pfBlockerNG 2.2.5_27 cron update and traffic loss
-
Recently updated to 2.2.5_27, and since then I've noticed traffic loss (established connections failing) during the hourly update process.
System logs:
Dec 8 10:06:30 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload Dec 8 10:00:00 php [pfBlockerNG] Starting cron process.Things start failing right around the "no changes to firewall rules" message, and after about ~30-45sec previous connections re-establish (new TCP sessions), and new connections can establish.
Sometimes, but not always these messages are seen as well:
sonewconn: pcb 0xfffff8022bb13000: Listen queue overflow: 8 already in queue awaiting acceptance (1 occurrences)Haven't noticed a spike in CPU, memory, etc. during this process.
Any thoughts regarding where to look further?
-
@asdjklfjkdslfdsaklj said in pfBlockerNG 2.2.5_27 cron update and traffic loss:
and after about ~30-45sec previous connections re-establish
Let me guess, that is the time unbound (the dns cache + resolver) takes to restart ?
And will it's going down, and restarts, during this tame : no more DND cache, no more answers to DNS requests.
( compare captivity of your logs mentioned above with the DNS log at the same time )
-
Looks like "kill states" being enabled was killing things. This wasn't happening previously, so need to ascertain whether or not an erroneous item in a list is causing this to fail before recovering, or something to do with pfBlockerNG itself.
As an aside, no, no issues with name resolution.
-
@asdjklfjkdslfdsaklj said in pfBlockerNG 2.2.5_27 cron update and traffic loss:
As an aside, no, no issues with name resolution.
Well, I'm still curious to know what the time is between "unbound stop" and "unbound started".
-
@Gertjan said in pfBlockerNG 2.2.5_27 cron update and traffic loss:
@asdjklfjkdslfdsaklj said in pfBlockerNG 2.2.5_27 cron update and traffic loss:
As an aside, no, no issues with name resolution.
Well, I'm still curious to know what the time is between "unbound stop" and "unbound started".
None, given "Resolver Live Sync" is enabled.
