Restaarting PF and its effects on jails and vms

Odhiambo Washington odhiambo at gmail.com
Fri Mar 24 09:27:48 UTC 2017 

On 24 March 2017 at 12:22, Arthur Chance <freebsd at qeng-ho.org> wrote:

> On 24/03/2017 09:16, Odhiambo Washington wrote:
> > On 24 March 2017 at 11:20, Arthur Chance <freebsd at qeng-ho.org> wrote:
> >
> >> On 23/03/2017 18:29, James B. Byrne via freebsd-questions wrote:
> >>> I am revising the pf configuration for the FreeBSD-10.3 host of a
> >>> number of FreeBSD-11.0 BHyve instances. When I restart PF on the host
> >>> then traffic to a number of guests gets blocked even though the
> >>> ruleset says it should not be.
> >>>
> >>> Since the incoming ports for the blocked traffic appear to be from the
> >>> upper dynamic range I infer that this traffic is related to
> >>> connections established before PF was restarted and are now 'orphaned'
> >>> in consequence.  In other words, had the initial connection between
> >>> client anf service been made while PF was already running the traffic
> >>> being blocked following a restart would have been let through as being
> >>> part of an established connection.
> >>>
> >>> What is the recommended way of dealing with this issue when restarting
> >>> PF, if there is one?
> >>
> >> Don't restart pf, reload it. "service pf reload" goes to great lengths
> >> not to interfere with existing connections whereas "service pf restart"
> >> blows away everything before restarting.
> >>
> >> This is fresh in my mind because I made exactly the same mistake last
> >> week before remembering to reload. :-)
> >>
> >
> > A quick one, before I get to RTFM, is there an equivalent 'reload' option
> > for pfctl (9.3-STABLE)?
> >
>
> It's all pfctl. By using service(8) I was referring to the rc.d script
> for pf, but that sits over pfctl. The reload part is (on 10.3)
>
> pf_reload()
> {
>         echo "Reloading pf rules."
>         $pf_program -n -f "$pf_rules" || return 1
>         # Flush everything but existing state entries that way when
>         # rules are read in, it doesn't break established connections.
>         $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables
> -Fosfp > /dev/null 2>&1
>         $pf_program -f "$pf_rules" $pf_flags
> }
>
> Apologies if my mailer breaks the long line.
>


Perfect!


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."

More information about the freebsd-questions mailing list