On Sun, Dec 08, 2002 at 07:43:37PM -0300, Alejandro G. Belluscio wrote:
> Actually, I don't have such a huge ruleset, but was worried about the
> time pf has no rules (-Fa) to when it actually loads them. BTW, does
> it start to filter with the rules coming or wait for the whole
> thing? I'm thinking here when you have someone doing some kind of
> attack on some resource and you want to ban that IP. Until today (now
> we have anchor points) you should either risk those seconds of
> reloading or stop forwarding packets, load, forward again. Isn't a two
> rule set system, like ipf, desirable for these situations?
The kernel already has two rule sets, the active one and an inactive one. When you load a (potentially large) rule set with pfctl -f, pfctl calls one ioctl to get a lock on the inactive rule set, which is then cleared. Then pfctl adds the rules one by one through individual ioctls. This can take a couple of seconds, if there are many rules. During all of this time, the previous rule set is still unchanged and active; nothing passes unfiltered, because pfctl is adding to the inactive rule set.

After the last new rule has been added, pfctl issues a final ioctl to atomically switch the active and inactive rule sets, thereby activating the newly loaded rule set. Any packet that passes through the firewall is either filtered fully by the old rule set, or fully by the new one. Reloading the rule set does not interrupt forwarding or pass packets unfiltered.

Daniel
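The following is an added illustration of the two-rule-set mechanism Daniel describes; it is a constructed model, not pf's code or pfctl's. It contrasts the pattern Alejandro worried about (flush the live rules with -Fa, then add the new ones to the live set) with the begin / add / commit sequence pfctl actually uses, by evaluating a probe packet after every step of each reload. Rule semantics follow pf's defaults (last matching rule wins; a packet that matches no rule is passed). The rule sets, the addresses (RFC 5737 documentation ranges) and the ticket check are all assumptions made for the example.

```python
"""Model of the active/inactive rule set reload described in the thread.
Constructed example: rules, addresses and the ticket scheme are assumptions,
not pf's or pfctl's real data structures or ioctl interface."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                                   # "pass" or "block"
    src: Optional[ipaddress.IPv4Network] = None   # None means "from any"

    def matches(self, src_ip: ipaddress.IPv4Address) -> bool:
        return self.src is None or src_ip in self.src


def rule(action: str, src: Optional[str] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src) if src else None)


class Firewall:
    """Two rule sets: the active one filters packets, the inactive one is
    the staging area a loader fills before an atomic switch."""

    def __init__(self, rules: List[Rule]):
        self.active: List[Rule] = list(rules)
        self.inactive: List[Rule] = []
        self._ticket = 0            # handed out by begin(); guards the inactive set
        self._open: Optional[int] = None

    def evaluate(self, src: str) -> str:
        ip = ipaddress.ip_address(src)
        verdict = "pass"            # pf default when no rule matches
        for r in self.active:       # last matching rule wins
            if r.matches(ip):
                verdict = r.action
        return verdict

    # Unsafe pattern: flush the live set, then add rules to it one by one.
    def reload_flush_then_add(self, rules: List[Rule], probe: str) -> List[str]:
        seen = []
        self.active.clear()         # window in which no rule exists at all
        seen.append(self.evaluate(probe))
        for r in rules:
            self.active.append(r)
            seen.append(self.evaluate(probe))
        return seen

    # Atomic pattern: lock and clear the inactive set, fill it, then switch.
    def begin(self) -> int:
        self._ticket += 1
        self._open = self._ticket
        self.inactive = []
        return self._ticket

    def add_rule(self, ticket: int, r: Rule) -> None:
        if ticket != self._open:
            raise PermissionError("stale or missing ticket")
        self.inactive.append(r)

    def commit(self, ticket: int) -> None:
        if ticket != self._open:
            raise PermissionError("stale or missing ticket")
        # The switch itself: the old set stays in force until this instant.
        self.active, self.inactive = self.inactive, self.active
        self._open = None

    def reload_atomic(self, rules: List[Rule], probe: str) -> List[str]:
        seen = []
        ticket = self.begin()
        seen.append(self.evaluate(probe))
        for r in rules:
            self.add_rule(ticket, r)
            seen.append(self.evaluate(probe))   # still judged by the old set
        self.commit(ticket)
        seen.append(self.evaluate(probe))       # now judged by the new set
        return seen


# Constructed rule sets: the new set bans one host inside the permitted network.
OLD_RULES = [rule("block"), rule("pass", "198.51.100.0/24")]
NEW_RULES = OLD_RULES + [rule("block", "198.51.100.7/32")]
PROBES = ["203.0.113.9",      # outsider: blocked by both sets
          "198.51.100.7"]     # host being banned: passed by old, blocked by new


def compare() -> Dict[str, Dict[str, List[str]]]:
    """Verdict seen by each probe after every step of both reload styles."""
    return {
        "flush_then_add": {p: Firewall(OLD_RULES).reload_flush_then_add(NEW_RULES, p)
                           for p in PROBES},
        "atomic": {p: Firewall(OLD_RULES).reload_atomic(NEW_RULES, p)
                   for p in PROBES},
    }


if __name__ == "__main__":
    for style, results in compare().items():
        for probe, verdicts in results.items():
            print(f"{style:15s} {probe:14s} {' -> '.join(verdicts)}")
```

In the flush-then-add run the outsider's first verdict is "pass": for one step the live set is empty and pf's default applies, which is exactly the unfiltered window the question was about. In the atomic run every probe keeps its old verdict through all the add steps and changes only at the commit, so no packet is ever judged by a partial set.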
