From owner-freebsd-questions@freebsd.org  Fri Mar 24 09:16:48 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 61181CA1381
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Fri, 24 Mar 2017 09:16:48 +0000 (UTC)
 (envelope-from odhiambo@gmail.com)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com
 [IPv6:2607:f8b0:400d:c09::235])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1BD8B1E57
 for <freebsd-questions@freebsd.org>; Fri, 24 Mar 2017 09:16:48 +0000 (UTC)
 (envelope-from odhiambo@gmail.com)
Received: by mail-qk0-x235.google.com with SMTP id f11so6193639qkb.0
 for <freebsd-questions@freebsd.org>; Fri, 24 Mar 2017 02:16:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=Ztvk6rDA4YuucKJ74tQf1/GWW+yDfy6Tn8cdVxQqCMI=;
 b=T8O4zE2GYJpi2loLIKtKtA80eA0ZJJg5NVPCF4RKGCuP9/PnepIBG/DdMDJRqSoFT4
 KbEWA8fDCJM+NYLDXwP+9mC0UCXb6mq506fjhrh0AWEBSV5cd/AjqKVizOib56lWML5B
 epMXOB3tiYdXkbGpfJ7G215OF+Cntq2jQP3CWkJtgL6gplYbB1pefu1VdMdX7Bcb6c04
 z+kSHtiZRSC6DwGUt9lpo0ZNxPCOyq07BaU2iVolndNfRBPBaMtDleBPgVkd2mwY9lwM
 01uC6q3z/b+k3SGWCOiE950x6dCmMp3LiZtn0x8VsjIzu0zCgZReB9j/fUl1oVKrUOQ+
 BXHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=Ztvk6rDA4YuucKJ74tQf1/GWW+yDfy6Tn8cdVxQqCMI=;
 b=gcA5oHEmOuDVj4kfbj7ZjtO54U+kBWv21J3REuC3UjDsMip/eI/U5+jz1D445gfJaM
 4++9KU0/ax0MdCU15zim41NH57ceSWvcSly0uXSHNjsBWL/oGXm0sNR/Ze8aK3ULAKbt
 j1daT2qSHuKiGr/0/STWp09+fnOSElU6MpSzMoojPyuHA/UUD6j0KsVg1TdPxbraNMkz
 nSYdxCs5bTFj+vJe32HAolq+IO0J1AzZZ7Hutf9tf+zmS1JkMZhcP1pVfROD6U0HH2Kh
 ijYN4H9EJqgbijQpEez0GHE/vy6z7m7NSDvhgWrW1RSsZaTND6aVtKrthOf7NrLQ5JlR
 1yiQ==
X-Gm-Message-State: AFeK/H3sbO91Fz5FJiiMuvZlmQErnPRFARkGM3v5ECmeEdTqI4adFFegdxsxTUM6gaSBqoqKZtrdZi841LswkQ==
X-Received: by 10.55.147.131 with SMTP id v125mr6037751qkd.39.1490347007379;
 Fri, 24 Mar 2017 02:16:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.74.149 with HTTP; Fri, 24 Mar 2017 02:16:06 -0700 (PDT)
In-Reply-To: <f208af7c-1427-ea5e-e849-3f9055d56838@qeng-ho.org>
References: <d8c45fd2a689b07df63082aa04e036e7.squirrel@webmail.harte-lyne.ca>
 <f208af7c-1427-ea5e-e849-3f9055d56838@qeng-ho.org>
From: Odhiambo Washington <odhiambo@gmail.com>
Date: Fri, 24 Mar 2017 12:16:06 +0300
Message-ID: <CAAdA2WMudfmePPrHCOY8XcgCvDn-r78Ono-vrX_RdYn37nJMqw@mail.gmail.com>
Subject: Re: Restaarting PF and its effects on jails and vms
To: Arthur Chance <freebsd@qeng-ho.org>
Cc: "James B. Byrne" <byrnejb@harte-lyne.ca>,
 User Questions <freebsd-questions@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 09:16:48 -0000

On 24 March 2017 at 11:20, Arthur Chance <freebsd@qeng-ho.org> wrote:

> On 23/03/2017 18:29, James B. Byrne via freebsd-questions wrote:
> > I am revising the pf configuration for the FreeBSD-10.3 host of a
> > number of FreeBSD-11.0 BHyve instances. When I restart PF on the host
> > then traffic to a number of guests gets blocked even though the
> > ruleset says it should not be.
> >
> > Since the incoming ports for the blocked traffic appear to be from the
> > upper dynamic range I infer that this traffic is related to
> > connections established before PF was restarted and are now 'orphaned'
> > in consequence.  In other words, had the initial connection between
> > client anf service been made while PF was already running the traffic
> > being blocked following a restart would have been let through as being
> > part of an established connection.
> >
> > What is the recommended way of dealing with this issue when restarting
> > PF, if there is one?
>
> Don't restart pf, reload it. "service pf reload" goes to great lengths
> not to interfere with existing connections whereas "service pf restart"
> blows away everything before restarting.
>
> This is fresh in my mind because I made exactly the same mistake last
> week before remembering to reload. :-)
>

A quick one, before I get to RTFM, is there an equivalent 'reload' option
for pfctl (9.3-STABLE)?

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."