On Sun, Mar 24, 2019 at 09:51:13AM +0100, Denis Fondras wrote:
> On Sun, Mar 24, 2019 at 09:24:34AM +0100, Alexandr Nedvedicky wrote:
> > I think all the above calls for a new standalone option, which I named
> > 'Unconfigure'.  The patch below suggests unconfigure behavior for PF.
> > Doing 'pfctl -U' will bring PF back to its initial state (e.g. right before
> > pf.conf got processed during the system boot). In case of PF the proposed -U
> > will do following:
> >     - remove all rulesets and tables
> >     - remove all states and source nodes
> >     - remove all OS fingerprints
> >     - set all limits, timeouts and options to their defaults
> > 
> 
> Isn't -U pretty close to -Fall ?
> 

    it is, however -Fall operates on the main ruleset only. -Fall also does
    not reset limits and timeouts. Hence my first idea was to introduce
    '-FNuke', which kills all rulesets and tables.

    I don't want to change the behaviour of an existing option ('-Fall'), therefore
    I'm in favor of introducing a new option. Either '-FNuke' or '-U' works
    for me. I'm most concerned about flushing all rulesets.

    Also, making "pfctl -a '_1/_2' -Fr" remove PF 'private' rulesets works
    for me. Actually this is the most important thing I'd like to achieve.

sashan
