From: "Kristof Provost" <kp@FreeBSD.org>
To: rgrimes@freebsd.org
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r330105 - head/etc/rc.d
Date: Wed, 28 Feb 2018 21:53:36 +0545
Message-ID: <8D4597D0-8B68-42FA-85FB-907655DA19E7@FreeBSD.org>
In-Reply-To: <201802281517.w1SFH7oA020664@pdx.rh.CN85.dnsmgr.net>
References: <201802281517.w1SFH7oA020664@pdx.rh.CN85.dnsmgr.net>

On 28 Feb 2018, at 21:02, Rodney W. Grimes wrote:
>> Author: kp
>> Date: Wed Feb 28 08:53:07 2018
>> New Revision: 330105
>> URL: https://svnweb.freebsd.org/changeset/base/330105
>>
>> Log:
>>   pf: Do not flush on reload
>>
>>   pfctl only takes the last '-F' argument into account, so this never did what
>>   was intended.
>>
>>   Moreover, there is no reason to flush rules before reloading, because pf keeps
>>   track of the rule which created a given state. That means that existing
>>   connections will keep being processed according to the rule which originally
>>   created them. Simply reloading the (new) rules suffices. The new rules will
>>   apply to new connections.
>
> Would it be possible to wrap this in a conditional? (pf_keepexisting?)
> You're changing existing, and possibly expected, behavior.
> I say expected because I may not want those existing connections to
> exist any longer as I had made a mistake in my pf configuration that
> allowed connections I do not desire.
>
Keeping connections on reload (note, reload != restart) is not new behaviour. This has not changed.

The deleted line attempted to flush nat, queue, rules, Sources, info, Tables and osfp. It only ever flushed osfp because pfctl only took the last -F into account.

Regards,
Kristof
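To make the "last -F wins" behaviour concrete, here is an added shell example (not part of the mail above and not FreeBSD's rc.d/pf script or pfctl's source). The `last_flush_target` function is a small stand-in for pfctl's option loop, written on the assumption that each `-F` simply overwrites the previously recorded flush target; the argument list it is run against is constructed from the seven targets the mail says the deleted rc.d line passed.

```shell
#!/bin/sh
# Added example: models pfctl's handling of repeated -F flags as described
# in the mail (only the last -F is honoured). This is a stand-in parser,
# an assumption about pfctl's behaviour, not pfctl's own code.

# Print the single flush target pfctl would act on for the given arguments.
# Every -F overwrites the previous one, so a line with several -F flags
# flushes only the last named target.
last_flush_target() {
    target=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -F)
                if [ $# -lt 2 ]; then
                    # -F with no argument: nothing to record, stop parsing
                    break
                fi
                target="$2"
                shift 2
                ;;
            *)
                # Any other option or argument is irrelevant to flushing
                shift
                ;;
        esac
    done
    printf '%s\n' "$target"
}

# Constructed from the targets the mail lists for the deleted rc.d line.
old_args="-F nat -F queue -F rules -F Sources -F info -F Tables -F osfp"

# Word splitting of $old_args is intentional here.
echo "old rc.d line would only have flushed: $(last_flush_target $old_args)"
echo "plain reload (-f only) flushes: '$(last_flush_target -f /etc/pf.conf)'"
```

Running it prints `osfp` for the old line and an empty target for a plain `pfctl -f` reload, which is exactly why the removed line never flushed the state table it appeared to: the reload behaviour with respect to existing connections was the same before and after r330105.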