kernel: pflog0: promiscuous mode dis-/enabled every 15 min

[chemlud]

Hi!

I'm on latest 64bit since this morning (comming from 19.1 latest) and on two installs I checked I get every 15 min:

Code Select Expand


Aug 11 16:06:30 kernel: pflog0: promiscuous mode enabled
Aug 11 16:06:30 kernel: pflog0: promiscuous mode disabled
Aug 11 16:01:01 kernel: pflog0: promiscuous mode enabled
Aug 11 16:01:01 kernel: pflog0: promiscuous mode disabled
Aug 11 15:46:01 kernel: pflog0: promiscuous mode enabled
Aug 11 15:46:01 kernel: pflog0: promiscuous mode disabled
Aug 11 15:31:01 kernel: pflog0: promiscuous mode enabled
Aug 11 15:31:01 kernel: pflog0: promiscuous mode disabled
Aug 11 15:16:01 kernel: pflog0: promiscuous mode enabled
Aug 11 15:16:01 kernel: pflog0: promiscuous mode disabled
Aug 11 15:01:01 kernel: pflog0: promiscuous mode enabled
Aug 11 15:01:01 kernel: pflog0: promiscuous mode disabled
Aug 11 14:46:01 kernel: pflog0: promiscuous mode enabled
Aug 11 14:46:01 kernel: pflog0: promiscuous mode disabled
Aug 11 14:31:01 kernel: pflog0: promiscuous mode enabled
Aug 11 14:31:01 kernel: pflog0: promiscuous mode disabled
Aug 11 14:16:01 kernel: pflog0: promiscuous mode enabled
Aug 11 14:16:01 kernel: pflog0: promiscuous mode disabled
Aug 11 14:01:01 kernel: pflog0: promiscuous mode enabled
Aug 11 14:01:01 kernel: pflog0: promiscuous mode disabled
Aug 11 13:46:01 kernel: pflog0: promiscuous mode enabled
Aug 11 13:46:01 kernel: pflog0: promiscuous mode disabled
Aug 11 13:31:01 kernel: pflog0: promiscuous mode enabled
Aug 11 13:31:01 kernel: pflog0: promiscuous mode disabled
Aug 11 13:16:01 kernel: pflog0: promiscuous mode enabled
Aug 11 13:16:01 kernel: pflog0: promiscuous mode disabled

Suricata running on both machines.

This event breaks transmissions between interfaces/across tunnels and is extremely annoying.

Only thing I found is this:

https://forum.opnsense.org/index.php?topic=13596.0

Any ideas what this means?

[guest15389]

I noticed the same thing recently:

Code Select Expand

pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled
pflog0: promiscuous mode disabled
pflog0: promiscuous mode enabled

[chemlud]

Any ideas? :-)

[franco]

Scheduled rules? It restarts the filter every 15 minutes...


Cheers,
Franco

[chemlud]

Nope, nothing scheduled to happen every 15 min here and it's on two systems with completely different configs...

[mimugmail]

Screenshot of cron please. For me it looks like rules update. Also Screenshot of running services

[chemlud]

Photos or it didn't happen :-p

Ok? :-)

[l0stnyc]

It took me a while to get registered on this forum but I also have the same issue every 15 mins at the same intervals at :01,:16,:31,:46.

The only cron job I have set up is to update IDS/IPS rules once a day at midnight. 

Other than that I cannot figure out what is triggering the enable/disable.  I appreciate any insight you guys can share.

[AdSchellevis]

looks like schedules, as Franco already said (1,16,31,46).

https://github.com/opnsense/core/blob/29b383c33b40196177e171d1575109ba684b6767/src/etc/inc/plugins.inc.d/pf.inc#L56-L63

[chemlud]

Who scheduled what? :-)

Hmmm:

Code Select Expand

if (isset($config['filter']['rule'])) {
        foreach ($config['filter']['rule'] as $rule) {
            if (empty($rule['disabled']) && !empty($rule['sched'])) {
                $jobs[]['autocron'] = array('/usr/local/etc/rc.filter_configure', '1,16,31,46');
                break;
            }
        }
    }

I'm not a coder, does that mean if there are ANY scheduled firewall rules at all, there will be filter reloads at 01, 16, 31 and 46?!?

[hirschferkel]

Since the update I get these messages every day, but there are no scheduled tasks running at all. these messages never appeared before the upgrade to the new release.

Code Select Expand

Aug 26 00:33:29 kernel: pflog0: promiscuous mode enabled
Aug 26 00:33:29 kernel: pflog0: promiscuous mode disabled
Aug 26 00:32:32 kernel: pflog0: promiscuous mode enabled
Aug 26 00:32:32 kernel: pflog0: promiscuous mode disabled
Aug 24 00:35:44 kernel: pflog0: promiscuous mode enabled
Aug 24 00:35:44 kernel: pflog0: promiscuous mode disabled
Aug 24 00:34:41 kernel: pflog0: promiscuous mode enabled
Aug 24 00:34:41 kernel: pflog0: promiscuous mode disabled

[AdSchellevis]

Usually this means that another process is trying to reload the filter over and over again, other log files and lines might shed some light on it. (backend, general in system).

Issues with a network card, leading to a lot of reconnects could be a possible reason.

[franco]

> I'm not a coder, does that mean if there are ANY scheduled firewall rules at all, there will be filter reloads at 01, 16, 31 and 46?!?

Yep, this is how firewall schedules have always been implemented in *sense minus a few modifications we've made over the years (most prominently not reloading at 00,15,30,45 because people would "test" and fail because their schedule missed or how states are labeled to be deleted from the system correctly).

The effort to rewrite this is not small -- not because the backend is hard but because the frontend with all its legacy JavaScript and current choices for data modelling is not very forthcoming to receive a facelift.


Cheers,
Franco

[chemlud]

Hi Franco, many thanks for your reply!

I have scheduled BLOCK rules (non-port specific, for selected LAN IPs) ABOVE of my (unscheduled, port-specific) ALLOW rules. With this setup in the past I had to clear all states to make the BLOCK work effectively.

Is in your experience a difference (any more?) in scheduled ALLOW vs. scheduled BLOCK rules regarding the clearing of states?

Many thanks in advance!