On Tue, Apr 03, 2018 at 08:49:09AM +0200, Kristof Provost wrote:
K> On 3 Apr 2018, at 0:04, Gleb Smirnoff wrote:
K> > I just want to note that this is a huge change of behaviour
K> > of pf(4) for a user. Over a decade everybody has been used
K> > to the difference between "reload" and "resync".
K>
K> There is no difference. r330105 removed the ‘$pf_program -Fnat -Fqueue
K> -Frules -FSources -Finfo -FTables -Fosfp’ line, but this never
K> actually did what the author thought it did.
K> pfctl only ever performed the last ‘-F’, not all of them, so all
K> this ever did was flush the OS fingerprints information. Clearly
K> that’s not what was intended.
K>
K> pf never actually breaks existing connections, because existing states
K> keep using the rule that created them, regardless of the current rules.
K> It wouldn’t have broken connections with resync either. A
K> ‘restart’ will, because ‘start’ does ‘pfctl -F all’.
K>
K> If the flush had actually done what was intended it’d arguably have
K> been a security issue, because reloading rules would then (briefly) open
K> the firewall, allowing all traffic to pass and establish state.
Hmm, maybe I am wrong, but back when I was actively working with pf, the "reload" command would break the ssh connection I am using, so I have taught myself to use "resync". If I am wrong, please go forward :)

-- 
Gleb Smirnoff
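As an added example (not from this thread and not FreeBSD's own rc.d or pfctl code), a small sh script modelling why the removed line only ever flushed OS fingerprints: a getopt-style option loop that overwrites its `-F` argument keeps just the last one, so each category has to be flushed in its own invocation. `PF_PROGRAM` is a placeholder that echoes instead of running pfctl, and the overwrite behaviour of the option parser is taken from Kristof's description above, not verified against pfctl's source here.

```shell
#!/bin/sh
# Added example, not part of the original thread. Models a getopt loop in
# which each -F replaces the previous one, which is what made
#   $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
# flush only the last category. PF_PROGRAM is a placeholder (defaults to
# echo) so nothing touches a real firewall when this runs.

PF_PROGRAM="${PF_PROGRAM:-echo pfctl}"

# last_flush_target: parse the given options the way an overwriting
# getopt loop would and print the one -F value that survives.
last_flush_target() {
    target=""
    OPTIND=1
    while getopts 'F:' opt "$@"; do
        case "$opt" in
            F) target="$OPTARG" ;;   # each -F overwrites the previous one
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$target"
}

# flush_each: what the old rc.d line intended, done correctly: one
# invocation per category so none of them is silently dropped.
flush_each() {
    for t in "$@"; do
        $PF_PROGRAM -F "$t"
    done
}

# Demonstration of both forms.
last_flush_target -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp
flush_each nat queue rules Sources info Tables osfp
```

With the placeholder the first call prints `osfp` (the only category the old line ever flushed) and the second prints one `pfctl -F <category>` line per argument.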