On 3 Apr 2018, at 18:06, Gleb Smirnoff wrote:
On Tue, Apr 03, 2018 at 08:49:09AM +0200, Kristof Provost wrote:
K> On 3 Apr 2018, at 0:04, Gleb Smirnoff wrote:
K> > I just want to note that this is a huge change of behaviour
K> > of pf(4) for a user. Over a decade everybody has been used
K> > to the difference between "reload" and "resync".
K>
K> There is no difference. r330105 removed the ‘$pf_program -Fnat -Fqueue
K> -Frules -FSources -Finfo -FTables -Fosfp’ line, but this never
K> actually did what the author thought it did.
K> pfctl only ever performed the last ‘-F’, not all of them, so all
K> this ever did was flush the OS fingerprints information. Clearly
K> that’s not what was intended.
K>
K> pf never actually breaks existing connections, because existing states
K> keep using the rule that created them, regardless of the current rules.
K> It wouldn’t have broken connections with resync either. A
K> ‘restart’ will, because ‘start’ does ‘pfctl -F all’.
K>
K> If the flush had actually done what was intended it’d arguably have
K> been a security issue, because reloading rules would then (briefly) open
K> the firewall, allowing all traffic to pass and establish state.

Hmm, may be I am wrong, but back when I was actively working with pf,
the "reload" command would break the ssh connection I am using, so
I have taught myself to use "resync".

Apparently reload used to have a ‘${pf_program:-/sbin/pfctl} -Fa’, which would have flushed everything and killed your connection. That was removed back in 2005 (April 4th, so pretty much exactly 13 years ago), and replaced by the erroneous ‘-Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp’ version.

Regards,
Kristof
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
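An added example (not pfctl's source and not part of the thread) of the parsing pattern Kristof describes: when an option loop stores each -F argument into a single variable, only the last one survives, so the old rc.d line "-Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp" collapses to a flush of the OS fingerprints. The second parser shows what that rc.d line assumed pfctl did (every modifier honoured), which, per the thread, would have briefly left the firewall open on every reload. All names here (flush_bits, parse_flush_last_wins, parse_flush_accumulate, the modifier table) are hypothetical, and the sample argv is constructed from the command line quoted in the thread.

```c
/* Added illustration of "last -F wins" vs. accumulating -F modifiers.
 * Hypothetical code; it is not pfctl and does not touch the kernel. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum flush_bits {
    FLUSH_NAT     = 1 << 0,
    FLUSH_QUEUE   = 1 << 1,
    FLUSH_RULES   = 1 << 2,
    FLUSH_STATES  = 1 << 3,
    FLUSH_SOURCES = 1 << 4,
    FLUSH_INFO    = 1 << 5,
    FLUSH_TABLES  = 1 << 6,
    FLUSH_OSFP    = 1 << 7,
    FLUSH_ALL     = 0xff
};

struct flush_modifier { const char *name; unsigned bit; };

/* Constructed table of the modifier names used in the thread (exact match;
 * prefix matching as in the real tool is omitted for brevity). */
static const struct flush_modifier modifiers[] = {
    { "nat", FLUSH_NAT },       { "queue", FLUSH_QUEUE },   { "rules", FLUSH_RULES },
    { "states", FLUSH_STATES }, { "Sources", FLUSH_SOURCES }, { "info", FLUSH_INFO },
    { "Tables", FLUSH_TABLES }, { "osfp", FLUSH_OSFP },     { "all", FLUSH_ALL }
};

static unsigned lookup_modifier(const char *arg) {
    for (size_t i = 0; i < sizeof modifiers / sizeof modifiers[0]; i++)
        if (strcmp(modifiers[i].name, arg) == 0)
            return modifiers[i].bit;
    return 0; /* unknown modifier: ignored here, pfctl would reject it */
}

/* Collects the value of every -F occurrence ("-Frules" or "-F rules").
 * Returns how many were found; out[] receives the modifier strings. */
static int collect_flush_args(int argc, char **argv, const char **out, int max) {
    int n = 0;
    for (int i = 1; i < argc && n < max; i++) {
        if (strncmp(argv[i], "-F", 2) != 0)
            continue;
        const char *val = argv[i][2] ? argv[i] + 2 : (i + 1 < argc ? argv[++i] : NULL);
        if (val)
            out[n++] = val;
    }
    return n;
}

/* Buggy pattern: each -F overwrites one variable, so only the last modifier
 * is acted on. Given the old rc.d line this yields FLUSH_OSFP alone. */
unsigned parse_flush_last_wins(int argc, char **argv) {
    const char *vals[16];
    const char *chosen = NULL;
    int n = collect_flush_args(argc, argv, vals, 16);
    for (int i = 0; i < n; i++)
        chosen = vals[i]; /* assignment, not accumulation */
    return chosen ? lookup_modifier(chosen) : 0;
}

/* What the rc.d author evidently expected: every modifier's bit is OR-ed into
 * a mask, so all requested flushes would happen (and rules would be gone
 * until the new ruleset loads). */
unsigned parse_flush_accumulate(int argc, char **argv) {
    const char *vals[16];
    unsigned mask = 0;
    int n = collect_flush_args(argc, argv, vals, 16);
    for (int i = 0; i < n; i++)
        mask |= lookup_modifier(vals[i]);
    return mask;
}

/* Constructed argv reproducing the command line quoted in the thread. */
static char *rc_reload_line[] = {
    "pfctl", "-Fnat", "-Fqueue", "-Frules", "-FSources", "-Finfo", "-FTables", "-Fosfp"
};
static const int rc_reload_argc = 8;

unsigned demo_last_wins(void)   { return parse_flush_last_wins(rc_reload_argc, rc_reload_line); }
unsigned demo_accumulate(void)  { return parse_flush_accumulate(rc_reload_argc, rc_reload_line); }

int main(void) {
    unsigned last = demo_last_wins(), all = demo_accumulate();
    printf("last-wins mask 0x%02x: rules flushed? %s\n", last, (last & FLUSH_RULES) ? "yes" : "no");
    printf("accumulated mask 0x%02x: rules flushed? %s\n", all, (all & FLUSH_RULES) ? "yes" : "no");
    return 0;
}
```

Running it prints a last-wins mask that contains only the osfp bit, matching Kristof's observation that the line "only ever flushed the OS fingerprints", while the accumulated mask includes the rules bit, which is exactly the window the thread calls a potential security issue. The thread's fix was to drop the flush entirely rather than make it accumulate, since pfctl -f replaces the ruleset without that gap.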
