https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=127814
longw...@incore.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |longw...@incore.de

--- Comment #2 from longw...@incore.de ---

I would like to revise my proposal to fix pf_reload. What is correct is that

    pfctl -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp

works like pfctl -Fosfp. But instead of fixing this in pfctl or the pf script, this call of pfctl should be deleted completely. Otherwise running connections could be broken by pf_reload.

In continuation of the patch given in PR 119874, I now prefer:

--- pf.orig	2015-03-13 12:00:34.000000000 +0100
+++ pf	2015-04-14 00:31:56.513032000 +0200
@@ -46,16 +46,13 @@
 pf_check()
 {
 	echo "Checking pf rules."
-	$pf_program -n -f "$pf_rules"
+	$pf_program -n -f "$pf_rules" $pf_flags
 }
 
 pf_reload()
 {
 	echo "Reloading pf rules."
-	$pf_program -n -f "$pf_rules" || return 1
-	# Flush everything but existing state entries that way when
-	# rules are read in, it doesn't break established connections.
-	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
+	$pf_program -n -f "$pf_rules" $pf_flags || return 1
 	$pf_program -f "$pf_rules" $pf_flags
 }

Further, we should avoid breaking connections on skipped interfaces while reloading pf rules. The patch given in http://lists.freebsd.org/pipermail/freebsd-pf/2013-April/006994.html does this job and works in FreeBSD 10 too.
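Review bot: in pf_reload, removing the -F line changes behaviour beyond dropping a call that only acted as -Fosfp: "pfctl -f" replaces the loaded nat, queue and filter rules and tables as one transaction, so those flushes were redundant anyway, but -Finfo (counters) and -FSources (source-tracking entries) will now survive a reload and the deleted comment no longer documents that intent. Suggest replacing the two deleted comment lines with a one-line comment stating that no flush is needed because the ruleset load is atomic and that state and source-tracking entries are intentionally kept. Appending $pf_flags to the "-n" dry run in both pf_check and pf_reload is the right fix: flags such as "-D macro=value" affect parsing, so a dry run without them could reject or mis-parse a ruleset that the real load then accepts, and the check must exercise exactly the same invocation as the load.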