From owner-freebsd-pf@FreeBSD.ORG  Wed Mar 20 23:13:04 2013
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
 by hub.freebsd.org (Postfix) with ESMTP id 20047693
 for <freebsd-pf@freebsd.org>; Wed, 20 Mar 2013 23:13:04 +0000 (UTC)
 (envelope-from longwitz@incore.de)
Received: from dss.incore.de (dss.incore.de [195.145.1.138])
 by mx1.freebsd.org (Postfix) with ESMTP id DA110A3A
 for <freebsd-pf@freebsd.org>; Wed, 20 Mar 2013 23:13:03 +0000 (UTC)
Received: from secmail.incore (inetdns.dmz [10.1.0.3])
 by dss.incore.de (Postfix) with ESMTP id 0C5EE5D9D0
 for <freebsd-pf@freebsd.org>; Thu, 21 Mar 2013 00:13:02 +0100 (CET)
Received: from lolap.longwitz (188-181-6-199-dynamic.dk.customer.tdc.net
 [188.181.6.199]) by secmail.incore (Postfix) with ESMTPS id D775C5C11
 for <freebsd-pf@freebsd.org>; Thu, 21 Mar 2013 00:13:01 +0100 (CET)
Message-ID: <514A427F.9050804@incore.de>
Date: Thu, 21 Mar 2013 00:13:03 +0100
From: Andreas Longwitz <longwitz@incore.de>
User-Agent: Mozilla/5.0 (X11; FreeBSD i386;
 rv:15.0) Gecko/20120917 Thunderbird/15.0.1
MIME-Version: 1.0
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: [patch] Reloading pf rules breaks connections on lo0
References: <5134C218.6060701@incore.de> <5149BE75.3040308@incore.de>
 <CAPBZQG19-ASoz-Cgd2bm9rJyqNw=kqHueKxvzwWgVFb62xJ5dg@mail.gmail.com>
In-Reply-To: <CAPBZQG19-ASoz-Cgd2bm9rJyqNw=kqHueKxvzwWgVFb62xJ5dg@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2013 23:13:04 -0000

Thanks for answer!

Am 20.03.2013 16:23, Ermal Luçi wrote:
 > That is intended behavior.
What is intended bahavior, your reference is not clear to me.

 > There is an option -m to merge the configs which should not break it.
Ok, but this option does never prevent pfctl from clearing all interface 
option flags. If you run the command from the man page
      echo "set loginterface fxp0" | pfctl -mf -
then every active running socket over lo0 breaks because the function
pfctl_clear_interface_flags() is called independent of the PF_OPT_MERGE
flag. In the example the option -m provokes that pfctl_load_logif() is 
called as intended, but not pfctl_load_limit(), pfctl_load_timeout(), 
pfctl_load_debug(), pfctl_load_hostid() and pfctl_file_fingerprints().

The lo0 breaking function pfctl_clear_interface_flags() is called when 
the flag PFCTL_FLAG_OPTION is set. This is the case with option -O but 
also if none of the options -N, -R, -A are set, thats a little bit 
tricky. Therefore pfctl -N -R -A -f /etc/pf.conf never breaks lo0 but 
does not exactly the same as pfctl -f /etc/pf.conf because the flag 
PFCTL_FLAG_OPTION is not set.

Andreas Longwitz