opnsense/changelog/blob/a4008b74e0315b1fd9fda7ef042ec7e297237a77/doc/16.7/16.7.8#L42

Maybe we should just stop after the third attempt?


Cheers,
Franco

[html]

That was fast!

In my (special) case the script would run forever. So yes, we should stop it after some attempts.

Cheers,
Helmut

[franco]

Hi Helmut,

Sure, thanks for reporting.

I have removed the fork altogether and set the retries to 5. It will be shipped in 17.1.6.

https://github.com/opnsense/core/commit/6832082


Cheers,
Franco

[html]

The problem still exists on my machine (17.1.6) without internet access but hopefully I found the reason now. The parameters for the fetch command needs a litte modification.

FETCH="fetch -aqT 30" should be changed to FETCH="fetch -qT 30"

With the -a parameter fetch automatically retries to get the bogons file, so the rest of the script will never be executed. Tested the scipt without the "a" parameter on my system and it works now as expected.

Cheers,
Helmut

[franco]

Hi Helmut,

Oh, thanks for tracking this down! I commited it just now[1], will be part of 17.1.7.


Cheers,
Franco

[1] https://github.com/opnsense/core/commit/9939ff2