Netgate Discussion Forum

    Pfblocker packets (hits) counter has gone up since 2.2 update (multiplier added)

    21 Posts 7 Posters 3.0k Views
    • J
      JohnPFsense
      last edited by

      Hi,

      Since I updated to pfsense 2.2 the packet counter in the pfblocker dashboard widget goes up very high. All counts end in 0 so 199 becomes 1990 and 5 becomes 50. Everything seems to work ok. It seems to multiply the counts by 10 ??? when I compare the counter to firewall logs.
      I see that soon pfblockerNG will be available so I'm not really sure if it's worth the trouble to find a fix assuming that pfblockerNG has an accurate counter.

      John

      1 Reply Last reply Reply Quote 0
      • L
        LinuxTracker
        last edited by

        @JohnPFsense:

        Since I updated to pfsense 2.2 the packet counter in the pfblocker dashboard widget goes up very high.

        I have that too.  Values don't seem to ever reset, not even on filter reload.
        They do reset on pfBlocker reload which has me wondering if my lists are updating.

        1 Reply Last reply Reply Quote 0
        • marcellocM
          marcelloc
          last edited by

          As pfblockerng is way ahead, I'll test it and probably remove pfblocker from 2.2 package list.

          Treinamentos de Elite: http://sys-squad.com

          Help a community developer! ;D

          1 Reply Last reply Reply Quote 0
          • D
            doktornotor Banned
            last edited by

            @marcelloc:

            As pfblockerng is way ahead, I'll test it and probably remove pfblocker from 2.2 package list.

            Sadly, the merged stuff for pfBlockerNG does not include fixes for this.

            1 Reply Last reply Reply Quote 0
            • C
              Cino
              last edited by

              @doktornotor:

              @marcelloc:

              As pfblockerng is way ahead, I'll test it and probably remove pfblocker from 2.2 package list.

              Sadly, the merged stuff for pfBlockerNG does not include fixes for this.

              what do you mean? It has the code within the package.. it would be ideal for it to already be in pfsense base tho

              1 Reply Last reply Reply Quote 0
              • D
                doktornotor Banned
                last edited by

                I mean it's been merged one month ago and needs a refresh to include fixes for the issue I linked (and others).

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  Is pfblockerng affected by the IP range function change too?

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • D
                    doktornotor Banned
                    last edited by

                    @marcelloc:

                    Is pfblockerng affected by the IP range function change too?

                    Yes. (Not current BBCan's repo, been fixed there for a couple of weeks… the pfSense repo stuff is outdated.)

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      I'll ping bbcan to see if I can help…

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • BBcan177B
                        BBcan177 Moderator
                        last edited by

                        Yes, the merged copy that is in the pfSense repo uses the existing range to cidr function. But there have been some recent commits that seem to have affected this function when converting some of the IBlock lists. There are days when some lists would crash PHP and some days where it wouldn't… So I suspect that when a certain range is converted that it will crash PHP...

                        Stilez has a Pull Request for a new range to cidr function that also has IPv6 capability. I use this function to convert the Maxmind IPv6 Country Database into cidr format...

                        https://github.com/pfsense/pfsense/pull/974

                        So when this issue arose, I referenced this new function instead. But this is only available in my private repo.

                        To make use of this new function, I need to add:

                        File: pfblockerng.inc

                        require_once ("/usr/local/www/pfblockerng/pfblockerng.php");

                        and modify these two lines to reference the new Stilez function which already exists in the pfblockerng.php file.

                        1766:  $a_cidr = ip_range_to_subnet_array_temp($matches[1],$matches[2]);
                        1984:  $a_cidr = ip_range_to_subnet_array_temp($matches[1],$matches[2]);

                        or wait for the devs to fix the range to cidr function, or merge Stilez function.

                        "Experience is something you don't get until just after you need it."

                        Website: http://pfBlockerNG.com
                        Twitter: @BBcan177  #pfBlockerNG
                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                        1 Reply Last reply Reply Quote 0
                        • BBcan177B
                          BBcan177 Moderator
                          last edited by

                          @marcelloc:

                          As pfblockerng is way ahead, I'll test it and probably remove pfblocker from 2.2 package list.

                          The issue with the widget for the pfBlocker code in 2.2, is the pfctl Label format has an extra CSV column:

                          This is the existing line ( works for 2.1.5 and below ) :

                          if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/",$line,$matches))
                          

                          For 2.2, it needs to use the following line:

                          if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/", $line, $matches)) 
                          

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                          1 Reply Last reply Reply Quote 0
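Added example (not part of the thread and not pfBlocker's own code): why the 2.1.5 pattern returns a different number once a line carries one more counter column, and a parse that indexes the counters instead of counting them. The sample lines, the counter values and the function names `widget_packets` and `parse_label_line` are constructed for illustration; the thread does not say which column 2.2 added, so the sample simply appends one.

```php
<?php
// Added illustration, not pfBlocker code. Sample lines are constructed:
// a rule label followed by whitespace-separated counters (values arbitrary).
const RE_215 = '/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/';
const RE_22  = '/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/';

// What the widget does with either pattern: capture group 2 is the packet count.
function widget_packets(string $regex, string $line): ?int
{
    return preg_match($regex, $line, $m) ? (int)$m[2] : null;
}

// Hypothetical alternative: anchor the trailing run of counters to the end of
// the line and index into it. The result does not depend on how many counters
// follow, as long as the packet count stays the second one.
function parse_label_line(string $line): ?array
{
    if (!preg_match('/^USER_RULE: (\w+).*?((?:\s+\d+)+)\s*$/', $line, $m)) {
        return null;
    }
    $counters = preg_split('/\s+/', trim($m[2]));
    if (count($counters) < 2) {
        return null;              // no packet column to read
    }
    return [
        'alias'   => $m[1],
        'packets' => (int)$counters[1],
        'columns' => count($counters),
    ];
}

$seven = 'USER_RULE: pfBlockerSample auto rule 1200 199 11940 199 11940 0 0';
$eight = $seven . ' 3';           // same line with one more counter appended

// Neither pattern is anchored and ".*" is greedy, so each one binds to the
// LAST seven (or eight) counters on the line.
var_dump(widget_packets(RE_215, $seven)); // second counter, as intended
var_dump(widget_packets(RE_215, $eight)); // slides right: third counter is captured
var_dump(widget_packets(RE_22, $eight));  // second counter again
var_dump(widget_packets(RE_22, $seven));  // no match, so the widget has no count

// The indexed parse reads the second counter from both layouts.
var_dump(parse_label_line($seven)['packets'], parse_label_line($eight)['packets']);
```

Because the eight-counter pattern fails outright on a seven-counter line, a widget that must run on both releases needs either a version switch or a parse that does not depend on the column count.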
                          • L
                            LinuxTracker
                            last edited by

                            @BBcan177:

                            For 2.2, it needs to use the following line:

                            if (preg_match("/USER_RULE: (\w+).*\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+\s+\d+/", $line, $matches)) 
                            

                            I edited /usr/local/www/widgets/widgets/pfBlocker.widget.php and replaced the code with BBcan177's and my packet counts seem more reasonable.

                            Thanks BB!

                            1 Reply Last reply Reply Quote 0
                            • BBcan177B
                              BBcan177 Moderator
                              last edited by

                              @LinuxTracker:

                              Is that last bracket supposed to be there? If so, where does it close?

                              I modified my original post above. I have that in an if/else statement to use the correct line depending on 2.1.5 / 2.2 version of pfSense.

                              "Experience is something you don't get until just after you need it."

                              Website: http://pfBlockerNG.com
                              Twitter: @BBcan177  #pfBlockerNG
                              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                Merge to pfSense may take longer than package commit.

                                Until it gets merged, isn't it better to send a fix to the package?

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • BBcan177B
                                  BBcan177 Moderator
                                  last edited by

                                  Here is the Pull Request to provide a temporary fix for the IBlock Range to CIDR issue:

                                  https://github.com/pfsense/pfsense-packages/pull/796

                                  "Experience is something you don't get until just after you need it."

                                  Website: http://pfBlockerNG.com
                                  Twitter: @BBcan177  #pfBlockerNG
                                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                  1 Reply Last reply Reply Quote 0
                                  • marcellocM
                                    marcelloc
                                    last edited by

                                    Great. I'll send a pull request to get pfblocker working on 2.2 until ng is released.

                                    Treinamentos de Elite: http://sys-squad.com

                                    Help a community developer! ;D

                                    1 Reply Last reply Reply Quote 0
                                    • J
                                      JohnPFsense
                                      last edited by

                                      BBcan177's solution works great.
                                      Turns out editing the php file from pfsense was very easy.

                                      I started my post as just an observation. Never expected a fix in less than 24 hrs. Amazing  8)

                                      John

                                      1 Reply Last reply Reply Quote 0
                                      • marcellocM
                                        marcelloc
                                        last edited by

                                        @JohnPFsense:

                                        Never expected a fix in less than 24 hrs. Amazing  8)

                                        Community helping community  :)

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • BBcan177B
                                          BBcan177 Moderator
                                          last edited by

                                          @marcelloc:

                                          @JohnPFsense:

                                          Never expected a fix in less than 24 hrs. Amazing  8)

                                          Community helping community  :)

                                          Actually less than 3 Hrs!  8)

                                          "Experience is something you don't get until just after you need it."

                                          Website: http://pfBlockerNG.com
                                          Twitter: @BBcan177  #pfBlockerNG
                                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                                          1 Reply Last reply Reply Quote 0
                                          • G
                                            garthk
                                            last edited by

                                            Any idea if/when the PFBlocker package will be available or should I switch to the new beta?

                                            Thanx,
                                            Garth

                                            1 Reply Last reply Reply Quote 0