PF reset existing connections on 10.0-RELEASE/sparc64

Hi,

Consider this very simple PF configuration, on a multi-NIC machine but with only bge0 as active (others are even not connected):
Code:
set block-policy return
set skip on lo0
block all
pass in on bge0
pass out on bge0
When on sparc64 and starting the PF service using service pf start, i.e. (/sbin/pfctl -F all; /sbin/pfctl -f /etc/pf.conf; /sbin/pfctl -eq), existing TCP connections are reset. The block-policy statement only helps to face the reset immediately, but it also occurs without it.
This does not happen with the very same rules and the same bge driver with a 10.0-RELEASE/i386 machine.
Any hint?
 
Re: pf reset existing connections on 10.0-RELEASE/sparc64

More on this: when pf is disabled, TCP connections are reset on activation, i.e. /sbin/pfctl -e, but once enabled, TCP connections are *not* reset on reload (i.e. on /sbin/pfctl -f /etc/pf.conf).
 
This is a well-known behavior. You should start pf at boot time (pf_enable="YES" in rc.conf) and never enable/disable it again (unless you know what you are doing). I use pfctl -nf /etc/pf.conf to test the rules and pfctl -mf /etc/pf.conf to merge them in.
 
I'm quite surprised since it works on i386 and I didn't see anything about that anywhere, but ok
And thanks for the merge tip.
 
NE said:
I'm quite surprised since it works on i386 and I didn't see anything about that anywhere, but ok
And thanks for the merge tip.

This behavior is the same on amd64 and was the same on i386 as far as I can remember. Frankly I wouldn't consider this behavior as platform dependent. I'd consider it as a feature actually.

During the time when PF is disabled there are no connection states being tracked by the system. Then, after you enable PF, there's no way of knowing which state is OK to keep and which is not. Therefore you have to drop all connections, apply the config, and start tracking states.
However, when PF is running, states are tracked. If you reload the configuration, the system knows the states and can act accordingly.
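The reload discipline recommended in the thread (keep pf enabled from boot, syntax-check with pfctl -nf, then load in place rather than disable/flush/enable, so the state table and existing TCP connections survive) can be wrapped in a small script. This is an added example, not code from the thread or from FreeBSD; it assumes the pfctl(8) options shown in the thread (-nf, -f) and lets the PFCTL variable be overridden so it can be exercised without a real pf kernel. Note that service pf start, as quoted above, runs pfctl -F all first, which is exactly what this helper avoids.

```shell
#!/bin/sh
# Added example (not from the thread): reload pf rules in place so that the
# state table survives, instead of disabling and re-enabling pf.
# Assumes pfctl(8) as on FreeBSD 10; PFCTL may be overridden for testing.
PFCTL="${PFCTL:-/sbin/pfctl}"

# pf_safe_reload [RULEFILE]
#   1. parse the rule set only (pfctl -nf): the kernel rules are untouched
#   2. on success, load it with pfctl -f: pf stays enabled, states are kept
# Never calls pfctl -d, pfctl -e or pfctl -F all, so existing TCP
# connections are not reset by the reload.
pf_safe_reload() {
    rules="${1:-/etc/pf.conf}"
    if [ ! -r "$rules" ]; then
        echo "pf_safe_reload: cannot read $rules" >&2
        return 2
    fi
    # dry run: syntax check without loading anything
    if ! "$PFCTL" -nf "$rules"; then
        echo "pf_safe_reload: rule set rejected, kernel rules unchanged" >&2
        return 1
    fi
    # load the checked rules in place; the state table is preserved
    "$PFCTL" -f "$rules"
}

# pf_enabled_at_boot [RCFILE]
#   Returns 0 if rc.conf enables pf at boot (pf_enable="YES"), which is the
#   thread's first recommendation: pf should come up once and stay up.
pf_enabled_at_boot() {
    grep -Eq '^[[:space:]]*pf_enable="?YES"?[[:space:]]*$' "${1:-/etc/rc.conf}"
}

# Typical use on the firewall itself:
#   pf_enabled_at_boot || echo 'add pf_enable="YES" to /etc/rc.conf'
#   pf_safe_reload /etc/pf.conf
```

Run pf_safe_reload in place of service pf restart whenever the rule file changes; a rule file that fails the -nf check is never loaded, so a typo cannot leave the box with a half-applied rule set, and because pf is never disabled the connections that were already in the state table keep flowing.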
 