Date:      Thu, 21 Mar 2013 00:13:03 +0100
From:      Andreas Longwitz <longwitz@incore.de>
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: [patch] Reloading pf rules breaks connections on lo0
Message-ID:  <514A427F.9050804@incore.de>
In-Reply-To: <CAPBZQG19-ASoz-Cgd2bm9rJyqNw=kqHueKxvzwWgVFb62xJ5dg@mail.gmail.com>
References:  <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de> <CAPBZQG19-ASoz-Cgd2bm9rJyqNw=kqHueKxvzwWgVFb62xJ5dg@mail.gmail.com>

Thanks for the answer!

On 20.03.2013 16:23, Ermal Luçi wrote:
 > That is intended behavior.
What is intended behavior? Your reference is not clear to me.

 > There is an option -m to merge the configs which should not break it.
Ok, but this option never prevents pfctl from clearing all interface 
option flags. If you run the command from the man page
      echo "set loginterface fxp0" | pfctl -mf -
then every active running socket over lo0 breaks because the function
pfctl_clear_interface_flags() is called independent of the PF_OPT_MERGE
flag. In the example the option -m provokes that pfctl_load_logif() is 
called as intended, but not pfctl_load_limit(), pfctl_load_timeout(), 
pfctl_load_debug(), pfctl_load_hostid() and pfctl_file_fingerprints().

The lo0 breaking function pfctl_clear_interface_flags() is called when 
the flag PFCTL_FLAG_OPTION is set. This is the case with option -O but 
also if none of the options -N, -R, -A are set; that's a little bit 
tricky. Therefore pfctl -N -R -A -f /etc/pf.conf never breaks lo0 but 
does not do exactly the same as pfctl -f /etc/pf.conf because the flag 
PFCTL_FLAG_OPTION is not set.

Andreas Longwitz
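As an added example that is not part of this thread, the following POSIX sh check models the rule Andreas describes above (PFCTL_FLAG_OPTION is set by -O, or whenever none of -N, -R, -A is given, and -m does not change that) so an operator can tell, before running a reload, whether a given pfctl command line would call pfctl_clear_interface_flags() and drop active lo0 sockets. The function names `pfctl_would_clear_ifflags` and `safe_pfctl` are assumptions of this example, not part of pfctl.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfctl itself.
# pfctl_would_clear_ifflags ARGS...: returns 0 when the pfctl invocation
# would set PFCTL_FLAG_OPTION (and so clear the interface flags), 1 when
# it would not, and 2 when there is no -f at all (no ruleset load).
# This models only the rule stated in the mail, not the full pfctl getopt.
pfctl_would_clear_ifflags() {
    has_f=0 has_O=0 has_NRA=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            -?*) ;;            # an option cluster such as -mf or -NRA
            *) continue ;;     # a bare "-", a file name or other operand
        esac
        cluster=${arg#-}
        while [ -n "$cluster" ]; do
            c=${cluster%"${cluster#?}"}   # first character of the cluster
            cluster=${cluster#?}          # drop it
            case $c in
                O) has_O=1 ;;
                N|R|A) has_NRA=1 ;;
                f)  has_f=1
                    # -f takes a file argument: the rest of the cluster if
                    # present (e.g. -fpf.conf), otherwise the next word
                    [ -z "$cluster" ] && [ $# -gt 0 ] && shift
                    cluster= ;;
            esac
        done
    done
    [ $has_f -eq 1 ] || return 2
    [ $has_O -eq 1 ] && return 0
    [ $has_NRA -eq 0 ] && return 0
    return 1
}

# Assumed wrapper: refuse the form that clears the interface flags and
# point the operator at the -N -R -A variant from the mail instead.
safe_pfctl() {
    if pfctl_would_clear_ifflags "$@"; then
        echo "pfctl $*: would clear interface flags; use -N -R -A -f" >&2
        return 1
    fi
    pfctl "$@"
}
```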
