svn commit: r331546 - head/etc/rc.d
Kristof Provost
kp at FreeBSD.org
Tue Apr 3 06:49:12 UTC 2018
On 3 Apr 2018, at 0:04, Gleb Smirnoff wrote:
> I just want to note that this is a huge change of behaviour
> of pf(4) for a user. Over a decade everybody has been used
> to the difference between "reload" and "resync".
There is no difference. r330105 removed the ‘$pf_program -Fnat -Fqueue
-Frules -FSources -Finfo -FTables -Fosfp’ line, but this never
actually did what the author thought it did.
pfctl only ever performed the last ‘-F’, not all of them, so all
this ever did was flush the OS fingerprints information. Clearly
that’s not what was intended.
pf never actually breaks existing connections, because existing states
keep using the rule that created them, regardless of the current rules.
It wouldn’t have broken connections with resync either. A
‘restart’ will, because ‘start’ does ‘pfctl -F all’.
If the flush had actually done what was intended it’d arguably have
been a security issue, because reloading rules would then (briefly) open
the firewall, allowing all traffic to pass and establish state.
> Yes, I admit
> that back in 2008 the difference was awkward and annoying, but
> today I'm afraid that change would be more annoying than
> keeping status quo.
>
> This definitely shouldn't reach stable/11, absolutely.
>
I will wait to do the MFC until we’re in agreement about it.
Regards,
Kristof
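The mechanism behind the point above (only the last ‘-F’ on the pfctl command line takes effect, so the rc.d reload never flushed the rules it named) can be shown with a small option parser. This is an added illustration, not code from pfctl or from the rc.d script: the FL_* bitmask, the exact-match keyword table and the two parsing modes are assumptions made for the example. The "last wins" mode models one variable being overwritten on each ‘-F’; the accumulating mode models what the rc.d line assumed would happen, which is the case in which the filter rules would actually be flushed and the firewall briefly left open.

```c
#include <stdio.h>
#include <string.h>

/* Flush targets, named after the keywords pfctl -F accepts
 * (illustrative mapping for this example, not pfctl's own code). */
enum flush_target {
    FL_NONE    = 0,
    FL_NAT     = 1 << 0,
    FL_QUEUE   = 1 << 1,
    FL_RULES   = 1 << 2,
    FL_SOURCES = 1 << 3,
    FL_INFO    = 1 << 4,
    FL_TABLES  = 1 << 5,
    FL_OSFP    = 1 << 6
};

/* Map a -F keyword to its bit; exact match only (a simplification). */
static int lookup_target(const char *kw)
{
    static const struct { const char *name; int bit; } table[] = {
        { "nat", FL_NAT }, { "queue", FL_QUEUE }, { "rules", FL_RULES },
        { "Sources", FL_SOURCES }, { "info", FL_INFO },
        { "Tables", FL_TABLES }, { "osfp", FL_OSFP }
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(kw, table[i].name) == 0)
            return table[i].bit;
    return FL_NONE;
}

/*
 * Walk a command line and collect every -F argument ("-Fnat" or "-F nat").
 * accumulate == 0: one variable is overwritten on each -F, so only the last
 *                  keyword survives (the behaviour described in the thread).
 * accumulate != 0: each -F ORs its bit in (what the rc.d line assumed).
 * Returns the resulting bitmask, or -1 for an unknown keyword.
 */
static int parse_flush(const char *cmdline, int accumulate)
{
    char buf[256];
    char *argv[32];
    int argc = 0;

    strncpy(buf, cmdline, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL && argc < 32; tok = strtok(NULL, " "))
        argv[argc++] = tok;

    int mask = FL_NONE;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "-F", 2) != 0)
            continue;
        const char *kw = argv[i][2] != '\0' ? argv[i] + 2
                       : (i + 1 < argc ? argv[++i] : "");
        int bit = lookup_target(kw);
        if (bit == FL_NONE)
            return -1;                       /* unknown keyword: reject */
        mask = accumulate ? (mask | bit) : bit;
    }
    return mask;
}

int flush_mask_last_wins(const char *cmdline)  { return parse_flush(cmdline, 0); }
int flush_mask_accumulate(const char *cmdline) { return parse_flush(cmdline, 1); }

/* True when the mask includes the filter rules, i.e. the "firewall briefly open" case. */
int flushes_rules(int mask) { return mask > 0 && (mask & FL_RULES) != 0; }

int main(void)
{
    /* The exact flush line that r330105 removed from the rc.d script. */
    const char *line = "pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp";
    int last = flush_mask_last_wins(line);
    int all  = flush_mask_accumulate(line);

    printf("last -F wins : 0x%02x (flushes rules: %s)\n", last, flushes_rules(last) ? "yes" : "no");
    printf("accumulating : 0x%02x (flushes rules: %s)\n", all,  flushes_rules(all)  ? "yes" : "no");
    return 0;
}
```

Run stand-alone, the "last -F wins" mode reports only the OS fingerprint bit for the removed rc.d line, which is why the reload never disturbed the rules or states; the accumulating mode is what would have to be true for the flush to have any effect on the rules, and that is precisely the variant that would open the firewall between the flush and the reload.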