From: "Rodney W. Grimes" <freebsd@pdx.rh.CN85.dnsmgr.net>
Message-Id: <201802281619.w1SGJGPD020976@pdx.rh.CN85.dnsmgr.net>
Subject: Re: svn commit: r330105 - head/etc/rc.d
In-Reply-To: <8D4597D0-8B68-42FA-85FB-907655DA19E7@FreeBSD.org>
To: Kristof Provost
Date: Wed, 28 Feb 2018 08:19:16 -0800 (PST)
CC: rgrimes@FreeBSD.org, src-committers@FreeBSD.org, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org
Reply-To: rgrimes@FreeBSD.org

> On 28 Feb 2018, at 21:02, Rodney W. Grimes wrote:
>
> >> Author: kp
> >> Date: Wed Feb 28 08:53:07 2018
> >> New Revision: 330105
> >> URL: https://svnweb.freebsd.org/changeset/base/330105
> >>
> >> Log:
> >>   pf: Do not flush on reload
> >>
> >>   pfctl only takes the last '-F' argument into account, so this never did what
> >>   was intended.
> >>
> >>   Moreover, there is no reason to flush rules before reloading, because pf keeps
> >>   track of the rule which created a given state. That means that existing
> >>   connections will keep being processed according to the rule which originally
> >>   created them. Simply reloading the (new) rules suffices. The new rules will
> >>   apply to new connections.
> >
> > Would it be possible to wrap this in a conditional? (pf_keepexisting?)
> > You're changing existing, and possibly expected, behavior.
> > I say expected because I may not want those existing connections to
> > exist any longer as I had made a mistake in my pf configuration that
> > allowed connections I do not desire.
> >
> Keeping connections on reload (note, reload != restart) is not new
> behaviour.
> This has not changed.

It has, minorly, in that OSPF connections are not dropped now, but if
that's the only change I'll live with the change.

> The deleted line attempted to flush nat, queue, rules, Sources, info,
> Tables and osfp. It only ever flushed osfp because pfctl only took the
> last -F into account.

So might it be better to correct what it was attempting to do, and wrap
that in a conditional? I may or may not want this to exist after a
reload, and that should be my option; the alternative is for me to
either edit this file, or write my own, or to execute a bunch of -F
commands by hand.

It was clearly the intent of the original author to have these flushed;
fixing the mistake by removing the flushes is one way to fix it. I am
asking for consideration on that there is another desired solution, and
that both can exist with a simple knob.

> Regards,
> Kristof

-- 
Rod Grimes                                 rgrimes@freebsd.org
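A sketch of the knob-gated flush discussed in this thread, added here as an illustration; it is not code from r330105 or from the FreeBSD rc.d scripts. pf_keepexisting is the hypothetical knob named above, and PFCTL, PF_RULES and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the committed rc.d code. Because pfctl honours only the
# last -F on a command line, each modifier gets its own pfctl invocation
# (pfctl -F all is the one-shot alternative). pf_keepexisting is the
# hypothetical rc.conf knob from the thread. The function only prints the
# commands it would run, so the plan can be reviewed without touching a
# live firewall; pipe the output to sh to execute it.

PFCTL="${PFCTL:-/sbin/pfctl}"
PF_RULES="${PF_RULES:-/etc/pf.conf}"

# Usage: pf_reload_plan <pf_keepexisting value>   (defaults to YES)
# Emits one pfctl command per line.
pf_reload_plan() {
    keep="${1:-YES}"
    case "$keep" in
    [Nn][Oo])
        # Same modifiers the deleted rc.d line tried to flush in one call.
        for mod in nat queue rules Sources info Tables osfp; do
            printf '%s -F %s\n' "$PFCTL" "$mod"
        done
        ;;
    esac
    # Load the new rule set either way; with the knob left at YES, existing
    # states keep following the rule that created them, as the log explains.
    printf '%s -f %s\n' "$PFCTL" "$PF_RULES"
}

# Number of commands a plan contains (helper for checking the output).
pf_reload_plan_count() {
    pf_reload_plan "$1" | awk 'END { print NR }'
}
```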