From owner-freebsd-rc@FreeBSD.ORG Sun Apr 3 19:34:06 2005
From: Sean Chittenden
To: rc@FreeBSD.org
cc: mlaier@FreeBSD.org
Date: Sun, 3 Apr 2005 12:34:05 -0700
Message-ID: <20050403193405.GA41736@sean.gigave.com>
Subject: rc.d/pf reload behavior oddity...
List-Id: Discussion related to /etc/rc.d design and implementation.

Howdy. I'd like to wager that `rc.d/pf's reload` has an unintended behavior that I'd like to correct.

Right now `rc.d/pf reload` does a -Fa which clears everything (tables, rules, queues, and pf's state table). I'd like to propose that rc.d/pf flush everything but the state tables, i.e.:

Index: pf
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/pf,v
retrieving revision 1.6
diff -u -r1.6 pf
--- pf	25 Oct 2004 08:12:28 -0000	1.6
+++ pf	3 Apr 2005 19:22:51 -0000
@@ -75,7 +75,7 @@
 	echo "Reloading pf rules."

 	${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
-	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
+	${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
 	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
 }

Which I believe is the intended behavior. The rationale being that if you've got a system and are making changes to the firewall, you want to keep existing state entries to prevent resetting everyone's existing TCP connections, but do want to load a new set of rules, queues, tables, filters, etc. If you're local to the machine and want to clear the state tables, people should use `rc.d/pf restart` instead.

Is it okay for me to apply the above patch and MFC it after 5.4 is released?

-sc

--
Sean Chittenden

From owner-freebsd-rc@FreeBSD.ORG Sun Apr 3 20:50:32 2005
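Review bot: the `+` line keeps the `> /dev/null 2>&1` redirect and has no `|| return 1`, so a failed flush (for instance a pfctl that does not accept one of the listed `-F` modifiers) is silent and the script goes on to load the new ruleset on top of whatever was not flushed; the preceding `-n -f "${pf_rules}" || return 1` line already returns on failure, and giving the flush the same treatment would keep the error visible. The behavioural change should also be spelled out in the commit message and wherever `rc.d/pf reload` is documented: with the state table kept, a connection that the new ruleset would block stays open until its state entry expires, and `rc.d/pf restart` remains the way to clear states.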
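As an added illustration of the reload sequence discussed in this thread (parse-check the ruleset, flush everything but states, load), here is a stand-alone POSIX sh helper; it is not the rc.d/pf script and not the patch above. It assumes a `PFCTL` variable naming the pfctl binary (defaulting to /sbin/pfctl) so that the control flow can be exercised with a stub, and the names `pf_reload` and `PF_FLUSH_KEEP_STATES` are chosen here. It goes beyond the patch in one way: it makes the "keep states" choice a parameter so the `-Fa` and selective-flush paths sit side by side, and it checks the exit status of every step.

```sh
#!/bin/sh
# Added example, not the FreeBSD rc.d/pf script.
# PFCTL is overridable (assumption) so the logic can be run with a stub
# instead of the real /sbin/pfctl.
PFCTL=${PFCTL:-/sbin/pfctl}

# Everything that `pfctl -Fa` flushes, minus the state table.
# The modifier names are the ones used in the patch in this thread.
PF_FLUSH_KEEP_STATES="-Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp"

# pf_reload RULES [KEEP_STATES]
#   1. parse-check RULES with -n and stop if it is invalid, so a typo in
#      pf.conf never leaves the box with its rules flushed and nothing
#      loaded in their place;
#   2. flush either everything (-Fa, KEEP_STATES=no) or everything but
#      the state table (the default), so established connections survive;
#   3. load RULES.
# Returns non-zero at the first failing step; no step's output is hidden.
pf_reload() {
    rules=$1
    keep_states=${2:-yes}

    "$PFCTL" -n -f "$rules" || {
        echo "pf_reload: $rules failed to parse; nothing flushed" >&2
        return 1
    }

    if [ "$keep_states" = yes ]; then
        # word splitting of PF_FLUSH_KEEP_STATES into separate -F flags is intended
        "$PFCTL" $PF_FLUSH_KEEP_STATES || return 1
    else
        "$PFCTL" -Fa || return 1
    fi

    "$PFCTL" -f "$rules"
}

# usage: pf_reload /etc/pf.conf        (keeps states, like the proposed reload)
#        pf_reload /etc/pf.conf no     (also drops states, like -Fa)
```

Because the flush list is a plain string, adding or removing a modifier is a one-line change, and because nothing is redirected to /dev/null a flush or load failure shows up in the rc output instead of being silently skipped.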
From: Max Laier
To: Sean Chittenden
cc: rc@FreeBSD.org
cc: freebsd-pf@freebsd.org
Date: Sun, 3 Apr 2005 22:49:28 +0200
User-Agent: KMail/1.8
References: <20050403193405.GA41736@sean.gigave.com>
In-Reply-To: <20050403193405.GA41736@sean.gigave.com>
Message-Id: <200504032249.37115.max@love2party.net>
Subject: Re: rc.d/pf reload behavior oddity...

On Sunday 03 April 2005 21:34, Sean Chittenden wrote:
> Howdy. I'd like to wager that `rc.d/pf's reload` has an unintended
> behavior that I'd like to correct.
>
> Right now `rc.d/pf reload` does a -Fa which clears everything
> (tables, rules, queues, and pf's state table). I'd like to propose
> that rc.d/pf flush everything but the state tables, i.e.:
>
> Index: pf
> ===================================================================
> RCS file: /home/ncvs/src/etc/rc.d/pf,v
> retrieving revision 1.6
> diff -u -r1.6 pf
> --- pf 25 Oct 2004 08:12:28 -0000 1.6
> +++ pf 3 Apr 2005 19:22:51 -0000
> @@ -75,7 +75,7 @@
> echo "Reloading pf rules."
>
> ${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
> - ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
> + ${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo
> -FTables -Fosfp > /dev/null 2>&1 ${pf_program:-/sbin/pfctl} -f
> "${pf_rules}" ${pf_flags}
> }
>
> Which I believe is the intended behavior. The rationale being that if
> you've got a system and are making changes to the firewall, you want
> to keep existing state entries to prevent resetting everyone's
> existing TCP connections, but do want to load a new set of rules,
> queues, tables, filters, etc. If you're local to the machine and want
> to clear the state tables, people should use `rc.d/pf restart`
> instead.
>
> Is it okay for me to apply the above patch and MFC it after 5.4 is
> released? -sc

Good catch, please go ahead. Unless somebody else has strong feelings against this (CC'ing freebsd-pf). Please make sure it gets documented, though.

[I am not on rc@, please keep the CC, thanks.]
--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-rc@FreeBSD.ORG Mon Apr 4 11:01:53 2005
Date: Mon, 4 Apr 2005 11:01:52 GMT
Message-Id: <200504041101.j34B1qf7012221@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-rc@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2004/03/09] kern/63954  rc    devfs loses permissions

1 problem total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/08/29] conf/56144  rc    [PATCH] /etc/rc.d/ipmon, /etc/rc.d/ipfilt
o [2004/06/30] conf/68525  rc    Loader's verbose boot mode has rc.d/local
o [2004/07/07] conf/68745  rc    /etc/rc.d/devfs runs after ntpd so links

3 problems total.