svn commit: r330105 - head/etc/rc.d
Rodney W. Grimes
freebsd at pdx.rh.CN85.dnsmgr.net
Wed Feb 28 16:19:27 UTC 2018
> On 28 Feb 2018, at 21:02, Rodney W. Grimes wrote:
> >> Author: kp
> >> Date: Wed Feb 28 08:53:07 2018
> >> New Revision: 330105
> >> URL: https://svnweb.freebsd.org/changeset/base/330105
> >>
> >> Log:
> >> pf: Do not flush on reload
> >>
> >> pfctl only takes the last '-F' argument into account, so this never
> >> did what was intended.
> >>
> >> Moreover, there is no reason to flush rules before reloading, because
> >> pf keeps track of the rule which created a given state. That means
> >> that existing connections will keep being processed according to the
> >> rule which originally created them. Simply reloading the (new) rules
> >> suffices. The new rules will apply to new connections.
> >
> > Would it be possible to wrap this in a conditional? (pf_keepexisting?)
> > You're changing existing, and possibly expected, behavior.
> > I say expected because I may not want those existing connections to
> > exist any longer as I had made a mistake in my pf configuration that
> > allowed connections I do not desire.
> >
> Keeping connections on reload (note, reload != restart) is not new
> behaviour.
> This has not changed.
It has, minorly, in that OSPF connections are not dropped now,
but if that's the only change I'll live with the change.
> The deleted line attempted to flush nat, queue, rules, Sources, info,
> Tables and osfp. It only ever flushed osfp because pfctl only took the
> last -F into account.
So might it be better to correct what it was attempting to do,
and wrap that in a conditional? I may or may not want this
to exist after a reload, and that should be my option; the alternative
is for me to either edit this file, or write my own, or to
execute a bunch of -F commands by hand.
It was clearly the intent of the original author to have these
flushed; fixing the mistake by removing the flushes is one way
to fix it. I am asking for consideration that there is another
desired solution, and that both can exist with a simple knob.
> Regards,
> Kristof
--
Rod Grimes rgrimes at freebsd.org
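The two points raised in this exchange, that a single pfctl invocation only honours its last -F and that the flush could sit behind an rc.conf knob, can be shown together. The script below is an added example, not the FreeBSD /etc/rc.d/pf script or any code from the thread; it assumes the knob name pf_keepexisting proposed above (YES keeps existing states, matching the r330105 behaviour), a PF_DRY_RUN variable that prints the pfctl commands instead of running them, and a local stand-in for rc.subr's checkyesno so it runs without rc.subr or pfctl installed.

```shell
#!/bin/sh
# Added example (not FreeBSD's /etc/rc.d/pf): a reload routine that honours a
# hypothetical rc.conf knob pf_keepexisting, as proposed in the thread.
# pfctl only acts on the last -F given in one invocation, so each flush
# target gets its own pfctl call instead of one "-F nat -F queue ..." line.

pf_rules="${pf_rules:-/etc/pf.conf}"        # assumed rules path (rc.d default)
pf_keepexisting="${pf_keepexisting:-YES}"   # YES: keep states on reload (r330105 behaviour)
PF_DRY_RUN="${PF_DRY_RUN:-1}"               # 1: print commands instead of calling pfctl

# Minimal stand-in for rc.subr's checkyesno: true for yes/true/on/1.
checkyesno_knob() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Run, or in dry-run mode print, one pfctl invocation.
run_pfctl() {
    if [ "$PF_DRY_RUN" = 1 ]; then
        echo "pfctl $*"
    else
        pfctl "$@"
    fi
}

# The flush sequence the deleted rc.d line intended, one -F per target,
# because only the last -F of a single invocation is honoured.
pf_flush_all() {
    for target in nat queue rules Sources info Tables osfp; do
        run_pfctl -F "$target"
    done
}

# Reload: flush first only when the administrator asked for it, then load
# the new rule set. Existing states survive unless the knob says otherwise.
pf_reload() {
    if ! checkyesno_knob "$pf_keepexisting"; then
        pf_flush_all
    fi
    run_pfctl -f "$pf_rules"
}

# Number of pfctl commands a reload would issue with the current knobs.
pf_reload_cmd_count() {
    pf_reload | wc -l | tr -d ' '
}

pf_reload
```

With pf_keepexisting=YES the reload issues a single `pfctl -f /etc/pf.conf`; with pf_keepexisting=NO it issues seven separate -F commands followed by the rule load. Note that the list of targets comes from the deleted line quoted in the thread and deliberately omits states, so even the flushing path does not drop established connections; `pfctl -F all` would.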