I recently upgraded to PF 13.1 and have had a few issues, most of which I have 
been able to resolve. The only lingering issue I'm aware of is with iptables, 
but I'm not positive it's something to be concerned about because PF is working.

My PF server is ZEN running in VMware ESXi. The assigned hardware is 32 GB of 
RAM, 4 processors and 300 GB of disk space. My network consists of about 30 
nodes authenticating with 802.1X (Active Directory, and MAC Auth for non-AD 
devices). Memory and disk space are fine, but the CPU is constantly at 5 GHz of 
consumption (is that normal for the processor?)

Please see the details from packetfence.log and from systemctl status 
packetfence-iptables below:

packetfence.log:
Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: 
[mac:[undef]] getting security_events triggers for accounting cleanup 
(pf::accounting::acct_maintenance)
Jan 25 09:43:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(17) INFO: 
[mac:[undef]] processed 0 security_events during security_event maintenance 
(1706193787.30847 1706193787.36479) 
(pf::security_event::security_event_maintenance)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: saving existing 
iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: We are using IPSET 
(pf::ipset::iptables_generate)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: flushing iptables 
(pf::ipset::iptables_flush_mangle)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding IP based 
passthrough for connectivitycheck.gstatic.com 
(pf::iptables::generate_passthrough_rules)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: Adding NAT 
Masquerade statement. (pf::iptables::generate_passthrough_rules)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) INFO: restoring iptables 
from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
Jan 25 09:43:15 fence packetfence[562283]: -e(562283) WARN: Problem trying to 
run command: LANG=C /sbin/iptables-restore < 
/usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited 
with non-zero value 2 (pf::util::pf_run)
Jan 25 09:44:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(19) INFO: 
[mac:[undef]] processed 0 security_events during security_event maintenance 
(1706193846.10912 1706193846.12021) 
(pf::security_event::security_event_maintenance)
Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: 
[mac:[undef]] Using 300 resolution threshold 
(pf::pfcron::task::cluster_check::run)
Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(14) INFO: 
[mac:[undef]] getting security_events triggers for accounting cleanup 
(pf::accounting::acct_maintenance)
Jan 25 09:44:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: 
[mac:[undef]] All cluster members are running the same configuration version 
(pf::pfcron::task::cluster_check::run)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: saving existing 
iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) WARN: We are using IPSET 
(pf::ipset::iptables_generate)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: flushing iptables 
(pf::ipset::iptables_flush_mangle)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding IP based 
passthrough for connectivitycheck.gstatic.com 
(pf::iptables::generate_passthrough_rules)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: Adding NAT 
Masquerade statement. (pf::iptables::generate_passthrough_rules)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) INFO: restoring iptables 
from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
Jan 25 09:44:16 fence packetfence[562283]: -e(562283) WARN: Problem trying to 
run command: LANG=C /sbin/iptables-restore < 
/usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited 
with non-zero value 2 (pf::util::pf_run)
Jan 25 09:45:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(13) INFO: 
[mac:[undef]] processed 0 security_events during security_event maintenance 
(1706193906.17069 1706193906.18816) 
(pf::security_event::security_event_maintenance)
Jan 25 09:45:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(12) INFO: 
[mac:[undef]] getting security_events triggers for accounting cleanup 
(pf::accounting::acct_maintenance)
Jan 25 09:45:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(13) INFO: 
[mac:[undef]] Using 300 resolution threshold 
(pf::pfcron::task::cluster_check::run)
Jan 25 09:45:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(13) INFO: 
[mac:[undef]] All cluster members are running the same configuration version 
(pf::pfcron::task::cluster_check::run)
Jan 25 09:45:16 fence packetfence[562283]: -e(562283) INFO: saving existing 
iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)
Jan 25 09:45:16 fence packetfence[562283]: -e(562283) WARN: We are using IPSET 
(pf::ipset::iptables_generate)
Jan 25 09:45:16 fence packetfence[562283]: -e(562283) INFO: flushing iptables 
(pf::ipset::iptables_flush_mangle)
Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)
Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: Adding IP based 
passthrough for connectivitycheck.gstatic.com 
(pf::iptables::generate_passthrough_rules)
Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: Adding NAT 
Masquerade statement. (pf::iptables::generate_passthrough_rules)
Jan 25 09:45:17 fence packetfence[562283]: -e(562283) INFO: restoring iptables 
from /usr/local/pf/var/conf/iptables.conf (pf::iptables::iptables_restore)
Jan 25 09:45:17 fence packetfence[562283]: -e(562283) WARN: Problem trying to 
run command: LANG=C /sbin/iptables-restore < 
/usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited 
with non-zero value 2 (pf::util::pf_run)
Jan 25 09:46:06 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: 
[mac:[undef]] processed 0 security_events during security_event maintenance 
(1706193966.18047 1706193966.2038) 
(pf::security_event::security_event_maintenance)
Jan 25 09:46:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(15) INFO: 
[mac:[undef]] getting security_events triggers for accounting cleanup 
(pf::accounting::acct_maintenance)
Jan 25 09:46:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(16) INFO: 
[mac:[undef]] Using 300 resolution threshold 
(pf::pfcron::task::cluster_check::run)
Jan 25 09:46:07 fence pfperl-api-docker-wrapper[562338]: pfperl-api(16) INFO: 
[mac:[undef]] All cluster members are running the same configuration version 
(pf::pfcron::task::cluster_check::run)
Jan 25 09:46:17 fence packetfence[562283]: -e(562283) INFO: saving existing 
iptables to /usr/local/pf/var/iptables.bak (pf::iptables::iptables_save)


systemctl status packetfence-iptables:
● packetfence-iptables.service - PacketFence Iptables configuration
     Loaded: loaded (/lib/systemd/system/packetfence-iptables.service; enabled; 
vendor preset: enabled)
     Active: active (running) since Wed 2024-01-24 14:15:55 EST; 1h 17min ago
   Main PID: 562283 (perl)
      Tasks: 1 (limit: 38474)
     Memory: 188.3M
        CPU: 46.312s
     CGroup: /packetfence.slice/packetfence-iptables.service
             └─562283 /usr/bin/perl -I/usr/local/pf/lib 
-I/usr/local/pf/lib_perl/lib/perl5 -Mpf::db -Mpf::services::manager::iptables 
-e my $db ; while(!$db) { eval { $db = db_ping() } ; sleep 1 } ; 
pf::services::manager::iptables->new()->startAndCheck()

Jan 24 15:33:11 fence.sixmoore.com sudo[752059]: pam_unix(sudo:session): 
session closed for user root
Jan 24 15:33:11 fence.sixmoore.com sudo[752062]:     root : PWD=/ ; USER=root ; 
COMMAND=/usr/sbin/ipset --add pfsession_passthrough 172.217.13.99,443
Jan 24 15:33:11 fence.sixmoore.com sudo[752062]: pam_unix(sudo:session): 
session opened for user root(uid=0) by (uid=0)
Jan 24 15:33:11 fence.sixmoore.com sudo[752062]: pam_unix(sudo:session): 
session closed for user root
Jan 24 15:33:11 fence.sixmoore.com packetfence[562283]: -e(562283) INFO: Adding 
NAT Masquerade statement. (pf::iptables::generate_passthrough_rules)
Jan 24 15:33:11 fence.sixmoore.com packetfence[562283]: -e(562283) INFO: 
restoring iptables from /usr/local/pf/var/conf/iptables.conf 
(pf::iptables::iptables_restore)
Jan 24 15:33:11 fence.sixmoore.com perl[752066]: iptables-restore v1.8.7 
(nf_tables): invalid port/service `%%httpd_collector_port%%' specified
Jan 24 15:33:11 fence.sixmoore.com perl[752066]: Error occurred at line: 62
Jan 24 15:33:11 fence.sixmoore.com perl[752066]: Try `iptables-restore -h' or 
'iptables-restore --help' for more information.
Jan 24 15:33:11 fence.sixmoore.com packetfence[562283]: -e(562283) WARN: 
Problem trying to run command: LANG=C /sbin/iptables-restore < 
/usr/local/pf/var/conf/iptables.conf called from iptables_restore. Child exited 
with non-zero value 2 (pf::util::pf_run)

I looked at the /usr/local/pf/var/conf/iptables.conf file and line 62 reads: -A 
input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% 
--jump ACCEPT


Thanks
Dave
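The failing line quoted above still carries a template token (%%httpd_collector_port%%) that was never rendered into a port number, and iptables-restore aborts on the parse error, so the rules in that file are not loaded as intended every minute the service retries. The following added example (not PacketFence's own code) is a pre-flight check that reports any unsubstituted %%NAME%% tokens in a rendered iptables.conf before it is handed to iptables-restore; the sample config it writes is constructed, and the PF_IPTABLES_DRYRUN variable is an assumption of this example.

```shell
#!/bin/sh
# Pre-flight check for a rendered PacketFence iptables.conf. Added example,
# not PacketFence code: it finds %%NAME%% template tokens that were never
# substituted (the cause of the "invalid port/service
# `%%httpd_collector_port%%'" error) and refuses to pass such a file on.

PLACEHOLDER_RE='%%[A-Za-z0-9_]*%%'

# Print "line:token" for each unsubstituted placeholder in file $1.
find_placeholders() {
    grep -n -o "$PLACEHOLDER_RE" "$1"
}

# Number of unsubstituted placeholders in file $1 (0 when clean).
count_placeholders() {
    grep -o "$PLACEHOLDER_RE" "$1" | wc -l | tr -d ' '
}

# Returns 0 when $1 is safe to hand to iptables-restore, 1 when placeholders
# remain (listed on stderr), 2 when an optional syntax-only dry run with
# `iptables-restore --test` rejects it. The dry run needs CAP_NET_ADMIN, so
# it only runs when PF_IPTABLES_DRYRUN=1 (an assumed knob) is set.
preflight_iptables_conf() {
    conf="$1"
    if [ "$(count_placeholders "$conf")" -ne 0 ]; then
        echo "refusing to apply $conf: unsubstituted template placeholders" >&2
        find_placeholders "$conf" >&2
        return 1
    fi
    if [ "${PF_IPTABLES_DRYRUN:-0}" = 1 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$conf" || return 2
    fi
    return 0
}

# Constructed sample (not the poster's real file): one rendered rule and one
# rule whose --dport is whatever $2 holds, e.g. a leftover placeholder.
write_sample_conf() {
    cat > "$1" <<EOF
*filter
:input-management-if - [0:0]
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport $2 --jump ACCEPT
COMMIT
EOF
}
```

Run preflight_iptables_conf against /usr/local/pf/var/conf/iptables.conf after PacketFence regenerates it; a non-zero return pinpoints the line that iptables-restore would choke on.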
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users