Bug 86752

Summary: [pf] pf does not use default timeouts when reloading config file
Product: Base System
Reporter: Vladimir Kotal <vlada>
Component: kern
Assignee: freebsd-pf (Nobody) <pf>
Status: Closed FIXED
Severity: Affects Only Me
CC: cmb, kp
Priority: Normal
Version: 5.4-RELEASE
Hardware: Any
OS: Any

Description Vladimir Kotal 2005-09-30 10:40:15 UTC
      After setting custom timeout values in pf.conf and reloading the config, and then commenting out/deleting the lines with the timeout settings, the settings remain set.

How-To-Repeat: 1. set a timeout value, e.g. by using the following pf.conf line:
   set timeout tcp.closed 60
2. display timeout setting via 'pfctl -s timeout | grep tcp.closed'
3. reload pf configuration via 'pfctl -f /etc/pf.conf'
4. remove or comment out the line set in step 1
5. reload pf configuration
6. display tcp.closed timeout (as in step 2)

expected behavior:
after step 6, tcp.closed timeout should be set to default value
(as seen in step 2)
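The reproduction steps above as a script. This is an added example, not part of the bug report, of pfctl or of the attached patch: it runs steps 1 to 6 against a scratch copy of /etc/pf.conf, parses `pfctl -s timeout` for the named timeout, and reports whether the default came back after the custom line was removed. It assumes a FreeBSD host with pf enabled, root privileges, and that the timeout is written in the single-line `set timeout NAME SECONDS` form (the `{ ... }` list form is not handled). The custom line is prepended rather than appended because pf.conf requires options to precede rules. The script name and the `run` argument are the example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the bug report): automates the How-To-Repeat
# steps above. Assumes FreeBSD with pf enabled and root privileges.
# Usage: sh pf-timeout-repro.sh run [timeout-name] [custom-seconds]

# Print the value in seconds (trailing "s" stripped) of one timeout name
# from `pfctl -s timeout` output read on stdin; prints nothing if absent.
timeout_value() {
    awk -v name="$1" '$1 == name { sub(/s$/, "", $2); print $2; exit }'
}

# Classify step 6: the value seen after the custom line was removed ($2),
# against the default recorded in step 2 ($1).
verdict() {
    if [ "$2" = "$1" ]; then echo fixed; else echo "bug present"; fi
}

# Reload CONF and check that NAME now reads EXPECTED seconds.
# Returns 0 on match, 1 on mismatch, 2 if pfctl refused the file.
check_after_reload() {
    conf=$1 name=$2 expected=$3
    pfctl -f "$conf" >/dev/null 2>&1 || return 2
    [ "$(pfctl -s timeout | timeout_value "$name")" = "$expected" ]
}

# Steps 1-6 against a scratch copy of the live pf.conf; the original
# ruleset is reloaded on exit so the host is left as it was found.
reproduce() {
    name=${1:-tcp.closed} custom=${2:-60} base=/etc/pf.conf
    tmp=$(mktemp /tmp/pfrepro.XXXXXX) || return 2
    trap 'rm -f "$tmp" "$tmp.new"; pfctl -f "$base" >/dev/null 2>&1' EXIT

    # Baseline (step 2): a config with no setting for this timeout.
    grep -v "^set timeout $name " "$base" > "$tmp"
    pfctl -f "$tmp" >/dev/null 2>&1 || { echo "cannot load $tmp"; return 2; }
    default=$(pfctl -s timeout | timeout_value "$name")
    echo "step 2: $name = ${default}s (default)"

    # Steps 1 and 3: add the custom value and reload. Options must precede
    # rules in pf.conf, so the line is prepended, not appended.
    { printf 'set timeout %s %s\n' "$name" "$custom"; cat "$tmp"; } > "$tmp.new"
    mv "$tmp.new" "$tmp"
    check_after_reload "$tmp" "$name" "$custom" \
        || { echo "custom value $custom was not applied"; return 2; }
    echo "step 3: $name = ${custom}s (custom)"

    # Steps 4-6: drop the line, reload, and see what pf reports now.
    grep -v "^set timeout $name " "$tmp" > "$tmp.new"
    mv "$tmp.new" "$tmp"
    pfctl -f "$tmp" >/dev/null 2>&1 || { echo "cannot reload $tmp"; return 2; }
    after=$(pfctl -s timeout | timeout_value "$name")
    echo "step 6: $name = ${after}s -> $(verdict "$default" "$after")"
    [ "$after" = "$default" ]
}

# Nothing touches pf unless the script is invoked with "run", so the
# parsing helpers can be exercised on a host without pf.
if [ "${1:-}" = run ]; then
    reproduce "$2" "$3"
fi
```

Exit status 0 means the default was restored (the behaviour the reporter expects), 1 means the custom value stuck (the bug), 2 means pfctl rejected the scratch file and nothing can be concluded.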
Comment 1 Vladimir Kotal 2005-10-04 19:38:10 UTC
This problem can be fixed by applying the following patch:
   http://techie.devnull.cz/public/patches/pfctl-timeout.patch

which makes the behavior of options consistent with the behavior of rules
(within pf.conf).

This means that global timeout settings will be applied only when the
ruleset is parsed successfully (which is not happening in the current pf
implementation) and also that when lines with global timeout settings (or
optimization lines) are removed, the default timeout settings are restored
(also not happening in the current pf implementation).
Comment 2 Tilman Keskinoz freebsd_committer freebsd_triage 2005-10-05 19:01:32 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-pf

Over to the pf mailing list
Comment 3 Max Laier 2005-10-09 02:07:30 UTC
This problem has been addressed in OpenBSD in a clean fashion by the following
commit:
http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c#rev1.231

I will look at bringing this back into RELENG_6 after importing OpenBSD 3.8 to 
HEAD.  Meanwhile, as this is not a critical problem, I'd like to avoid 
creating large diffs against the vendor branch.

Thanks for the report.

-- 
  Max
Comment 4 mlaier freebsd_committer freebsd_triage 2005-10-09 02:11:24 UTC
State Changed
From-To: open->analyzed

Import OpenBSD's solution later. 


Comment 5 mlaier freebsd_committer freebsd_triage 2005-10-09 02:11:24 UTC
Responsible Changed
From-To: freebsd-pf->mlaier

Over to my TODO stack.
Comment 6 Mark Linimon freebsd_committer freebsd_triage 2013-07-03 01:50:32 UTC
State Changed
From-To: analyzed->analyzed

commit bit has been taken in for safekeeping. 


Comment 7 Mark Linimon freebsd_committer freebsd_triage 2013-07-03 01:50:32 UTC
Responsible Changed
From-To: mlaier->freebsd-pf
Comment 8 cmb 2015-12-12 05:04:00 UTC
This was fixed some time ago and should be closed.

Starting at default timeouts (none specified in pf.conf). 
# pfctl -s timeout|grep tcp.closed
tcp.closed                   90s

Add "set timeout tcp.closed 60" to pf.conf and reload it. 
# pfctl -s timeout|grep tcp.closed
tcp.closed                   60s

Then remove that line from pf.conf and 'pfctl -f /etc/pf.conf' and you're back to the default. 
# pfctl -s timeout|grep tcp.closed
tcp.closed                   90s
Comment 9 Kristof Provost freebsd_committer freebsd_triage 2015-12-12 11:56:15 UTC
Closing based on the report in comment #8.
mlaier@ imported the openbsd fix back in r145840.