svn commit: r330105 - head/etc/rc.d

Kristof Provost kp at FreeBSD.org
Wed Feb 28 16:08:43 UTC 2018


On 28 Feb 2018, at 21:02, Rodney W. Grimes wrote:
>> Author: kp
>> Date: Wed Feb 28 08:53:07 2018
>> New Revision: 330105
>> URL: https://svnweb.freebsd.org/changeset/base/330105
>>
>> Log:
>>   pf: Do not flush on reload
>>
>>   pfctl only takes the last '-F' argument into account, so this never did what
>>   was intended.
>>
>>   Moreover, there is no reason to flush rules before reloading, because pf keeps
>>   track of the rule which created a given state. That means that existing
>>   connections will keep being processed according to the rule which originally
>>   created them. Simply reloading the (new) rules suffices. The new rules will
>>   apply to new connections.
>
> Would it be possible to wrap this in a conditional? (pf_keepexisting?)
> Your changing existing, and possibly expected, behavior.
> I say expected because I may not want those existing connections to
> exist any longer as I had made a mistake in my pf configuration that
> allowed connections I do not desire.
>
Keeping connections on reload (note, reload != restart) is not new behaviour.
This has not changed.

The deleted line attempted to flush nat, queue, rules, Sources, info, Tables
and osfp. It only ever flushed osfp because pfctl only took the last -F into
account.

Regards,
Kristof
