Date:      Mon, 13 Apr 2015 22:51:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 127814] [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended
Message-ID:  <bug-127814-17777-l7NzRn4aV5@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-127814-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-127814-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=127814

longwitz@incore.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |longwitz@incore.de

--- Comment #2 from longwitz@incore.de ---
I would like to revise my proposal to fix pf_reload: what is correct is that
  pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
works like
  pfctl -Fosfp.
But instead of fixing this in pfctl or the pf script, this call to pfctl should
be deleted completely. Otherwise, running connections could be broken by
pf_reload. In continuation of the patch given in PR 119874, I now prefer:

--- pf.orig     2015-03-13 12:00:34.000000000 +0100
+++ pf  2015-04-14 00:31:56.513032000 +0200
@@ -46,16 +46,13 @@
 pf_check()
 {
        echo "Checking pf rules."
-       $pf_program -n -f "$pf_rules"
+       $pf_program -n -f "$pf_rules" $pf_flags
 }

 pf_reload()
 {
        echo "Reloading pf rules."
-       $pf_program -n -f "$pf_rules" || return 1
-       # Flush everything but existing state entries that way when
-       # rules are read in, it doesn't break established connections.
-       $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp >
/dev/null 2>&1
+       $pf_program -n -f "$pf_rules" $pf_flags || return 1
        $pf_program -f "$pf_rules" $pf_flags
 }
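Review bot: Dropping the flush also drops the only comment in pf_reload that explains why established connections survive a reload; keep a one-line comment there saying the flush was removed on purpose and that "$pf_program -f" alone is relied on, otherwise the next reader will reintroduce "-Fnat -Fqueue ... -Fosfp" in good faith (the removed comment even describes it as flushing everything but state). Two smaller points: pf_check and the first line of pf_reload now run the identical `$pf_program -n -f "$pf_rules" $pf_flags`, so pf_reload could call pf_check instead of duplicating the command (its "Checking pf rules." echo is harmless during a reload); and the removed line is shown wrapped in this mail, with `> /dev/null 2>&1` on a line of its own, so make sure the patch as submitted carries it as one line or the hunk will not apply.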

Further, we should avoid breaking connections on skipped interfaces while
reloading pf rules. The patch given in
   http://lists.freebsd.org/pipermail/freebsd-pf/2013-April/006994.html
does this job and works on FreeBSD 10 too.

-- 
You are receiving this mail because:
You are the assignee for the bug.
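An added illustration of the point in comment #2 that the seven-option flush "works like pfctl -Fosfp". This is example code written for this page, not part of the PR and not FreeBSD's pfctl source: it models the reported behaviour with a getopts loop in which every -F overwrites one variable, so only the last -F survives, and contrasts it with a parser that accumulates every -F target, which is what the rc script evidently expected. That pfctl's own option parser is built exactly this way is an assumption of the example; the observable effect is the one the comment states.

```shell
#!/bin/sh
# Added example, not code from PR 127814 or from FreeBSD's pfctl.
# It models the behaviour reported in the PR: each -F replaces the previous
# one, so of
#   pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
# only -Fosfp takes effect.  That pfctl's parser is structured this way is an
# assumption of this example.

# flush_targets ARGS...: parse pfctl-style options ("-F target", "-n",
# "-f file") the "last -F wins" way and print the single target that
# would actually be flushed.
flush_targets() {
    clearopt=""
    OPTIND=1                       # reset so the function can be called again
    while getopts "F:f:n" opt "$@"; do
        case "$opt" in
        F) clearopt="$OPTARG" ;;   # each -F overwrites the previous one
        f|n) ;;                    # accepted, irrelevant for the flush
        esac
    done
    echo "$clearopt"
}

# flush_targets_all ARGS...: the parser the rc script expected, accumulating
# every -F target.  Prints them space-separated, in command-line order.
flush_targets_all() {
    targets=""
    OPTIND=1
    while getopts "F:f:n" opt "$@"; do
        case "$opt" in
        F) targets="${targets:+$targets }$OPTARG" ;;
        f|n) ;;
        esac
    done
    echo "$targets"
}

# Demonstration with the exact option string from the old pf_reload.
old_flush="-Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp"
# shellcheck disable=SC2086   # word splitting of $old_flush is intended
echo "last -F wins: $(flush_targets $old_flush)"
echo "all honoured: $(flush_targets_all $old_flush)"
```

To confirm this against the real pfctl on a FreeBSD host, note the output of `pfctl -sr` and `pfctl -sn` before and after running the seven-option command: if the rules and NAT entries are still listed afterwards, only the last -F (osfp) was honoured, which is exactly why the old flush never protected a reload from stale rules and why removing it, as the patch does, changes nothing for rules, NAT or queues.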


