svn commit: r330105 - head/etc/rc.d

Rodney W. Grimes freebsd at pdx.rh.CN85.dnsmgr.net
Wed Feb 28 16:19:27 UTC 2018


> On 28 Feb 2018, at 21:02, Rodney W. Grimes wrote:
> >> Author: kp
> >> Date: Wed Feb 28 08:53:07 2018
> >> New Revision: 330105
> >> URL: https://svnweb.freebsd.org/changeset/base/330105
> >>
> >> Log:
> >>   pf: Do not flush on reload
> >>
> >>   pfctl only takes the last '-F' argument into account, so this never did what
> >>   was intended.
> >>
> >>   Moreover, there is no reason to flush rules before reloading, because pf keeps
> >>   track of the rule which created a given state. That means that existing
> >>   connections will keep being processed according to the rule which originally
> >>   created them. Simply reloading the (new) rules suffices. The new rules will
> >>   apply to new connections.
> >
> > Would it be possible to wrap this in a conditional? (pf_keepexisting?)
> > You're changing existing, and possibly expected, behavior.
> > I say expected because I may not want those existing connections to
> > exist any longer as I had made a mistake in my pf configuration that
> > allowed connections I do not desire.
> >
> Keeping connections on reload (note, reload != restart) is not new behaviour.
> This has not changed.

It has, minorly, in that OSPF connections are not dropped now,
but if that's the only change I'll live with the change.

> The deleted line attempted to flush nat, queue, rules, Sources, info, Tables
> and osfp. It only ever flushed osfp because pfctl only took the last -F into
> account.

So might it be better to correct what it was attempting to do,
and wrap that in a conditional?  I may or may not want this
to exist after a reload, and that should be my option; the alternative
is for me to either edit this file or write my own, or to
execute a bunch of -F commands by hand.

It was clearly the intent of the original author to have these
flushed; fixing the mistake by removing the flushes is one way
to fix it.  I am asking for consideration of the fact that there is another
desired solution, and that both can exist with a simple knob.

> Regards,
> Kristof

-- 
Rod Grimes                                                 rgrimes at freebsd.org
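The "simple knob" the thread asks for, sketched as an added example. This is not FreeBSD's /etc/rc.d/pf and not code from either poster; the knob name pf_flush_on_reload, the PFCTL variable (so a test can substitute a stub for /sbin/pfctl), and the PF_FLUSH_CATEGORIES list are assumptions made here. The one point it demonstrates is the one the commit log states: pfctl acts only on the last -F it is given, so each of the categories the removed rc.d line named gets its own pfctl invocation, and the whole flush happens only when the operator has turned the knob on.

```shell
#!/bin/sh
# Added example (not FreeBSD's /etc/rc.d/pf): a pf reload routine with an
# opt-in flush. Assumed for this illustration: the knob name
# pf_flush_on_reload and the PFCTL variable, which lets a test point the
# routine at a stub instead of the real /sbin/pfctl.

: "${PFCTL:=/sbin/pfctl}"
: "${pf_rules:=/etc/pf.conf}"
: "${pf_flags:=}"
: "${pf_flush_on_reload:=NO}"   # assumed knob; YES flushes the categories below first

# The categories the removed rc.d line tried to flush in a single pfctl call.
# 'states' is deliberately absent, matching that line.
PF_FLUSH_CATEGORIES="nat queue rules Sources info Tables osfp"

# pfctl honours only the last -F on its command line, so a single
# "pfctl -F nat -F queue ... -F osfp" flushes osfp alone. One invocation per
# category is required for every category to actually be flushed.
pf_flush_categories() {
    for _cat in $PF_FLUSH_CATEGORIES; do
        "$PFCTL" -F "$_cat" || return 1
    done
}

# Load the rule set, flushing beforehand only when the operator asked for it.
# With the knob off this is the plain "pfctl -f" reload of r330105.
pf_reload() {
    case "$pf_flush_on_reload" in
    [Yy][Ee][Ss]) pf_flush_categories || return 1 ;;
    esac
    # pf_flags is intentionally unquoted: it may carry several options.
    "$PFCTL" $pf_flags -f "$pf_rules"
}
```

With the (assumed) knob unset, pf_reload issues exactly one pfctl call, `-f /etc/pf.conf`; with it set to YES it issues seven separate `-F` calls and then the `-f` load. Sourcing this into a shell and running `pf_flush_on_reload=YES; pf_reload` is the manual equivalent of the "bunch of -F commands by hand" the reply mentions.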

