On Wed, 2 Jan 2008, Daniel Hartmeier wrote:
> pfctl -f /etc/pf.conf alone does precisely what you want: load the new ruleset, and when it is loaded successfully, switch the old and new rulesets, releasing the old one. It does this in an "atomic" operation, in between two packets being filtered. The first packet is still filtered by the full old ruleset, the second packet (and all subsequent packets, of course) by the full new ruleset.
Thanks so much for this tidbit...
> I don't know why people use the -Fr -f combination. Is it a left-over from IPFilter days? Were you assuming a -f alone would do something else? Like what, append the file, duplicating the rules? :)
I developed the flush then read config habit while using ipf and never bothered to dig into whether pf needed this or not. I don't even remember why I did it under ipf, but I seem to recall it was necessary.
I'm passing the above info on to all my pf-using friends. :)

Thanks,
Charles
> Daniel
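As an added illustration of the point above (not part of the original exchange): a small reload helper that relies on a single `pfctl -f` for the atomic ruleset swap, without a preceding `-Fr`. The `PFCTL` variable, the `pf_reload` function and the example config paths are assumptions for this example; `pfctl -n` (parse only, do not load) is a standard pfctl option. The parse check is what keeps a typo in pf.conf from leaving the host with no loaded ruleset: with `-Fr -f`, the flush succeeds before the load fails.

```shell
#!/bin/sh
# Reload a pf ruleset safely (example helper, not from the original mail):
#   1. parse-check the file with pfctl -n, touching nothing if it fails;
#   2. load it with a single pfctl -f, which swaps rulesets atomically.
# PFCTL can be overridden, e.g. to point at a wrapper; defaults to pfctl.
PFCTL="${PFCTL:-pfctl}"

pf_reload() {
    conf="${1:-/etc/pf.conf}"

    # -n: parse only, do not load. On a syntax error the currently
    # loaded ruleset is left untouched and we report failure.
    if ! "$PFCTL" -nf "$conf" >/dev/null 2>&1; then
        echo "pf_reload: $conf failed to parse; keeping current ruleset" >&2
        return 1
    fi

    # -f alone loads the new ruleset and switches to it between two
    # packets; no flush (-Fr) is needed, so there is never a window
    # with no rules loaded.
    "$PFCTL" -f "$conf"
}
```

Run as `pf_reload /etc/pf.conf` (or with no argument for the default path); a non-zero exit means the file did not parse and the running ruleset was not changed.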
