Netgate Discussion Forum

    root's crontab rc.filter_configure_sync added after force pfblockerNG

    pfBlockerNG
    5 Posts 1 Posters 793 Views
      totowentsouth

      I have an SG-4860 running pfsense 22.01-RELEASE with pfBlockerNG-devel 3.1.0_1.

      I applied the patch to fix the IP block logging not working which fixes the IP block logging issue.
      https://www.reddit.com/r/pfBlockerNG/comments/sk9txi/ip_block_logging_not_working_pfsense_260rc/hvv99s1/?utm_source=reddit&utm_medium=web2x&context=3

      After running a forced update to pfblocker, /etc/crontab has an additional entry:

      0,15,30,45     *       *       *       *       root    /etc/rc.filter_configure_sync
      

      I can comment out the line, run a force update in pfblocker, and the above line will return. A timestamp located above the block of entries matches the end of the pfblocker update run. For example:

      # pfSense specific crontab entries
      # Created: February 24, 2022, 10:29 pm
      

      I don't know exactly when this entry originated. However, I updated to 22.01 on February 18. Yesterday, I observed 1+ second ping spikes every 15 minutes and diagnosed to the entry in /etc/crontab.

      Does anyone know why this line would be added to /etc/crontab in the first place? Is this a pfblockerng issue?

      I have not uninstalled and reinstalled pfblockerng-devel; I hope to avoid that but am willing to as a last resort. I believe this entry is not re-added during the scheduled cron of pfblockerng updates.

      Also: I have pfsense CE 2.6.0-RELEASE on a protectli device running the same pfblockerng-devel and the same IP block logging patch applied. That setup does not have the offending entry in /etc/crontab nor does the entry get added during a force update.

      Any clues, thoughts or suggestions?

      Thanks!

        totowentsouth @totowentsouth

        Inspecting the pfsense source code, I have traced things down to this line being installed due to time based rules. If this means rules that have a time to enable/disable, then it's not new for my rule set. And this line has never been in /etc/crontab "indefinitely" in the past (b/c ping spikes every 15 minutes were not encountered - or maybe the spike was low enough to be overlooked).

        pfsense/etc/inc/filter.inc filter_configure_sync() .. appears to call filter_tdr_install(true) if time_based_rules is true; filter_tdr_install_cron() does the evil deed..

          totowentsouth @totowentsouth

          https://redmine.pfsense.org/issues/11636
          the outcome of the action described in here is exactly the issue I'm seeing..
          this issue is referenced in pfsense/etc/inc/filter.inc

            totowentsouth @totowentsouth

            I removed the schedule from all firewall rules that had a schedule and now pfblockerng updates (and all else) do not add the undesirable entry to /etc/crontab.

            I shall not make use of scheduled rules. Probably the high ping spike is due at least in part to the number of rules.

              totowentsouth @totowentsouth

              This is reported here: https://redmine.pfsense.org/issues/12827
              Forum discussion: https://forum.netgate.com/topic/169955/latency-spikes-during-filter-reload-ce-2-6-0
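
The check worked out across the posts above, as an added example that is not part of the thread and is not pfSense or pfBlockerNG code: it looks for an active `rc.filter_configure_sync` cron entry and for firewall rules that carry a schedule. The function names are hypothetical, the sample files are constructed, and the `/conf/config.xml` path and the `<sched>NAME</sched>` rule layout are assumptions about the pfSense configuration file.

```shell
#!/bin/sh
# Added example, not pfSense code. Paths and the <sched> layout are assumptions.

# Active (uncommented) crontab lines that run rc.filter_configure_sync.
sync_cron_entries() {
    awk '!/^[ \t]*#/ && index($0, "/etc/rc.filter_configure_sync")' "$1"
}

# Number of lines holding a non-empty <sched>NAME</sched> element.
scheduled_rule_count() {
    awk '/<sched>[^<]/ { n++ } END { print n + 0 }' "$1"
}

# Verdict: clean | scheduled-rules | orphaned
#   clean           no periodic filter reload in the crontab
#   scheduled-rules reload present and at least one rule has a schedule
#   orphaned        reload present although no rule has a schedule
diagnose() {
    if [ -z "$(sync_cron_entries "$1")" ]; then
        echo clean
    elif [ "$(scheduled_rule_count "$2")" -gt 0 ]; then
        echo scheduled-rules
    else
        echo orphaned
    fi
}

# Constructed sample input (not taken from a real firewall).
write_sample() {
    cat > "$1/crontab" <<'EOF'
# pfSense specific crontab entries
#0,15,30,45	*	*	*	*	root	/etc/rc.filter_configure_sync
0,15,30,45	*	*	*	*	root	/etc/rc.filter_configure_sync
1	3	*	*	*	root	/etc/rc.periodic daily
EOF
    cat > "$1/config.xml" <<'EOF'
<filter>
  <rule><type>pass</type><sched>WorkHours</sched></rule>
  <rule><type>block</type><sched></sched></rule>
</filter>
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
echo "sample: $(diagnose "$tmp/crontab" "$tmp/config.xml")"
# On the firewall itself (assumed paths): diagnose /etc/crontab /conf/config.xml
rm -rf "$tmp"
```
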
