If adding "set skip on wg0" in pf.conf, the rule persists and seemingly can't be removed when loading new rules without this skip line.

Using FreeBSD 14.1-RELEASE-p3 GENERIC amd64

The top of my pf.conf:

## Don't filter on loopback interface
set skip on lo0
set skip on wg0

# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
lo
lo0 (skip)
pflog
pflog0
vtnet0
wg
wg0 (skip)

Removed skip on wg0 as I got the rules in place I wanted and reloaded, but they did not have any effect, as skip on wg0 was still in place.

No errors in the rules preventing them from updating:

# pfctl -nf /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
lo
lo0 (skip)
pflog
pflog0
vtnet0
wg
wg0 (skip)
FYI, pfctl -Fall -f /etc/pf.conf seems to do the trick
Created attachment 252785 [details]
add args to allow interface flag clearing

Not sure if notionally and functionally this is correct. But if you have something like

--- /tmp/pf.conf.on	2024-08-15 16:06:15.950332000 -0400
+++ /tmp/pf.conf.off	2024-08-15 16:06:18.927081000 -0400
@@ -1,4 +1,4 @@
-set skip on lo0
+#set skip on lo0

it seems to work

1{july04apu}# pfctl -f /tmp/pf.conf.on
0{july04apu}# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bridge
bridge0
igc0
igc1
igc2
igc3
lo
lo0 (skip)
pflog
pflog0
tap
tap0
0{july04apu}# pfctl -f /tmp/pf.conf.o
pf.conf.off pf.conf.on
0{july04apu}# pfctl -f /tmp/pf.conf.off
0{july04apu}# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bridge
bridge0
igc0
igc1
igc2
igc3
lo
lo0 (skip)
pflog
pflog0
tap
tap0
0{july04apu}# pfctl -FInterfaces
pf: interface flags reset
0{july04apu}#
0{july04apu}# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bridge
bridge0
igc0
igc1
igc2
igc3
lo
lo0
pflog
pflog0
tap
tap0
0{july04apu}#
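Review bot: the hunk header `@@ -1,4 +1,4 @@` declares four lines of context but only the changed pair is visible here, so the surrounding lines of pf.conf.on were dropped; nothing is lost for the reproduction, since the only change is commenting out `set skip on lo0` (equivalent to deleting it as far as pfctl is concerned), and the session that follows shows the kernel still reporting `lo0 (skip)` after loading pf.conf.off until `pfctl -FInterfaces` resets the flags, the same symptom the reporter saw on wg0.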
(In reply to mike from comment #1)

Thank you, pfctl -F all -f /etc/pf.conf did indeed work, so that is good to know about. It did freeze my connection to the server though, so I had to reconnect.
(In reply to Lorange from comment #3)

You have to reconnect as it flushes all the existing states, so it's expected. I had a look at the OpenBSD src and they don't allow flushing just the interface flags either, so there might be good reasons why you don't want to do just that and it has to be in conjunction with a -F all.
Sigh. set skip is the gift that keeps on giving. Try this: https://reviews.freebsd.org/D46311
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6a88e22728d285c4df17216515ce2b8d1e5a6835

commit 6a88e22728d285c4df17216515ce2b8d1e5a6835
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-08-16 12:55:31 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-08-19 16:02:15 +0000

    pfctl: pfik_ifp is always NULL

    The pfik_ifp field is not provided by the kernel, it is always NULL.
    Do not check for it.

    This caused us to not clear the skip flag on interfaces, leading to
    unexpected behaviour when a 'set skip' was removed.

    PR:			280834
    Sponsored by:		Rubicon Communications, LLC ("Netgate")
    Differential Revision:	https://reviews.freebsd.org/D46311

 sbin/pfctl/pfctl.c               |  7 +----
 tests/sys/netpfil/pf/set_skip.sh | 61 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 6 deletions(-)
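A check for the symptom this thread describes, added here as an example and not code from the bug report, the attachment or the commit: it compares the interfaces a pf.conf still names in "set skip on" with the ones the kernel reports as "(skip)" in `pfctl -v -s Interfaces`, so a stale flag left behind by an affected pfctl shows up before anyone wonders why the new rules have no effect. The function names and the sample pf.conf and pfctl output are constructed for the example, modelled on the reporter's.

```shell
#!/bin/sh
# Added example: detect a stale pf "skip" flag of the kind reported above, by
# comparing the interfaces a pf.conf still names in "set skip on" with those
# the kernel reports as "(skip)" in `pfctl -v -s Interfaces` output.

# Interfaces named in active "set skip on" lines of pf.conf $1, one per line.
# Comments go first, so "#set skip on wg0" does not count; "{ lo0, wg0 }"
# lists are split into their members.
configured_skips() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on' \
      | sed -E 's/^[[:space:]]*set[[:space:]]+skip[[:space:]]+on//; s/[{},]/ /g' \
      | tr -s ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Interfaces marked "(skip)" in saved `pfctl -v -s Interfaces` output $1.
kernel_skips() {
    awk '$2 == "(skip)" { print $1 }' "$1" | sort -u
}

# Interfaces flagged in the kernel but absent from the config: the stale ones.
# On an affected pfctl these only go away with `pfctl -F all -f pf.conf`.
stale_skips() {
    want=$(configured_skips "$1")
    kernel_skips "$2" | while read -r ifname; do
        printf '%s\n' "$want" | grep -qx "$ifname" || printf '%s\n' "$ifname"
    done
}

# Constructed sample input mirroring the report: the wg0 skip was removed
# from the config, yet the kernel still flags wg0.
PF_CONF=$(mktemp); IFACES=$(mktemp)
trap 'rm -f "$PF_CONF" "$IFACES"' EXIT
cat > "$PF_CONF" <<'EOF'
## Don't filter on loopback interface
set skip on lo0
#set skip on wg0
EOF
cat > "$IFACES" <<'EOF'
No ALTQ support in kernel
all
lo
lo0 (skip)
vtnet0
wg
wg0 (skip)
EOF

stale_skips "$PF_CONF" "$IFACES"   # prints: wg0
```

On a live host, feed it the real /etc/pf.conf and the output of `pfctl -v -s Interfaces` saved to a file; any interface it prints still has the kernel flag the loaded ruleset no longer asks for.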