From: Andreas Longwitz <longwitz@incore.de>
Date: Mon, 04 Mar 2013 16:47:36 +0100
To: freebsd-pf@freebsd.org
Subject: Reloading pf rules breaks connections on lo0
Message-ID: <5134C218.6060701@incore.de>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I run FreeBSD 8 Stable with pf enabled and have the line

   set skip on lo0

in my /etc/pf.conf. Reloading the pf rules with

   pfctl -f /etc/pf.conf

breaks any active running connections on lo0.
Example:

   -> scp bigfile 127.0.0.1:bigfile.copy
   bigfile          10%   96MB  10.5MB/s   01:15 ETA
   Write failed: Operation not permitted
   lost connection

In pflog I see

   15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
   15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
   15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
   15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0

I can avoid the break on active connections on lo0 using the commands

   pfctl -d
   pfctl -f /etc/pf.conf
   pfctl -e

but this may break other things and is not what I want.

From man pf.conf, "set skip on ...":

   Packets passing in or out on such interfaces are passed as if pf was
   disabled, i.e. pf does not process them in any way.

I think this should be true for reloading the rules too.

-- 
Andreas Longwitz
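As an added example (it is not part of Andreas Longwitz's post and not FreeBSD code), the following Python script shows how a defender could catch the symptom he describes automatically: it parses tcpdump-style pflog lines of the exact layout shown in the mail, reads the `set skip on` interfaces out of a pf.conf, and reports any `block` event on an interface that pf is supposed to skip. The pf.conf fragment, the two extra em0 log lines and the function names are constructed for the example; the four lo0 lines are the ones from the report.

```python
"""Flag pf 'block' events on interfaces that pf.conf marks as 'set skip on'.

Added example, not from the mailing-list post. The log format assumed is the
tcpdump-style pflog output reproduced in the report:
  <time> <src> -> <dst> <proto> <len> [<action> <ifname>/<rulenr>] <rest>
"""
import re
from collections import Counter

# Constructed pf.conf fragment: both single-interface and list forms of 'set skip'.
PF_CONF = """
set skip on lo0
set skip on { lo0, pflog0 }
block log all
pass out on em0 keep state
"""

# Constructed pflog sample: the four lo0 lines from the report plus two em0 lines
# (a legitimate block and a pass) that must NOT be flagged.
PFLOG = """\
15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0
15:33:40.000001 203.0.113.5 -> 192.0.2.10 TCP 60 [block em0/3] 40001 > ssh [SYN] Seq=0 Win=65535 Len=0
15:33:41.000002 192.0.2.10 -> 198.51.100.7 TCP 60 [pass em0/7] 52000 > http [SYN] Seq=0 Win=65535 Len=0
"""

# 'set skip on lo0' or 'set skip on { lo0, pflog0 }'
SKIP_RE = re.compile(r"^\s*set\s+skip\s+on\s+(.+?)\s*$", re.M)

# One pflog event line in the layout quoted above.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+\d+\s+"
    r"\[(?P<action>\w+)\s+(?P<ifname>[^/\]]+)/(?P<rule>\d+)\]\s+(?P<rest>.*)$"
)


def parse_skip_interfaces(conf):
    """Return the set of interface names named in 'set skip on' lines."""
    ifaces = set()
    for m in SKIP_RE.finditer(conf):
        spec = m.group(1).strip("{} ")          # drop list braces if present
        ifaces.update(tok.strip(",") for tok in spec.split() if tok.strip(","))
    return ifaces


def parse_pflog(text):
    """Parse pflog lines; silently skip lines that do not match the layout."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def blocks_on_skipped(events, skipped):
    """Events that pf blocked on an interface it was told to skip entirely."""
    return [e for e in events if e["action"] == "block" and e["ifname"] in skipped]


def summarize(events, skipped):
    """Count of offending block events per skipped interface."""
    return dict(Counter(e["ifname"] for e in blocks_on_skipped(events, skipped)))


if __name__ == "__main__":
    skipped = parse_skip_interfaces(PF_CONF)
    events = parse_pflog(PFLOG)
    for iface, n in summarize(events, skipped).items():
        print(f"WARNING: {n} block event(s) on skipped interface {iface}")
```

Run against a live system, the two constants would be replaced by the contents of /etc/pf.conf and the output of `tcpdump -n -e -ttt -r /var/log/pflog` (or the equivalent `pflog0` read); any non-zero count is exactly the condition the report describes, since a skipped interface should never produce a block entry.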