From: "Rodney W. Grimes"
Message-Id: <201802281517.w1SFH7oA020664@pdx.rh.CN85.dnsmgr.net>
Subject: Re: svn commit: r330105 - head/etc/rc.d
In-Reply-To: <201802280853.w1S8r72H079419@repo.freebsd.org>
To: Kristof Provost
Date: Wed, 28 Feb 2018 07:17:07 -0800 (PST)
CC: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Reply-To: rgrimes@freebsd.org

> Author: kp
> Date: Wed Feb 28 08:53:07 2018
> New Revision: 330105
> URL: https://svnweb.freebsd.org/changeset/base/330105
>
> Log:
>   pf: Do not flush on reload
>
>   pfctl only takes the last '-F' argument into account, so this never did what
>   was intended.
>
>   Moreover, there is no reason to flush rules before reloading, because pf keeps
>   track of the rule which created a given state. That means that existing
>   connections will keep being processed according to the rule which originally
>   created them. Simply reloading the (new) rules suffices. The new rules will
>   apply to new connections.

Would it be possible to wrap this in a conditional? (pf_keepexisting?)
You're changing existing, and possibly expected, behavior. I say expected
because I may not want those existing connections to exist any longer, as I
had made a mistake in my pf configuration that allowed connections I do not
desire.

Also RELNOTES: y, as this changes security behavior.
Thanks,

> PR:		127814
> Submitted by:	Andreas Longwitz
> MFC after:	3 weeks
>
> Modified:
>   head/etc/rc.d/pf
>
> Modified: head/etc/rc.d/pf
> ==============================================================================
> --- head/etc/rc.d/pf	Wed Feb 28 07:59:55 2018	(r330104)
> +++ head/etc/rc.d/pf	Wed Feb 28 08:53:07 2018	(r330105)
> @@ -54,9 +54,6 @@ pf_reload()
>  {
>  	echo "Reloading pf rules."
>  	$pf_program -n -f "$pf_rules" || return 1
> -	# Flush everything but existing state entries that way when
> -	# rules are read in, it doesn't break established connections.
> -	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
>  	$pf_program -f "$pf_rules" $pf_flags
>  }
>
>

-- 
Rod Grimes                                                 rgrimes@freebsd.org
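Review bot: Dropping the flush line is right, but the hunk leaves pf_reload() with no comment on its new semantics, and the reload behaviour operators see changes. The removed comment ("Flush everything but existing state entries ...") described something the command never did: as the log says, pfctl honours only the last -F, so the line effectively ran only -Fosfp, and its exit status was thrown away by "> /dev/null 2>&1" in any case. After this change pf_reload() never flushes anything, so states admitted by an earlier, mistaken ruleset survive a reload. Suggest a one-line comment above "$pf_program -f "$pf_rules" $pf_flags" stating that existing states are kept and that an operator who needs to drop them must flush the state table explicitly (for example with a single "-F states"), or, as the reply above asks, an optional flush gated behind an rc.conf knob.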
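An added example, not the FreeBSD rc.d/pf script and not code posted in this thread, of the conditional the reply asks for: a reload function that keeps existing states by default (the behaviour r330105 introduces) and flushes the state table only when an opt-in knob is set. The knob name pf_flush_states_on_reload and the PFCTL override variable are assumptions made for this illustration; the -n parse-only check and the single -F modifier (here "states") are as pfctl(8) documents them, and only one -F is passed because, as the commit log notes, pfctl honours only the last one.

```shell
#!/bin/sh
# Added example (not the FreeBSD rc.d/pf script). Reload pf rules without
# dropping established connections; optionally flush the state table so that
# connections admitted by a previous, faulty ruleset are re-evaluated.
#
# PFCTL can be overridden so the function can be exercised without a live pf
# instance (it defaults to pfctl(8)). pf_flush_states_on_reload is an assumed,
# hypothetical rc.conf knob for illustration, not a real rc.conf(5) variable.
: "${PFCTL:=pfctl}"
: "${pf_rules:=/etc/pf.conf}"
: "${pf_flags:=}"
: "${pf_flush_states_on_reload:=NO}"

# Return 0 when the value is one of the usual rc.conf "yes" spellings.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

pf_reload() {
    echo "Reloading pf rules."
    # Parse-only pass: refuse to touch the running ruleset on a syntax error.
    $PFCTL -n -f "$pf_rules" || return 1
    # Load the new ruleset. pf keeps the rule that created each state, so
    # this alone does not break established connections.
    $PFCTL -f "$pf_rules" $pf_flags || return 1
    # Operator opt-in: discard the state table so every connection is matched
    # against the new rules. A single -F modifier is used on purpose, since
    # pfctl only takes the last -F argument into account.
    if is_yes "$pf_flush_states_on_reload"; then
        echo "Flushing pf states."
        $PFCTL -F states || return 1
    fi
    return 0
}
```

With the knob unset the function issues exactly the two pfctl calls that r330105 leaves in rc.d/pf; with it set to YES it adds one "-F states" call after the rules have loaded, and a parse failure aborts before anything is changed.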