Date: Fri, 12 Mar 2021 14:06:22 +0100 From: "Kristof Provost" <kp@FreeBSD.org> To: "Patrick Lamaiziere" <patfbsd@davenulle.org> Cc: freebsd-pf@freebsd.org Subject: Re: pfctl segmentation fault in pfctl_optimize.c Message-ID: <7963281C-B340-4AF3-9BBB-1D894DAC15E9@FreeBSD.org> In-Reply-To: <20210312140010.506b668c@mr185033.univ-rennes1.fr> References: <20210309110530.63834499@mr185033.univ-rennes1.fr> <CFC9AFC8-85F4-4E84-8C51-22AC0E392BF9@FreeBSD.org> <20210312140010.506b668c@mr185033.univ-rennes1.fr>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12 Mar 2021, at 14:00, Patrick Lamaiziere wrote: > I've read the code of pfctl a bit. If pfctl crashes in > pfctl_optimize_ruleset, is there a risk to leave pf in a bad state ? > Looks like the rules are sent to pf via ioctl after the optimization > so a crash before should be harmless (?). > That should be the case, yes. I’ve not checked the pfctl code to see if it actually starts the operation to change the rules or not, but either way, pf rule changes are atomic. They either succeed completely or not at all. Pf accomplishes this by keeping an active and inactive ruleset, and when you load new rules pfctl will start a transaction (DIOCXBEGIN), add the complete new ruleset (DIOCADDRULE) and only then commit to swapping the active and inactive rulesets (DIOCXCOMMIT). Best regards, Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7963281C-B340-4AF3-9BBB-1D894DAC15E9>