svn commit: r331546 - head/etc/rc.d

Gleb Smirnoff glebius at FreeBSD.org
Tue Apr 3 16:06:49 UTC 2018


On Tue, Apr 03, 2018 at 08:49:09AM +0200, Kristof Provost wrote:
K> On 3 Apr 2018, at 0:04, Gleb Smirnoff wrote:
K> > I just want to note that this is a huge change of behaviour
K> > of pf(4) for a user. Over a decade everybody has been used
K> > to the difference between "reload" and "resync".
K> 
K> There is no difference. r330105 removed the ‘$pf_program -Fnat -Fqueue 
K> -Frules -FSources -Finfo -FTables -Fosfp’ line, but this never 
K> actually did what the author thought it did.
K> pfctl only ever performed the last ‘-F’, not all of them, so all 
K> this ever did was flush the OS fingerprints information. Clearly 
K> that’s not what was intended.
K> 
K> pf never actually breaks existing connections, because existing states 
K> keep using the rule that created them, regardless of the current rules.
K> It wouldn’t have broken connections with resync either. A 
K> ‘restart’ will, because ‘start’ does ‘pfctl -F all’.
K> 
K> If the flush had actually done what was intended it’d arguably have 
K> been a security issue, because reloading rules would then (briefly) open 
K> the firewall, allowing all traffic to pass and establish state.

Hmm, maybe I am wrong, but back when I was actively working with pf,
the "reload" command would break the ssh connection I am using, so
I have taught myself to use "resync".

If I am wrong, please go forward :)

-- 
Gleb Smirnoff
