Reloading pf rules breaks connections on lo0
Andreas Longwitz
longwitz at incore.de
Mon Mar 4 15:55:03 UTC 2013
I run FreeBSD 8 Stable with pf enabled and have the line
set skip on lo0
in my /etc/pf.conf. Reloading the pf rules with
pfctl -f /etc/pf.conf
breaks any active connections on lo0.
Example:
-> scp bigfile 127.0.0.1:bigfile.copy
bigfile 10% 96MB 10.5MB/s
01:15 ETA
Write failed: Operation not permitted
lost connection
In pflog I see
15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0]
ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0]
52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0]
52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0]
ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0
I can avoid the break on active connections on lo0 using the commands
pfctl -d
pfctl -f /etc/pf.conf
pfctl -e
but this may break other things and is not what I want.
From man pf.conf, "set skip on ...":
Packets passing in or out on such interfaces are passed as if pf was
disabled, i.e. pf does not process them in any way.
I think this should be true for reloading the rules too.
--
Andreas Longwitz
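The two reload procedures from the post, written up as a small sh script. This is an added example, not code from the post or from the FreeBSD pf tree; the variables PFCTL and PF_CONF are assumptions of the example so that it can be pointed at another binary or ruleset. It adds the two checks a practitioner would want around either reload: a parse-only pass (pfctl -n) before touching the live ruleset, and a state-table line count to compare before and after, since pfctl -f replaces the rules but does not flush states.

```shell
#!/bin/sh
# Added example (not from the post): reload a pf ruleset with a syntax check
# first, using either the plain reload or the disable/reload/enable sequence.
# PFCTL and PF_CONF are example-level knobs, not pfctl options.
PFCTL=${PFCTL:-pfctl}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Parse-only check: pfctl -n reads the file and reports errors without
# loading anything. Returns pfctl's exit status.
pf_check() {
    "$PFCTL" -nf "$PF_CONF"
}

# Number of entries in the state table (one line per state from -s states).
# Compare this before and after a reload to see whether states were dropped.
pf_state_count() {
    "$PFCTL" -s states | wc -l | tr -d ' '
}

# The reload from the post. Existing states survive; the report above is that
# traffic on a "set skip" interface is nevertheless blocked during the reload.
pf_reload_plain() {
    pf_check || return 1
    "$PFCTL" -f "$PF_CONF"
}

# The workaround from the post. Caveat: between -d and -e pf is disabled, so
# every packet on every interface passes unfiltered for that window, which is
# why the post calls it "not what I want".
pf_reload_disabled() {
    pf_check || return 1
    "$PFCTL" -d
    "$PFCTL" -f "$PF_CONF"
    "$PFCTL" -e
}

# Run one of the procedures and print the state count before and after.
pf_reload_with_report() {
    before=$(pf_state_count)
    "$1" || return 1
    after=$(pf_state_count)
    echo "states before=$before after=$after"
}

case "${1:-}" in
    check)    pf_check ;;
    plain)    pf_reload_with_report pf_reload_plain ;;
    disabled) pf_reload_with_report pf_reload_disabled ;;
esac
```

Usage: `sh pfreload.sh plain` for the ordinary reload, `sh pfreload.sh disabled` for the workaround sequence; both refuse to proceed if the ruleset does not parse.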