Date: Mon, 04 Mar 2013 16:47:36 +0100
From: Andreas Longwitz <longwitz@incore.de>
To: freebsd-pf@freebsd.org
Subject: Reloading pf rules breaks connections on lo0
Message-ID: <5134C218.6060701@incore.de>
I run FreeBSD 8 Stable with pf enabled and have the line

  set skip on lo0

in my /etc/pf.conf. Reloading the pf rules with

  pfctl -f /etc/pf.conf

breaks any active running connections on lo0. Example:

  -> scp bigfile 127.0.0.1:bigfile.copy
  bigfile    10%   96MB  10.5MB/s   01:15 ETA
  Write failed: Operation not permitted
  lost connection

In pflog I see

  15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
  15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
  15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
  15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0

I can avoid the break on active connections on lo0 using the commands

  pfctl -d
  pfctl -f /etc/pf.conf
  pfctl -e

but this may break other things and is not what I want.

From man pf.conf, "set skip on ..":

  Packets passing in or out on such interfaces are passed as if pf was
  disabled, i.e. pf does not process them in any way.

I think this should be true for reloading the rules too.

--
Andreas Longwitz
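A post-reload sanity check, added here as an example and not code from the original message or from the pf project: it reads the `set skip on` interfaces out of a pf.conf text and scans pflog text output (the tcpdump-style `[block lo0/0]` tagging quoted above) for block entries on those interfaces, which should never occur if skip were honoured. The pf.conf fragment is constructed to mirror the report, the four lo0 log lines are the ones quoted in the message, and the fifth (em0) line is constructed as a negative control; the exact pflog text layout is assumed to match what the report shows.

```python
import re

# Constructed pf.conf fragment mirroring the report's "set skip on lo0".
PF_CONF = """
set skip on lo0
block log all
pass out quick on em0 keep state
"""

# First four lines quoted from the report; last line constructed (em0 block,
# not a skipped interface, so it must not be flagged).
PFLOG_LINES = """
15:33:37.310320 127.0.0.1 -> 127.0.0.1 TCP 164 [block lo0/0] ssh > 52650 [PSH, ACK] Seq=1 Ack=1 Win=8960 Len=48
15:33:37.310732 127.0.0.1 -> 127.0.0.1 TCP 14452 [block lo0/0] 52650 > ssh [ACK] Seq=1 Ack=1 Win=8960 Len=14336
15:33:37.311153 127.0.0.1 -> 127.0.0.1 TCP 2212 [block lo0/0] 52650 > ssh [FIN, PSH, ACK] Seq=14337 Ack=1 Win=8960 Len=2096
15:33:37.314473 127.0.0.1 -> 127.0.0.1 TCP 116 [block lo0/0] ssh > 52650 [FIN, ACK] Seq=49 Ack=1 Win=8960 Len=0
15:33:38.000000 10.0.0.5 -> 10.0.0.1 TCP 60 [block em0/2] 40000 > ssh [SYN] Seq=0 Win=65535 Len=0
"""

# "set skip on lo0" or "set skip on { lo0 em1 }"
SKIP_RE = re.compile(r'^\s*set\s+skip\s+on\s+(.+?)\s*$', re.M)
# The "[action iface/rulenr]" tag as it appears in pflog text output.
ACTION_RE = re.compile(r'\[(pass|block|match|rdr|nat|binat|scrub)\s+([A-Za-z0-9.]+)/(\d+)\]')


def skipped_interfaces(conf):
    """Return the set of interface names listed in 'set skip on' lines."""
    ifaces = set()
    for m in SKIP_RE.finditer(conf):
        spec = m.group(1).strip('{} ')
        ifaces.update(tok.strip(',') for tok in spec.split())
    return ifaces


def parse_pflog_line(line):
    """Return (timestamp, action, interface, rule_number) or None if the
    line carries no pf action tag."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    return (line.split()[0], m.group(1), m.group(2), int(m.group(3)))


def blocks_on_skipped(conf, pflog):
    """Return the pflog records showing a block on an interface that pf.conf
    says pf should not process at all."""
    skipped = skipped_interfaces(conf)
    hits = []
    for line in pflog.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec[1] == 'block' and rec[2] in skipped:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for ts, action, iface, rule in blocks_on_skipped(PF_CONF, PFLOG_LINES):
        print(f"{ts}: {action} on skipped interface {iface} (rule {rule})")
```

On a live system the same check would be fed from `tcpdump -n -e -ttt -i pflog0` output captured around the reload, so that a rule reload silently dropping traffic on a skipped interface shows up immediately rather than as a failed scp.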