Date:      Sun, 3 Apr 2005 22:49:28 +0200
From:      Max Laier <max@love2party.net>
To:        Sean Chittenden <sean@gigave.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: rc.d/pf reload behavior oddity...
Message-ID:  <200504032249.37115.max@love2party.net>
In-Reply-To: <20050403193405.GA41736@sean.gigave.com>
References:  <20050403193405.GA41736@sean.gigave.com>


On Sunday 03 April 2005 21:34, Sean Chittenden wrote:
> Howdy.  I'd like to wager that `rc.d/pf's reload` has an unintended
> behavior that I'd like to correct.
>
> Right now `rc.d/pf reload` does a -Fa which clears everything
> (tables, rules, queues, and pf's state table).  I'd like to propose
> that rc.d/pf flush everything but the state tables, ie:
>
> Index: pf
> ===================================================================
> RCS file: /home/ncvs/src/etc/rc.d/pf,v
> retrieving revision 1.6
> diff -u -r1.6 pf
> --- pf  25 Oct 2004 08:12:28 -0000      1.6
> +++ pf  3 Apr 2005 19:22:51 -0000
> @@ -75,7 +75,7 @@
>         echo "Reloading pf rules."
>
>         ${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
> -       ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
> +       ${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo
> -FTables -Fosfp > /dev/null 2>&1 ${pf_program:-/sbin/pfctl} -f
> "${pf_rules}" ${pf_flags}
>  }
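Review bot: `-FSources` on the new `+` line clears pf's source-tracking nodes (sticky-address mappings and max-src-* counters) even though `-Fstate` is left out precisely to keep the connections those nodes belong to; either keep Sources as well or say in the script comment why source tracking is reset on reload. Also, between this flush and the following `pfctl -f` the host runs with no ruleset at all, and pf passes by default, so that window deserves a comment in the script; since `pfctl -f` installs the new rulesets in one transaction, much of the explicit flush is only there for objects the new file does not redefine (counters, tables, fingerprints), and a reader of rc.d/pf should be told that rather than left to guess.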
>
> Which I believe is the intended behavior.  The rationale being that if
> you've got a system and are making changes to the firewall, you want
> to keep existing state entries to prevent resetting everyone's
> existing TCP connections, but do want to load a new set of rules,
> queues, tables, filters, etc.  If you're local to the machine and want
> to clear the state tables, people should use `rc.d/pf restart`
> instead.
>
> Is it okay for me to apply the above patch and MFC it after 5.4 is
> released?  -sc

Good catch, please go ahead.  Unless somebody else has strong feelings against 
this (CC'ing freebsd-pf).  Please make sure it gets documented, though.

[I am not on rc@, please keep the CC, thanks.]

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCUFbhXyyEoT62BG0RAlEAAJ934kzAYWXaKLa8CpYzurfKv4nLrACeMWVB
VvmakVtfsCudXwep4mV1R4I=
=m1QB
-----END PGP SIGNATURE-----
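As an added illustration of the reload behaviour discussed in this thread (example code, not the rc.d/pf script from the FreeBSD tree): a reload function that parses the file first, flushes everything `pfctl -Fall` would flush except the state table, and by default also keeps source-tracking nodes, plus a small check that reads the state count from `pfctl -si` so an admin can confirm established connections survived the reload. Assumptions: the `-F` modifiers `nat`, `queue`, `rules`, `Sources`, `info`, `Tables` and `osfp` as documented for pfctl(8), the `pf_program`/`pf_rules`/`pf_flags` variable names borrowed from rc.conf, a hypothetical `pf_reload_flush_sources` switch, and the "current entries" line of `pfctl -si` output.

```shell
#!/bin/sh
# Added example, not FreeBSD's /etc/rc.d/pf.
# Variable names mirror rc.conf(5); pf_reload_flush_sources is an
# assumed knob for this example only.
pf_program="${pf_program:-/sbin/pfctl}"
pf_rules="${pf_rules:-/etc/pf.conf}"
pf_flags="${pf_flags:-}"

# Build the flush option list: everything "-Fall" covers, minus "state"
# (keeps established connections) and, unless asked, minus "Sources"
# (keeps sticky-address / max-src-* tracking, which refers to those states).
pf_reload_flush_opts() {
    # $1: "yes" to also drop source-tracking nodes
    _opts="-Fnat -Fqueue -Frules -Finfo -FTables -Fosfp"
    [ "${1:-no}" = "yes" ] && _opts="$_opts -FSources"
    printf '%s\n' "$_opts"
}

# Reload rules while preserving the state table.
pf_reload() {
    # Parse-only pass first: a broken file must not flush the running firewall.
    "$pf_program" -n -f "$pf_rules" || return 1
    # Flush everything except state (and, by default, source tracking).
    # Between here and the successful -f below there is no ruleset loaded,
    # so keep this section short and do not put anything else in it.
    # Word-splitting of the option list is intended.
    "$pf_program" $(pf_reload_flush_opts "${pf_reload_flush_sources:-no}") \
        >/dev/null 2>&1
    # Load the new rulesets; pfctl installs them in one transaction.
    "$pf_program" -f "$pf_rules" $pf_flags
}

# Number of entries in the state table, for before/after comparison
# (assumes the "current entries" line of "pfctl -si").
pf_state_count() {
    "$pf_program" -si | awk '/^ *current entries/ { print $3 }'
}
```

Typical use on the console: note `pf_state_count`, run `pf_reload`, and check that the count did not drop to zero; set `pf_reload_flush_sources=yes` only when the source-tracking entries are supposed to be reset as well.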
