From: Max Laier
To: Sean Chittenden
Cc: rc@FreeBSD.org, freebsd-pf@freebsd.org
Date: Sun, 3 Apr 2005 22:49:28 +0200
Subject: Re: rc.d/pf reload behavior odity...
Message-Id: <200504032249.37115.max@love2party.net>
In-Reply-To: <20050403193405.GA41736@sean.gigave.com>

On Sunday 03 April 2005 21:34, Sean Chittenden wrote:
> Howdy.  I'd like to wager that `rc.d/pf's reload` has an unintended
> behavior that I'd like to correct.
>
> Right now `rc.d/pf reload` does a -Fa which clears everything
> (tables, rules, queues, and pf's state table).  I'd like to propose
> that rc.d/pf flush everything but the state tables, ie:
>
> Index: pf
> ===================================================================
> RCS file: /home/ncvs/src/etc/rc.d/pf,v
> retrieving revision 1.6
> diff -u -r1.6 pf
> --- pf	25 Oct 2004 08:12:28 -0000	1.6
> +++ pf	3 Apr 2005 19:22:51 -0000
> @@ -75,7 +75,7 @@
> echo "Reloading pf rules."
>
> ${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
> - ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
> + ${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo
> -FTables -Fosfp > /dev/null 2>&1 ${pf_program:-/sbin/pfctl} -f
> "${pf_rules}" ${pf_flags}
> }
>
> Which I believe is the intended behavior.  The rationale being that if
> you've got a system and are making changes to the firewall, you want
> to keep existing state entries to prevent resetting everyone's
> existing TCP connections, but do want to load a new set of rules,
> queues, tables, filters, etc.  If you're local to the machine and want
> to clear the state tables, people should use `rc.d/pf restart`
> instead.
>
> Is it okay for me to apply the above patch and MFC it after 5.4 is
> released?  -sc

Good catch, please go ahead.  Unless somebody else has strong feelings against
this (CC'ing freebsd-pf).  Please make sure it gets documented, though.

[I am not on rc@, please keep the CC, thanks.]

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
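Review bot: because the state table now survives `reload`, a connection that was admitted by a rule the new ruleset removes or tightens stays open until its state expires, so the documentation Max asks for should say that explicitly and point at `rc.d/pf restart`, as Sean's message already does, as the way to clear existing states. Two smaller points on the hunk: the long `+` line was wrapped by the mail client onto three quoted lines (`-FTables -Fosfp > /dev/null 2>&1 ${pf_program:-/sbin/pfctl} -f` now sits between the `+` line and the unchanged `"${pf_rules}" ${pf_flags}` context), so the patch as posted will not apply and the committed change should be taken from a working tree rather than from this mail; and the interval between the `-F...` flush and the following `-f` load, during which no rules are installed, is unchanged from the `-Fa` version and is worth a sentence in the same documentation.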
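As an added example (not the FreeBSD rc.d/pf script and not Sean's patch), the POSIX sh below carries the three-step reload Sean describes (validate, flush everything except states, load) into a function, and adds the check a reviewer would want: a scan of recorded pfctl invocations that fails if any of them flushes states. The names pf_reload, make_stub_pfctl, reload_keeps_states and demo are assumptions of this example, and the fake pfctl it builds only records its arguments, so nothing here touches a real pf.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.d/pf script and not Sean's patch.
# pf_reload mirrors the reload sequence proposed in the mail (validate,
# flush everything except states, load). reload_keeps_states checks a
# log of pfctl invocations; make_stub_pfctl builds a fake pfctl that
# only records its arguments, so nothing here touches a real pf.
# All four function names are assumptions of this example.

pf_reload() {
    _rules="$1"
    # ${pf_program:-/sbin/pfctl} is left unquoted on purpose, as in rc.d/pf,
    # so pf_program may carry an interpreter in front of the path.
    # Parse the new ruleset first; a syntax error must never trigger a flush.
    ${pf_program:-/sbin/pfctl} -n -f "$_rules" || return 1
    # Flush nat, queue, rules, source tracking, info, tables and osfp
    # fingerprints, but not states: no -Fa and no -Fstates here.
    ${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp >/dev/null 2>&1
    # Load the new ruleset; pf_flags is unquoted so a space-separated list
    # of extra flags splits into words, again as in rc.d/pf.
    ${pf_program:-/sbin/pfctl} -f "$_rules" ${pf_flags}
}

# Write a fake pfctl that appends its arguments to the log named in $1 and
# always succeeds; print its path so the caller can set pf_program to
# "sh <path>" (no chmod needed, so it also works on a noexec /tmp).
make_stub_pfctl() {
    _stub=$(mktemp "${TMPDIR:-/tmp}/pfstub.XXXXXX") || return 1
    printf '#!/bin/sh\necho "$*" >> "%s"\nexit 0\n' "$1" > "$_stub"
    echo "$_stub"
}

# Return 0 if no logged pfctl invocation used a state-dropping flush.
# pfctl accepts unambiguous prefixes of the -F modifiers and compares them
# case-sensitively, so every lowercase modifier starting with "a" (all) or
# "s" (states) counts; "-FSources" (capital S) is fine.
reload_keeps_states() {
    if grep -Eq -- '(^|[[:space:]])-F[[:space:]]*[as][a-z]*([[:space:]]|$)' "$1"; then
        return 1
    fi
    return 0
}

# Exercise pf_reload against the stub with a constructed (empty) ruleset
# and report whether the recorded calls preserved states.
demo() {
    _log=$(mktemp "${TMPDIR:-/tmp}/pflog.XXXXXX") || return 1
    _demo_rules=$(mktemp "${TMPDIR:-/tmp}/pfrules.XXXXXX") || return 1
    _stub=$(make_stub_pfctl "$_log") || return 1
    pf_program="sh $_stub"
    pf_reload "$_demo_rules" || return 1
    if reload_keeps_states "$_log"; then
        echo "reload keeps states; pfctl calls were:"
        cat "$_log"
    else
        echo "reload flushes states; pfctl calls were:"
        cat "$_log"
        return 1
    fi
}

demo
```

On a real host the equivalent end-to-end check is to count states with `pfctl -ss | wc -l` before and after `rc.d/pf reload`: with the proposed change the count should be unchanged, whereas the old `-Fa` path drops it to zero.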