Firewall log - prevent memory exhaustion using the new streaming functions. closes https://github.com/opnsense/core/issues/6680

2026-03-14 08:34:39 +00:00 · 2023-11-22 21:55:25 +01:00 · 2023-11-22 21:55:25 +01:00 · cee33f5393
commit cee33f5393
parent 28b99101d4
3 changed files with 24 additions and 11 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/LogController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Diagnostics/Api/LogController.php
@ -52,8 +52,8 @@ class LogController extends ApiControllerBase
        ]);

        $backend = new Backend();
+        $this->sessionClose();
        if ($this->request->isPost() && substr($name, -6) == 'Action') {
-            $this->sessionClose();
            if ($action == "clear") {
                $backend->configdpRun("system clear log", array($module, $scope));
                return ["status" => "ok"];
@ -98,17 +98,20 @@ class LogController extends ApiControllerBase
                    $severities = is_array($severities) ? implode(",", $severities) : $severities;
                    $severities = $filter->sanitize($severities, "query");
                }
-                $response = $backend->configdpRun("system diag log", [
+                $response = $backend->configdpStream("system diag log_stream", [
                    0, 0, $searchPhrase, $module, $scope, $severities
                ]);
-                $this->response->setRawHeader("Content-Type: text/csv");
-                $this->response->setRawHeader("Content-Disposition: attachment; filename=" . $scope . ".log");
-                foreach (json_decode($response, true)['rows'] as $row) {
-                    printf("%s\t%s\t%s\t%s\n", $row['timestamp'], $row['severity'], $row['process_name'], $row['line']);
-                }
+                header('Content-Type: text/csv');
+                header("Content-Disposition: attachment; filename=" . $scope . ".log");
+                header("Content-Transfer-Encoding: binary");
+                header("Pragma: no-cache");
+                header("Expires: 0");
+                ob_end_flush();
+                rewind($response);
+                fpassthru($response);
                return;
            }
        }
-        return array();
+        return [];
    }
 }
--- a/src/opnsense/scripts/syslog/queryLog.py
+++ b/src/opnsense/scripts/syslog/queryLog.py
@ -123,12 +123,16 @@ if __name__ == '__main__':
                        if len(severity) == 0 or record['severity'] is None or record['severity'] in severity:
                            result['total_rows'] += 1
                            if (len(result['rows']) < limit or limit == 0) and result['total_rows'] >= offset:
-                                result['rows'].append(record)
+                                if inputargs.output == 'json':
+                                    result['rows'].append(record)
+                                else:
+                                    print("%(timestamp)s\t%(severity)s\t%(process_name)s\t%(line)s" % record)
                            elif limit > 0 and result['total_rows'] > offset + limit:
                                # do not fetch data until end of file...
                                break
            if limit > 0 and result['total_rows'] > offset + limit:
                break

-    # output results
-    print(ujson.dumps(result))
+    # output results (when json)
+    if inputargs.output == 'json':
+        print(ujson.dumps(result))
--- a/src/opnsense/service/conf/actions.d/actions_system.conf
+++ b/src/opnsense/service/conf/actions.d/actions_system.conf
@ -10,6 +10,12 @@ parameters:--limit %s --offset %s --filter %s  --module %s --filename %s --sever
 type:script_output
 message:Show log

+[diag.log_stream]
+command:/usr/local/opnsense/scripts/syslog/queryLog.py
+parameters:--limit %s --offset %s --filter %s  --module %s --filename %s --severity %s --output text
+type:stream_output
+message:Stream log
+
 [clear.log]
 command:/usr/local/opnsense/scripts/syslog/clearlog.php
 parameters:-m%s -f%s