Date: Tue, 16 Mar 2021 11:37:02 +0100
From: Patrick Lamaiziere <patfbsd@davenulle.org>
To: "Kristof Provost" <kp@FreeBSD.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl segmentation fault in pfctl_optimize.c
Message-ID: <20210316113702.4b3de39b@mr185033.univ-rennes1.fr>
In-Reply-To: <7963281C-B340-4AF3-9BBB-1D894DAC15E9@FreeBSD.org>
References: <20210309110530.63834499@mr185033.univ-rennes1.fr> <CFC9AFC8-85F4-4E84-8C51-22AC0E392BF9@FreeBSD.org> <20210312140010.506b668c@mr185033.univ-rennes1.fr> <7963281C-B340-4AF3-9BBB-1D894DAC15E9@FreeBSD.org>
On Fri, 12 Mar 2021 14:06:22 +0100 "Kristof Provost" <kp@FreeBSD.org> wrote:

Hello,

> On 12 Mar 2021, at 14:00, Patrick Lamaiziere wrote:
> > I've read the code of pfctl a bit. If pfctl crashes in
> > pfctl_optimize_ruleset, is there a risk to leave pf in a bad state?
> > Looks like the rules are sent to pf via ioctl after the
> > optimization so a crash before should be harmless (?).
> >
> That should be the case, yes.
>
> I've not checked the pfctl code to see if it actually starts the
> operation to change the rules or not, but either way, pf rule changes
> are atomic.
> They either succeed completely or not at all.
>
> Pf accomplishes this by keeping an active and inactive ruleset, and
> when you load new rules pfctl will start a transaction (DIOCXBEGIN),
> add the complete new ruleset (DIOCADDRULE) and only then commit to
> swapping the active and inactive rulesets (DIOCXCOMMIT).

Ok thanks a lot Kristof. So I don't have any explanation for my problem.

We will check that the firewalls filter out some traffic, stop IP forwarding if not and try to gather more information.

Best regards.
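As an added illustration of the active/inactive ruleset transaction Kristof describes (this is constructed example code, not code from the thread or from FreeBSD's pf), here is a small C model of that state machine. The struct layout, function names and the ticket scheme are simplified assumptions, not pf's real pfvar.h API; the scenario function replays the case from the thread, a pfctl run that dies after DIOCXBEGIN and some DIOCADDRULEs but before DIOCXCOMMIT.

```c
#include <string.h>

#define MAX_RULES 16
#define RULE_LEN 48

/* Constructed model: a ruleset is a small fixed array of rule strings. */
struct ruleset { int nrules; char rules[MAX_RULES][RULE_LEN]; };

/* Assumed simplified kernel state: the packet path only ever reads 'active';
 * 'inactive' is the staging copy that a transaction fills in. */
struct pf_model {
    struct ruleset active, inactive;
    unsigned ticket;        /* ticket of the open transaction, 0 if none */
    unsigned next_ticket;
};

void pf_init(struct pf_model *pf) { memset(pf, 0, sizeof *pf); pf->next_ticket = 1; }

/* DIOCXBEGIN analogue: clear the inactive set and hand pfctl a fresh ticket. */
unsigned pf_xbegin(struct pf_model *pf) {
    pf->inactive.nrules = 0;
    pf->ticket = pf->next_ticket++;
    return pf->ticket;
}

/* DIOCADDRULE analogue: rules land in the inactive set and need the current ticket. */
int pf_addrule(struct pf_model *pf, unsigned ticket, const char *rule) {
    if (ticket == 0 || ticket != pf->ticket || pf->inactive.nrules >= MAX_RULES) return -1;
    strncpy(pf->inactive.rules[pf->inactive.nrules], rule, RULE_LEN - 1);
    pf->inactive.rules[pf->inactive.nrules][RULE_LEN - 1] = '\0';
    pf->inactive.nrules++;
    return 0;
}

/* DIOCXCOMMIT analogue: one swap, so 'active' is never half-replaced. */
int pf_xcommit(struct pf_model *pf, unsigned ticket) {
    if (ticket == 0 || ticket != pf->ticket) return -1;
    struct ruleset tmp = pf->active;
    pf->active = pf->inactive;
    pf->inactive = tmp;
    pf->ticket = 0;
    return 0;
}

/* Thread scenario: reload dies before DIOCXCOMMIT. Returns 1 if old rules stayed live. */
int crash_mid_reload_keeps_old_rules(void) {
    struct pf_model pf;
    pf_init(&pf);
    unsigned t = pf_xbegin(&pf);
    pf_addrule(&pf, t, "block all");
    pf_xcommit(&pf, t);                            /* first ruleset is now active */
    t = pf_xbegin(&pf);                            /* second pfctl run starts */
    pf_addrule(&pf, t, "pass in proto tcp to port 22");
    /* pfctl crashes here (e.g. in pfctl_optimize_ruleset); no DIOCXCOMMIT arrives */
    return pf.active.nrules == 1 && strcmp(pf.active.rules[0], "block all") == 0;
}
```

Because the swap happens only in pf_xcommit, an abandoned transaction leaves the live ruleset exactly as it was, which is the "succeed completely or not at all" property the thread relies on.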