Topics

1

24.1 Legacy Series / CPU usage /usr/local/opnsense/scripts/filter/update_tables.py

« on: June 25, 2024, 11:47:40 pm »

Hi all,

When an alias is changed via Firewall -> Aliases -> Apply, the script /usr/local/opnsense/scripts/filter/update_tables.py is run from the cron every minute to make sure that pf actually picks up the change, as I understand it.
However, running this script takes about 10 to 20 seconds during which the CPU gets stressed quite severly. This behavior is seen for quite some years now and I have not been able to fix this.
I did a python trace on the update_tables.py script and it is executing the /usr/local/opnsense/scripts/filter/lib/alias/pf.py file for example about 13 million times. That surely explains the CPU load, I guess. I do have some aliases (of 'URL Table (IPs)' type) some of which are quite big (more than 200,000 IP addresses). Am I doing something wrong with my firewall alias settings? I have seen some other mentions by people seeing similar behavior with the update_tables.py script, but unfortunately not with a fix.
Hopefully someone can help me with odd behavior. If I need to provide more information, please let me know. Thank you very much.

2

Intrusion Detection and Prevention / Apply policy from the commandline

« on: November 14, 2021, 02:44:18 pm »

Hi,

I try to apply a suricata policy from the GUI but keep getting errors. It seems like a timeout of some sorts. The configd.log says the following:

unable to sendback response [OK ] for [ids][install][['rules']] {6fc08c2d-8d49-491a-8cdf-ac51ec4a6fc2}, message was Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 202, in run     self.connection.sendall(('%s\n' % result).encode()) BrokenPipeError: [Errno 32] Broken pipe

Is there a way to apply a policy using the console, by using configctl?

Thanks.