Date:      Wed, 28 Feb 2018 07:17:07 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@pdx.rh.CN85.dnsmgr.net>
To:        Kristof Provost <kp@freebsd.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r330105 - head/etc/rc.d
Message-ID:  <201802281517.w1SFH7oA020664@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <201802280853.w1S8r72H079419@repo.freebsd.org>

> Author: kp
> Date: Wed Feb 28 08:53:07 2018
> New Revision: 330105
> URL: https://svnweb.freebsd.org/changeset/base/330105
> 
> Log:
>   pf: Do not flush on reload
>   
>   pfctl only takes the last '-F' argument into account, so this never did what
>   was intended.
>   
>   Moreover, there is no reason to flush rules before reloading, because pf keeps
>   track of the rule which created a given state. That means that existing
>   connections will keep being processed according to the rule which originally
>   created them. Simply reloading the (new) rules suffices. The new rules will
>   apply to new connections.

Would it be possible to wrap this in a conditional? (pf_keepexisting?)
You're changing existing, and possibly expected, behavior.
I say expected because I may not want those existing connections to
exist any longer as I had made a mistake in my pf configuration that
allowed connections I do not desire.

Also
RELNOTES: y
as this changes security behavior.

Thanks,

>   PR:		127814
>   Submitted by:	Andreas Longwitz <longwitz at incore.de>
>   MFC after:	3 weeks
> 
> Modified:
>   head/etc/rc.d/pf
> 
> Modified: head/etc/rc.d/pf
> ==============================================================================
> --- head/etc/rc.d/pf	Wed Feb 28 07:59:55 2018	(r330104)
> +++ head/etc/rc.d/pf	Wed Feb 28 08:53:07 2018	(r330105)
> @@ -54,9 +54,6 @@ pf_reload()
>  {
>  	echo "Reloading pf rules."
>  	$pf_program -n -f "$pf_rules" || return 1
> -	# Flush everything but existing state entries that way when
> -	# rules are read in, it doesn't break established connections.
> -	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
>  	$pf_program -f "$pf_rules" $pf_flags
>  }
>  
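Review bot: removing the flush line also removes the one flush that did take effect, because by the log's own reasoning (pfctl honours only the last -F) the deleted command amounted to `$pf_program -Fosfp`, so a reload no longer clears previously loaded OS fingerprints; if that is intended, a one-line comment where the deleted comment stood should say that pf_reload() deliberately keeps the state table and only replaces the ruleset, since the explanatory comment is deleted together with the command. In the same function, the dry run `$pf_program -n -f "$pf_rules"` omits `$pf_flags` while the real load `$pf_program -f "$pf_rules" $pf_flags` passes them, so the two invocations can disagree (for example when pf_flags defines -D macros the ruleset uses); consider `$pf_program -n -f "$pf_rules" $pf_flags` so the check exercises the same command line as the load.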
> 
> 

-- 
Rod Grimes                                                 rgrimes@freebsd.org
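The conditional asked for above, written out as an added example: this is not FreeBSD's etc/rc.d/pf and does not use rc.subr; the knob `pf_flush_states` and the function name `pf_reload_example` are hypothetical. It keeps the check-then-load order of the committed script, passes `$pf_flags` to both invocations, leaves the state table alone by default (so established connections keep matching the rule that created them), and only when the operator sets the knob runs `pfctl -F states` after the new ruleset is in place, so that every connection, including ones admitted by a mistaken rule, is re-evaluated against the new rules.

```shell
#!/bin/sh
# Added example, not FreeBSD's etc/rc.d/pf. Assumptions: the rc.conf-style
# variables below, and a hypothetical knob pf_flush_states (default NO).
pf_program=${pf_program:-/sbin/pfctl}
pf_rules=${pf_rules:-/etc/pf.conf}
pf_flags=${pf_flags:-}
pf_flush_states=${pf_flush_states:-NO}

pf_reload_example() {
    echo "Reloading pf rules."
    # Syntax-check with the same flags the real load uses; a broken file
    # must not replace the running ruleset.
    $pf_program -n -f "$pf_rules" $pf_flags || return 1
    # pfctl -f replaces the ruleset and leaves the state table alone, so
    # established connections keep matching the rule that created them.
    $pf_program -f "$pf_rules" $pf_flags || return 1
    # Only on request: drop existing states so every connection is
    # re-evaluated against the new rules. This does break live sessions,
    # which is the point when the old rules admitted something they should not have.
    case "$pf_flush_states" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1)
        $pf_program -F states > /dev/null 2>&1 || return 1 ;;
    esac
}
# usage: pf_flush_states=YES pf_reload_example
```

Flushing after the load rather than before matters: a flush before the load would leave a window in which the old, mistaken rules still admit new connections and create fresh states.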


