[Bug 127814] [pf] The flush in pf_reload in /etc/rc.d/pf does not work as intended
bugzilla-noreply at freebsd.org
Mon Apr 13 22:51:27 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=127814
longwitz at incore.de changed:
What    Removed    Added
CC                 longwitz at incore.de
--- Comment #2 from longwitz at incore.de ---
I would like to revise my proposal to fix pf_reload: correct is that
pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
works like
pfctl -Fosfp.
But instead of fixing this in pfctl or the pf script, this call to pfctl should
be deleted completely. Otherwise running connections could be broken by
pf_reload. In continuation of the patch given in PR 119874, I now prefer
--- pf.orig 2015-03-13 12:00:34.000000000 +0100
+++ pf 2015-04-14 00:31:56.513032000 +0200
@@ -46,16 +46,13 @@
pf_check()
{
echo "Checking pf rules."
- $pf_program -n -f "$pf_rules"
+ $pf_program -n -f "$pf_rules" $pf_flags
}
pf_reload()
{
echo "Reloading pf rules."
- $pf_program -n -f "$pf_rules" || return 1
- # Flush everything but existing state entries that way when
- # rules are read in, it doesn't break established connections.
- $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp >
/dev/null 2>&1
+ $pf_program -n -f "$pf_rules" $pf_flags || return 1
$pf_program -f "$pf_rules" $pf_flags
}
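Review bot: deleting the flush also deletes the only comment in pf_reload that explained why the state table survives a reload; with the flush gone, the function relies on `$pf_program -f "$pf_rules" $pf_flags` replacing the previously loaded rules, nat, queue and table definitions while leaving existing states in place, so keep a one-line comment to that effect next to the `-f` load or the next reader may reintroduce a flush. Appending `$pf_flags` to the `-n` dry runs in both pf_check and pf_reload is the right companion change, since the unchanged load line already passes `$pf_flags`: a value the rules depend on (a `-D macro=value` definition, for instance) no longer makes the check fail while the real load succeeds.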
Further, we should avoid breaking connections on skipped interfaces while
reloading pf rules. The patch given in
http://lists.freebsd.org/pipermail/freebsd-pf/2013-April/006994.html
does this job and works in FreeBSD 10 too.
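As an added example that is not part of the bug report or of the FreeBSD rc.d/pf script: a POSIX sh reload helper following the approach the comment settles on (dry run with the same flags as the load, then load, no flush), extended with a check that compares the size of the pf state table before and after the reload so that a reload that dropped established connections is noticed instead of going unseen. The variable names PFCTL, PF_RULES and PF_FLAGS and the function names are this example's own; it assumes pfctl(8) is on PATH and that `pfctl -si` prints a `current entries` line for the state table.

```shell
#!/bin/sh
# Added example, not code from the bug report or from /etc/rc.d/pf.
# PFCTL, PF_RULES and PF_FLAGS are this example's own variable names; the
# defaults are the real pfctl(8) and /etc/pf.conf. PFCTL may be overridden
# with a function name for testing without touching the live ruleset.
PFCTL="${PFCTL:-pfctl}"
PF_RULES="${PF_RULES:-/etc/pf.conf}"
PF_FLAGS="${PF_FLAGS:-}"

# Number of entries in the state table, parsed from "pfctl -si", whose
# state-table block contains a line of the form:
#   current entries                      123
# Prints nothing if pfctl is unavailable or the line is missing.
pf_state_count() {
    "$PFCTL" -si 2>/dev/null | awk '/current entries/ { print $3; exit }'
}

# True (exit 0) if the state count went down across a reload. Both
# arguments must be non-empty numbers; unknown counts are never "dropped".
pf_states_dropped() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$2" -lt "$1" ]
}

# Dry-run the rules with the same flags the real load uses, load only if
# the dry run passes, and record the state count on both sides of the load
# in PF_STATES_BEFORE / PF_STATES_AFTER.
# Returns 0 on success, 1 if the check failed (nothing loaded), 2 if the
# load itself failed. Warns on stderr if states were lost.
pf_safe_reload() {
    # PF_FLAGS is intentionally unquoted so that it is word-split.
    "$PFCTL" -n -f "$PF_RULES" $PF_FLAGS || return 1
    PF_STATES_BEFORE=$(pf_state_count)
    "$PFCTL" -f "$PF_RULES" $PF_FLAGS || return 2
    PF_STATES_AFTER=$(pf_state_count)
    if pf_states_dropped "$PF_STATES_BEFORE" "$PF_STATES_AFTER"; then
        echo "warning: pf state entries went from $PF_STATES_BEFORE to $PF_STATES_AFTER during reload" >&2
    fi
    return 0
}
```

Run as root with `. ./pf_safe_reload.sh && pf_safe_reload`, or set PF_FLAGS to the same value as pf_flags in rc.conf so the dry run sees the same macros as the load. The state-count comparison is a coarse signal (states also expire on their own), but a large drop right across the reload is exactly the symptom the thread is about.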