On Wed, 16 Feb 2011, Kevin Chadwick wrote:

> From: Kevin Chadwick <ma1l1i...@yahoo.co.uk>
> To: misc@openbsd.org
> Date: Wed, 16 Feb 2011 14:27:08
> Subject: Re: route flush and sh /etc/netstart not enough?
>
> On Wed, 16 Feb 2011 14:47:39 +0100
> Henning Brauer wrote:
>
> > indeed.
>
> hmmm, it's bugging me where I read that there was a window. I have
> a memory that it was quite an authoritative source but I guess not.
>
> Anyway, cool to know now.

This is quite clearly covered in Peter Hansteen's online PF tutorial.
To quote from:

http://home.nuug.no/~peter/pf/en/stricter.html

    Under any circumstances the last valid rule set loaded will be in
    force until you either disable PF or load a new rule set. That is
    worth noting: When loading a new rule set, the last valid rule set
    stays loaded until the new one is fully parsed and loaded, and PF
    switches directly from one to the other. There is no intermediate
    stage with no rules loaded or a mixture of the two rule sets.

This is also explained quite early in both editions of his book. On
page 14 in the first edition, page 21 in the second edition.

-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk
Phone: +44 1225 386101