Date: Sun, 3 Apr 2005 12:34:05 -0700
From: Sean Chittenden <sean@gigave.com>
To: rc@FreeBSD.org
Cc: mlaier@FreeBSD.org
Subject: rc.d/pf reload behavior oddity...
Message-ID: <20050403193405.GA41736@sean.gigave.com>
Howdy. I'd like to wager that `rc.d/pf`'s `reload` has an unintended behavior that I'd like to correct. Right now `rc.d/pf reload` does a `-Fa`, which clears everything (tables, rules, queues, and pf's state table). I'd like to propose that rc.d/pf flush everything but the state tables, i.e.:

Index: pf
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/pf,v
retrieving revision 1.6
diff -u -r1.6 pf
--- pf	25 Oct 2004 08:12:28 -0000	1.6
+++ pf	3 Apr 2005 19:22:51 -0000
@@ -75,7 +75,7 @@
 	echo "Reloading pf rules."
 	${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
-	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
+	${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
 	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
 }

Which I believe is the intended behavior. The rationale being that if you've got a system and are making changes to the firewall, you want to keep existing state entries to prevent resetting everyone's existing TCP connections, but do want to load a new set of rules, queues, tables, filters, etc. If you're local to the machine and want to clear the state tables, people should use `rc.d/pf restart` instead.

Is it okay for me to apply the above patch and MFC it after 5.4 is released?

-sc

-- 
Sean Chittenden
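Review bot: the replacement flush list in the `+` line goes further than the stated rationale of "everything but the state tables": besides nat, queue, rules, Tables and osfp it also passes `-FSources` and `-Finfo`, which discard pf's source-tracking entries and its counters, and source-tracking entries are runtime state (they back sticky-address and the max-src-* limits) in the same way the state table is, so wiping them on every reload is the kind of disruption this change is meant to avoid. Suggest trimming the line to `${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FTables -Fosfp > /dev/null 2>&1` or stating in the commit message why sources and counters should go. Also worth noting while touching this line: both the old and the new flush send all output to `/dev/null` and ignore pfctl's exit status, unlike the `-n -f ... || return 1` check just above it, so a failing flush is silently skipped before the new ruleset is loaded.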