Date:      Wed, 28 Feb 2018 21:53:36 +0545
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        rgrimes@freebsd.org
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r330105 - head/etc/rc.d
Message-ID:  <8D4597D0-8B68-42FA-85FB-907655DA19E7@FreeBSD.org>
In-Reply-To: <201802281517.w1SFH7oA020664@pdx.rh.CN85.dnsmgr.net>
References:  <201802281517.w1SFH7oA020664@pdx.rh.CN85.dnsmgr.net>

On 28 Feb 2018, at 21:02, Rodney W. Grimes wrote:
>> Author: kp
>> Date: Wed Feb 28 08:53:07 2018
>> New Revision: 330105
>> URL: https://svnweb.freebsd.org/changeset/base/330105
>>
>> Log:
>>   pf: Do not flush on reload
>>
>>   pfctl only takes the last '-F' argument into account, so this never did what
>>   was intended.
>>
>>   Moreover, there is no reason to flush rules before reloading, because pf keeps
>>   track of the rule which created a given state. That means that existing
>>   connections will keep being processed according to the rule which originally
>>   created them. Simply reloading the (new) rules suffices. The new rules will
>>   apply to new connections.
>
> Would it be possible to wrap this in a conditional? (pf_keepexisting?)
> You're changing existing, and possibly expected, behavior.
> I say expected because I may not want those existing connections to
> exist any longer as I had made a mistake in my pf configuration that
> allowed connections I do not desire.
>
Keeping connections on reload (note, reload != restart) is not new behaviour.
This has not changed.

The deleted line attempted to flush nat, queue, rules, Sources, info, 
Tables and osfp. It only ever flushed osfp because pfctl only took the 
last -F into account.

Regards,
Kristof
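An added shell illustration, not code from the commit, the rc.d script or pfctl itself, of the option handling the commit message describes: a getopts loop in which each `-F` overwrites the previous one, run over the modifier list reconstructed from the deleted rc.d line, beside the accumulating parse that line evidently expected.

```sh
#!/bin/sh
# Added illustration, not FreeBSD rc.d or pfctl code. The flag list below is
# constructed from the thread (nat, queue, rules, Sources, info, Tables, osfp).

# Model of pfctl's handling of -F as the commit message describes it:
# each -F overwrites the previous one, so only the last modifier survives.
last_flush_target() {
    flush=""
    OPTIND=1
    while getopts "F:" opt "$@"; do
        case "$opt" in
            F) flush="$OPTARG" ;;   # overwrite, do not accumulate
        esac
    done
    printf '%s\n' "$flush"
}

# For contrast: what the deleted rc.d line evidently expected, every -F honoured.
all_flush_targets() {
    targets=""
    OPTIND=1
    while getopts "F:" opt "$@"; do
        case "$opt" in
            F) targets="${targets:+$targets }$OPTARG" ;;   # accumulate
        esac
    done
    printf '%s\n' "$targets"
}

# Argument list reconstructed from the thread's description of the deleted line.
RCD_FLUSH_ARGS="-F nat -F queue -F rules -F Sources -F info -F Tables -F osfp"

echo "effective flush (last -F wins): $(last_flush_target $RCD_FLUSH_ARGS)"
echo "what the rc.d line intended:    $(all_flush_targets $RCD_FLUSH_ARGS)"
```

With the reconstructed argument list, the first function yields only `osfp`, which is the outcome the reply describes.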