pfblockerNG 3.2.0_7 new process?
-
Hi,
I see after the Update to 3.2.0_7 there is a new process:
24171 - S 0:05,89 tail_pfb: system.fileargs (tail_pfb)
What could that be? "system.fileargs" sounds like some declaration is wrong ... or?
-
Interesting,
is tail_pfb (edit: distributed as) part of the pfblockerNG package?
on my test machine,
the timestamp on the tail_pfb file is more in line with the build/install of the 2.7.1 upgrade than it is with the install of _7 of pfBlockerNG
from what I quickly looked at for changes in _7 it appears to be a change of 1 line of code, related to a config_set_path typo
https://github.com/pfsense/FreeBSD-ports/commit/bd3ae22c8740dad7db80a893038990c83b55700f
https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-pfBlockerNG
the changes prior to that from _5 to _6 are stamped Aug 13
My test machine is virtual so I can roll back to before 2.7.1 and test, but no time to do that right now.
Edit 2: after a reboot on the virtual I actually see this: (so 2 of each)
Edit 3: the pkg does not appear to include this file (the contents of the pkg being).
pfSense-pkg-pfBlockerNG-3.2.0_7:
    /etc/inc/priv/pfblockerng.priv.inc
    /usr/local/pkg/pfblockerng.xml
    /usr/local/pkg/pfblockerng/dnsbl_tld
    /usr/local/pkg/pfblockerng/ip_pre_AWS_AF.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_ALL_REGIONS.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_AP.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_AP_EAST.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_AP_NORTHEAST.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_AP_SOUTH.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_AP_SOUTHEAST.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_CA.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_CN.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_CN_NORTH.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_CN_NORTHWEST.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_EU.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_EU_CENTRAL.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_EU_NORTH.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_EU_SOUTH.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_EU_WEST.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_IL.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_ME.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_ME_CENTRAL.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_ME_SOUTH.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_SA.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_US.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_US_EAST.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_US_GOV.sh
    /usr/local/pkg/pfblockerng/ip_pre_AWS_US_WEST.sh
    /usr/local/pkg/pfblockerng/pfb_dnsbl.doh.conf
    /usr/local/pkg/pfblockerng/pfb_dnsbl.safesearch.conf
    /usr/local/pkg/pfblockerng/pfb_dnsbl.youtube_restrict.conf
    /usr/local/pkg/pfblockerng/pfb_dnsbl.youtube_restrictmoderate.conf
    /usr/local/pkg/pfblockerng/pfb_py_hsts.txt
    /usr/local/pkg/pfblockerng/pfb_unbound.py
    /usr/local/pkg/pfblockerng/pfb_unbound_include.inc
    /usr/local/pkg/pfblockerng/pfblockerng.inc
    /usr/local/pkg/pfblockerng/pfblockerng.sh
    /usr/local/pkg/pfblockerng/pfblockerng_extra.inc
    /usr/local/pkg/pfblockerng/pfblockerng_install.inc
    /usr/local/pkg/pfblockerng/shallalist_global_usage
    /usr/local/pkg/pfblockerng/ut1_global_usage
    /usr/local/share/licenses/pfSense-pkg-pfBlockerNG-3.2.0_7/APACHE20
    /usr/local/share/licenses/pfSense-pkg-pfBlockerNG-3.2.0_7/LICENSE
    /usr/local/share/licenses/pfSense-pkg-pfBlockerNG-3.2.0_7/catalog.mk
    /usr/local/share/pfSense-pkg-pfBlockerNG/info.xml
    /usr/local/www/pfblockerng/pfBlockerNG.js
    /usr/local/www/pfblockerng/pfblockerng.php
    /usr/local/www/pfblockerng/pfblockerng_alerts.php
    /usr/local/www/pfblockerng/pfblockerng_asn.txt
    /usr/local/www/pfblockerng/pfblockerng_blacklist.php
    /usr/local/www/pfblockerng/pfblockerng_category.php
    /usr/local/www/pfblockerng/pfblockerng_category_edit.php
    /usr/local/www/pfblockerng/pfblockerng_dnsbl.php
    /usr/local/www/pfblockerng/pfblockerng_feeds.json
    /usr/local/www/pfblockerng/pfblockerng_feeds.php
    /usr/local/www/pfblockerng/pfblockerng_general.php
    /usr/local/www/pfblockerng/pfblockerng_ip.php
    /usr/local/www/pfblockerng/pfblockerng_log.php
    /usr/local/www/pfblockerng/pfblockerng_safesearch.php
    /usr/local/www/pfblockerng/pfblockerng_sync.php
    /usr/local/www/pfblockerng/pfblockerng_threats.php
    /usr/local/www/pfblockerng/pfblockerng_update.php
    /usr/local/www/pfblockerng/www/dnsbl_default.php
    /usr/local/www/pfblockerng/www/index.php
    /usr/local/www/widgets/include/widget-pfblockerng.inc
    /usr/local/www/widgets/javascript/pfblockerng.js
    /usr/local/www/widgets/widgets/pfblockerng.widget.php
    /usr/local/www/wizards/pfblockerng_wizard.inc
    /usr/local/www/wizards/pfblockerng_wizard.xml
-
@jrey said in pfblockerNG 3.2.0_7 new process?:
is tail_pfb (edit: distributed as) part of the pfblockerNG package?
Not quite, it's an exact copy of /usr/bin/tail ...
link('/usr/bin/tail', '/usr/bin/tail_pfb');
from what I quickly looked at for changes in _7 it appears to be a change of 1 line of code, related to a config_set_path typo
That's what I saw too ... strange ...
But pfblocker runs flawlessly so let it be ...
(Good to know it's not only me :-))
-
Where are you seeing the link being made?
on a system 2.7.1 where _7 has been installed
they are the same
however on a system running 23.09 and _6
they are clearly different files
so depending on where you see the link line you are showing being made it is different. as you correctly point out tail is part of the core initially
-
@jrey said in pfblockerNG 3.2.0_7 new process?:
Where are you seeing the link being made?
in pfblockerng.inc
-
That link appears to be conditional,
// clog is not required for pfSense 2.5 and above
if (substr(trim(file_get_contents('/etc/version')), 0, 3) > '2.5' && file_exists('/usr/local/sbin/clog_pfb')) {
    unlink_if_exists('/usr/local/sbin/clog_pfb');
    unlink_if_exists('/usr/bin/tail_pfb');
    link('/usr/bin/tail', '/usr/bin/tail_pfb');
    restart_service('pfb_filter');
}
and the second part of the conditional (the file exists check)
ls: /usr/local/sbin/clog_pfb: No such file or directory
now also interesting is that on 23.09 and _6 the code is the same - the file clog_pfb does not exist there either.
# Start pfBlockerNG Firewall filter Daemon
if [ -e '/var/log/filter.log' ]; then
    /usr/bin/logger -p daemon.info -t "\${filter_type}" "[pfBlockerNG] Firewall Filter Service started"
    if [ "\${filter_type}" == 'clog_pfb' ]; then
        /usr/local/sbin/clog_pfb -f /var/log/filter.log | /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog &
    else
        /usr/bin/tail_pfb -n0 -F /var/log/filter.log | /usr/local/bin/php_pfb -f /usr/local/pkg/pfblockerng/pfblockerng.inc filterlog &
    fi
fi
have to check other files but within the pfblockerng.inc - linking and unlinking the file and starting tail_pfb are the only places the tail_pfb exists. and since the parameters there are static in the code. Very strange the process is showing this.
tail_pfb: system.fileargs
-
@jrey said in pfblockerNG 3.2.0_7 new process?:
Very strange the process is showing this.
tail_pfb: system.fileargs
Here is the complete output of
ps ax | grep tail_pfb
23227 - SC 0:11,83 /usr/bin/tail_pfb -n0 -F /var/log/filter.log
24171 - S 0:08,95 tail_pfb: system.fileargs (tail_pfb)
86550 - S 0:00,00 sh -c ps ax | grep tail_pfb 2>&1
86948 - S 0:00,00 grep tail_pfb
-
yup similar to what I was showing above but at the time, I had two of each.
So, since I don't mind break/fixing this non-production test machine,
I manually broke the link, and rebooted.
pfblocker appears to be doing all the things I expect (still testing)
the filter.log is still populating,
the dashboard is still updating
and there is no tail_pfb process running at all. going to let this run a bit.
I can't see how, since the link is conditional on both version and a file that doesn't exist, it would ever link the files. And at the same time it seems that the condition it wants to make the link on is wrong. (I'll try that later)
think it should be (version > "2.5" and NOT file exists), that being if the system is new and not running clog then link the file
-
@jrey said in pfblockerNG 3.2.0_7 new process?:
yup similar to what I was showing above but at the time, I had two of each.
So, since I don't mind break/fixing this non-production test machine,
I manually broke the link, and rebooted.
Thanks anyway that you are spending your time ...
think it should be (version > "2.5" and NOT file exists), that being if the system is new and not running clog then link the file
Yes that is the logic behind. pfsense above 2.5 is not using clog anymore so tail is what has to be used ...
EDIT:
On a Lab machine, output of "ps ax | grep tail_pfb" (same pfsense version 2.7.1) with pfblockerNG 3.2.0_6 (before update):
11696 - S 0:00,00 sh -c ps ax | grep tail_pfb 2>&1
12025 - S 0:00,00 grep tail_pfb
27636 - S 0:00,01 /usr/bin/tail_pfb -n0 -F /var/log/filter.log
and after update to 3.2.0_7:
45276 - SC 0:00,01 /usr/bin/tail_pfb -n0 -F /var/log/filter.log
45907 - S 0:00,00 tail_pfb: system.fileargs (tail_pfb)
80307 - S 0:00,00 sh -c ps ax | grep tail_pfb 2>&1
80650 - S 0:00,00 grep tail_pfb
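
Several posts above compare /usr/bin/tail with /usr/bin/tail_pfb to work out whether the link() call in pfblockerng.inc ran. The following is an added example, not part of any post or of the pfBlockerNG package, that classifies a pair of paths as hard link, byte-identical copy, different file, or missing; the function names classify_pair and link_count are made up here, and the default paths are the two named in the thread.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code). Classify how two paths relate:
#   hardlink  - same device and inode, which is what link() produces
#   copy      - separate inodes, byte-identical content
#   different - separate inodes, content differs
#   missing   - at least one of the paths does not exist
classify_pair() {
    orig=$1
    alias_path=$2
    if [ ! -e "$orig" ] || [ ! -e "$alias_path" ]; then
        echo missing
    elif [ "$orig" -ef "$alias_path" ]; then
        echo hardlink
    elif cmp -s "$orig" "$alias_path"; then
        echo copy
    else
        echo different
    fi
}

# Hard-link count of a file (second column of `ls -l`).
# A binary that has one extra hard link reports 2.
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Defaults are the two paths from the thread; pass other paths as arguments.
main() {
    orig=${1:-/usr/bin/tail}
    alias_path=${2:-/usr/bin/tail_pfb}
    state=$(classify_pair "$orig" "$alias_path")
    echo "$orig vs $alias_path: $state"
    if [ "$state" != missing ]; then
        echo "link count of $alias_path: $(link_count "$alias_path")"
    fi
}

main "$@"
```

A result of "different" on a system where the package expects a hard link means the alias was not created by the link() call shown in the thread and is worth checking against the base system's own tail binary.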