
pf: `filterlog -l` stalls while DIOCGETRULES/DIOCGETRULE

Open. Monviech opened this issue 1 month ago • 1 comment

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

In some setups with thousands of firewall rules, aliases and NAT rules, and 100+ vlans, `filterlog -l` can cause an interruption in the network stack for some (yet) unknown reason.

This causes "lagg" interfaces and their connected "vlan" devices to briefly change state to down and back up in a 3-4s time window.

The same test was done with `pfctl -rs labels`, which did not cause any interruption.

Describe the solution you'd like

Improve `filterlog -l` to behave the same way as `pfctl -rs labels`.

Describe alternatives you've considered

None

Additional context

None

Monviech, Nov 24 '25 08:11

Workaround using a filterlog that does not read rule labels:

# pkg add -f https://pkg.opnsense.org/FreeBSD:14:amd64/snapshots/misc/filterlog-0.7_2.pkg

Test kernel for read lock change:

# opnsense-update -zkr 25.7.8-ioctl

fichtner, Nov 27 '25 11:11

Fixed in 25.7.10.

fichtner, Dec 17 '25 12:12