Bug 214613 - Reloading pf rules breaks connections on lo0
Summary: Reloading pf rules breaks connections on lo0
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.3-STABLE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-pf (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-11-17 21:21 UTC by longwitz
Modified: 2018-05-03 17:05 UTC (History)
CC: 2 users

See Also:


Attachments
patch against FreeBSD 10 Stable r308323 (2.27 KB, text/plain)
2016-11-17 21:21 UTC, longwitz

Description longwitz 2016-11-17 21:21:19 UTC
Created attachment 177126
patch against FreeBSD 10 Stable r308323

With the line "set skip on lo0" in /etc/pf.conf reloading the pf rules with "pfctl -f /etc/pf.conf" breaks any active running connections on lo0.

Example:
scp bigfile 127.0.0.1:/var/tmp/bigfile
bigfile                                34%  345MB  86.4MB/s   00:07 ETAF
ssh_packet_write_poll: Connection to 127.0.0.1 port 22: Permission denied
lost connection

This problem is long-standing and was discussed in
lists.freebsd.org/pipermail/freebsd-pf/2013-March/006961.html;
the attached patch is adapted from
lists.freebsd.org/pipermail/freebsd-pf/2013-April/006994.html.
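The reload described above, wrapped in a parse-only check before loading and a post-reload check that lo0 is still on pf's skip list. This is an added shell example, not the reporter's attached patch and not the FreeBSD commit; it assumes `pfctl -n -f` performs a parse-only check and that `pfctl -s Interfaces` appends " (skip)" to skipped interfaces. The interface listing it parses when pfctl is unavailable is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the bug report or the FreeBSD fix.
# Reload /etc/pf.conf only after a parse-only check succeeds, then confirm
# that lo0 is still flagged "(skip)" in the interface list pf reports.
#
# Assumption (labelled): "pfctl -s Interfaces" prints one interface per line
# and appends " (skip)" to interfaces on the skip list, e.g. "lo0 (skip)".

# Constructed sample of "pfctl -s Interfaces" output, used so the script
# can run offline on a host without pf.
SAMPLE_IFACES='all
em0
lo0 (skip)
pflog0'

# Returns 0 if the interface named in $1 is marked "(skip)" in the interface
# listing read from stdin, 1 otherwise.
iface_is_skipped() {
    awk -v want="$1" '$1 == want && $2 == "(skip)" { found = 1 }
                      END { exit(found ? 0 : 1) }'
}

# Reload $1 (default /etc/pf.conf): parse-only first (-n), then load, then
# verify that lo0 is still skipped. Returns 1 if lo0 is not skipped, 2 on
# a pfctl error.
safe_pf_reload() {
    conf="${1:-/etc/pf.conf}"
    pfctl -n -f "$conf" || { echo "parse error in $conf, not reloading" >&2; return 2; }
    pfctl -f "$conf" || return 2
    if pfctl -s Interfaces | iface_is_skipped lo0; then
        echo "lo0 is on the skip list after reload"
    else
        echo "WARNING: lo0 is NOT skipped after reload" >&2
        return 1
    fi
}

# Offline demonstration of the check on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_IFACES" | iface_is_skipped lo0 && echo "sample: lo0 skipped"
    printf '%s\n' "$SAMPLE_IFACES" | iface_is_skipped em0 || echo "sample: em0 not skipped"
}

# Only touch a live ruleset when pfctl exists and we are root; otherwise
# run the offline demonstration.
if command -v pfctl >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    safe_pf_reload "$@"
else
    demo
fi
```

Run as root on a pf host to reload and verify; anywhere else it exercises only the parsing of the sample listing. The parse-only step catches a broken pf.conf before anything is flushed, and the post-reload check makes a missing `set skip on lo0` visible immediately rather than when the next loopback connection dies.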
Comment 1 commit-hook 2018-04-28 13:17:21 UTC
A commit references this bug:

Author: kp
Date: Sat Apr 28 13:16:59 UTC 2018
New revision: 333084
URL: https://svnweb.freebsd.org/changeset/base/333084

Log:
  pfctl: Don't break connections on skipped interfaces on reload

  On reload we used to first flush everything, including the list of skipped
  interfaces.  This can lead to termination of these connections if they send
  packets before the new configuration is applied.

  Note that this doesn't currently happen on 12 or 11, because of special EACCES
  handling introduced in r315514. This special behaviour in tcp_output() may
  change, hence the fix in pfctl.

  PR:		214613

Changes:
  head/sbin/pfctl/pfctl.c
Comment 2 commit-hook 2018-05-02 20:15:42 UTC
A commit references this bug:

Author: kp
Date: Wed May  2 20:15:02 UTC 2018
New revision: 333181
URL: https://svnweb.freebsd.org/changeset/base/333181

Log:
  MFC r333084:

  pfctl: Don't break connections on skipped interfaces on reload

  On reload we used to first flush everything, including the list of skipped
  interfaces.  This can lead to termination of these connections if they send
  packets before the new configuration is applied.

  Note that this doesn't currently happen on 12 or 11, because of special EACCES
  handling introduced in r315514. This special behaviour in tcp_output() may
  change, hence the fix in pfctl.

  PR:		214613
  Submitted by:	Andreas Longwitz <longwitz at incore.de>

Changes:
_U  stable/11/
  stable/11/sbin/pfctl/pfctl.c
Comment 3 commit-hook 2018-05-02 22:36:40 UTC
A commit references this bug:

Author: kp
Date: Wed May  2 22:36:11 UTC 2018
New revision: 333187
URL: https://svnweb.freebsd.org/changeset/base/333187

Log:
  MFC r333084:

  pfctl: Don't break connections on skipped interfaces on reload

  On reload we used to first flush everything, including the list of skipped
  interfaces.  This can lead to termination of these connections if they send
  packets before the new configuration is applied.

  Note that this doesn't currently happen on 12 or 11, because of special EACCES
  handling introduced in r315514. This special behaviour in tcp_output() may
  change, hence the fix in pfctl.

  PR:		214613
  Submitted by:	Andreas Longwitz <longwitz at incore.de>

Changes:
_U  stable/10/
  stable/10/sbin/pfctl/pfctl.c