On Fri, 12 Mar 2021 14:06:22 +0100 "Kristof Provost" <k...@freebsd.org> wrote:
Hello,

> On 12 Mar 2021, at 14:00, Patrick Lamaiziere wrote:
> > I've read the code of pfctl a bit. If pfctl crashes in
> > pfctl_optimize_ruleset, is there a risk to leave pf in a bad state?
> > Looks like the rules are sent to pf via ioctl after the
> > optimization so a crash before should be harmless (?).
> >
> That should be the case, yes.
>
> I've not checked the pfctl code to see if it actually starts the
> operation to change the rules or not, but either way, pf rule changes
> are atomic.
> They either succeed completely or not at all.
>
> Pf accomplishes this by keeping an active and inactive ruleset, and
> when you load new rules pfctl will start a transaction (DIOCXBEGIN),
> add the complete new ruleset (DIOCADDRULE) and only then commit to
> swapping the active and inactive rulesets (DIOCXCOMMIT).

Ok thanks a lot Kristof. So I don't have any explanation for my problem.

We will check that the firewalls filter out some traffic, stop IP forwarding if not and try to gather more information.

Best regards.