Date:      Tue, 03 Apr 2018 18:12:26 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Gleb Smirnoff" <glebius@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r331546 - head/etc/rc.d
Message-ID:  <15CEFBCD-8875-438D-B370-3468DC637A53@FreeBSD.org>
In-Reply-To: <20180403160646.GE1917@FreeBSD.org>
References:  <201803260936.w2Q9aMfD082758@repo.freebsd.org> <20180402220430.GD1917@FreeBSD.org> <4F543A96-C6B1-4FF0-A501-BC6C7FD3F26A@FreeBSD.org> <20180403160646.GE1917@FreeBSD.org>

On 3 Apr 2018, at 18:06, Gleb Smirnoff wrote:
> On Tue, Apr 03, 2018 at 08:49:09AM +0200, Kristof Provost wrote:
> K> On 3 Apr 2018, at 0:04, Gleb Smirnoff wrote:
> K> > I just want to note that this is a huge change of behaviour
> K> > of pf(4) for a user. Over a decade everybody has been used
> K> > to the difference between "reload" and "resync".
> K>
> K> There is no difference. r330105 removed the ‘$pf_program -Fnat -Fqueue
> K> -Frules -FSources -Finfo -FTables -Fosfp’ line, but this never
> K> actually did what the author thought it did.
> K> pfctl only ever performed the last ‘-F’, not all of them, so all
> K> this ever did was flush the OS fingerprints information. Clearly
> K> that’s not what was intended.
> K>
> K> pf never actually breaks existing connections, because existing states
> K> keep using the rule that created them, regardless of the current rules.
> K> It wouldn’t have broken connections with resync either. A
> K> ‘restart’ will, because ‘start’ does ‘pfctl -F all’.
> K>
> K> If the flush had actually done what was intended it’d arguably have
> K> been a security issue, because reloading rules would then (briefly) open
> K> the firewall, allowing all traffic to pass and establish state.
>
> Hmm, may be I am wrong, but back when I was actively working with pf,
> the "reload" command would break the ssh connection I am using, so
> I have taught myself to use "resync".
>
Apparently reload used to have a ‘${pf_program:-/sbin/pfctl} -Fa’,
which would have flushed everything and killed your connection.
That was removed back in 2005 (April 4th, so pretty much exactly 13
years ago), and replaced by the erroneous
‘-Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp’ version.

Regards,
Kristof
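The point in the exchange above is that pfctl honours only the last -F modifier on a command line, so the old rc.d line with seven -F options flushed nothing but OS fingerprints. The following lint is an added example (not code from this thread, and not FreeBSD's rc.d/pf) that reads shell script lines on stdin and reports any pfctl invocation carrying more than one -F. The sample rc lines are constructed for the example; the function names count_flush_flags, lint_pfctl_flushes and sample_rc, and the assumption that the script refers to the binary as pfctl or via a pf_program variable, are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.d/pf.
# pfctl keeps only the last -F modifier it is given, so a line such as
#   pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
# flushes OS fingerprints only. This lint reads shell lines on stdin and
# reports any pfctl invocation that passes -F more than once.

# count_flush_flags LINE: print how many -F options appear on LINE.
# Recognises "-Fnat", "-F nat" and clustered forms such as "-qF all";
# lower-case -f (load a ruleset file) is deliberately not counted.
count_flush_flags() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-[A-Za-z]*F/) n++
        print n
    }'
}

# lint_pfctl_flushes: read shell script lines on stdin and print every
# pfctl (or $pf_program) line carrying more than one -F.
# Returns 1 if any such line was found, 0 otherwise.
# Assumption: the script names the binary "pfctl" or uses a pf_program variable.
lint_pfctl_flushes() {
    bad=0
    while IFS= read -r line; do
        case "$(printf '%s' "$line" | sed 's/^[[:space:]]*//')" in
            "#"*) continue ;;                  # skip comment lines
            *pfctl*|*pf_program*) ;;           # a pfctl invocation
            *) continue ;;
        esac
        n=$(count_flush_flags "$line")
        if [ "$n" -gt 1 ]; then
            printf 'only the last of %s -F options takes effect: %s\n' "$n" "$line"
            bad=1
        fi
    done
    return "$bad"
}

# sample_rc: constructed lines in the style of an rc.d/pf script; not the
# real file. The first pfctl line is the erroneous form discussed in the
# thread, the others flush (or load) exactly what they say.
sample_rc() {
    cat <<'EOF'
# constructed sample, not /etc/rc.d/pf
pf_reload()
{
	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
	$pf_program -f "$pf_rules"
}
pf_start()
{
	${pf_program:-/sbin/pfctl} -F all
	$pf_program -f "$pf_rules"
}
EOF
}

# Usage: sample_rc | lint_pfctl_flushes   (or: lint_pfctl_flushes < /etc/rc.d/pf)
if sample_rc | lint_pfctl_flushes; then
    echo "no pfctl line passes -F more than once"
fi
```

Run against the constructed sample, the lint reports the seven-option reload line and stays quiet about ‘-F all’. For a rules reload that must not drop live connections, ‘pfctl -f /etc/pf.conf’ replaces the ruleset while existing states keep the rule that created them; any ‘-F all’ or ‘-F states’ on the same path is what actually terminates sessions such as the ssh connection mentioned in the thread.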



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15CEFBCD-8875-438D-B370-3468DC637A53>