svn commit: r330105 - head/etc/rc.d
Rodney W. Grimes
freebsd at pdx.rh.CN85.dnsmgr.net
Wed Feb 28 15:17:12 UTC 2018
> Author: kp
> Date: Wed Feb 28 08:53:07 2018
> New Revision: 330105
> URL: https://svnweb.freebsd.org/changeset/base/330105
>
> Log:
> pf: Do not flush on reload
>
> pfctl only takes the last '-F' argument into account, so this never did what
> was intended.
>
> Moreover, there is no reason to flush rules before reloading, because pf keeps
> track of the rule which created a given state. That means that existing
> connections will keep being processed according to the rule which originally
> created them. Simply reloading the (new) rules suffices. The new rules will
> apply to new connections.
Would it be possible to wrap this in a conditional? (pf_keepexisting?)
You're changing existing, and possibly expected, behavior.
I say expected because I may not want those existing connections to
exist any longer as I had made a mistake in my pf configuration that
allowed connections I do not desire.
Also
RELNOTES: y
as this changes security behavior.
Thanks,
> PR: 127814
> Submitted by: Andreas Longwitz <longwitz at incore.de>
> MFC after: 3 weeks
>
> Modified:
> head/etc/rc.d/pf
>
> Modified: head/etc/rc.d/pf
> ==============================================================================
> --- head/etc/rc.d/pf Wed Feb 28 07:59:55 2018 (r330104)
> +++ head/etc/rc.d/pf Wed Feb 28 08:53:07 2018 (r330105)
> @@ -54,9 +54,6 @@ pf_reload()
> {
> echo "Reloading pf rules."
> $pf_program -n -f "$pf_rules" || return 1
> - # Flush everything but existing state entries that way when
> - # rules are read in, it doesn't break established connections.
> - $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
> $pf_program -f "$pf_rules" $pf_flags
> }
>
>
>
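Review bot: the removed flush at `- $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1` never included `-Fstates` (its own comment says existing state entries were kept), so both before and after this hunk a reload leaves established connections untouched; that is worth spelling out in the log or RELNOTES, because an operator who wants connections admitted by a mistaken ruleset re-evaluated needs a separate state flush, not this reload. Since pfctl honours only the last `-F`, the line effectively ran just `-Fosfp`, with its exit status hidden by `> /dev/null 2>&1`, so deleting it rather than rewriting the flush is the right call; the remaining `-n -f` check followed by the unconditional `-f` load is the complete replace path and needs no further change.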
--
Rod Grimes rgrimes at freebsd.org
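As an added example (not the committed rc.d/pf code), here is what the conditional asked for in the reply could look like: the reload keeps r330105's no-flush behaviour by default, and only when the operator opts out does it drop the state table, after the new rules are in place. The knob name `pf_keepexisting` is hypothetical; `pf_program`, `pf_rules` and `pf_flags` are the existing rc.d variables.

```sh
#!/bin/sh
# Example rc.d-style pf_reload() with an opt-in state flush.
# pf_keepexisting is a hypothetical knob (suggested in the reply, not in rc.d/pf).

: "${pf_program:=/sbin/pfctl}"
: "${pf_rules:=/etc/pf.conf}"
: "${pf_flags:=}"
: "${pf_keepexisting:=YES}"

pf_reload()
{
	echo "Reloading pf rules."
	# Syntax-check first so a broken file never leaves pf half-loaded.
	$pf_program -n -f "$pf_rules" || return 1
	# Load the new ruleset; existing states keep the rule that created them,
	# so this alone does not disturb established connections (r330105).
	$pf_program -f "$pf_rules" $pf_flags || return 1
	case "$pf_keepexisting" in
	[Yy][Ee][Ss])
		;;	# default: established connections outlive the reload
	*)
		# Operator wants existing connections re-evaluated against the
		# new rules: flush only the state table, and only after the new
		# rules are loaded so no packet is matched against an empty ruleset.
		$pf_program -F states || return 1
		;;
	esac
}
```

Run with `pf_keepexisting=NO` to have connections that the old ruleset admitted torn down once the corrected rules are loaded.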