On Mon, Mar 25, 2019 at 10:28:40PM -0400, Ted Unangst wrote:
> Alexandr Nedvedicky wrote:
> > it is, however -Fall operates on main ruleset only. -Fall also does
> > not reset limits and timeouts. Hence my first idea was to introduce
> > '-FNuke', which kills all rulesets and tables.
> >
> > I don't want to change behaviour of existing option ('-Fall'), therefore
> > I'm in favor of introducing a new option. Either '-FNuke' or '-U' works
> > for me. I'm the most concerned about flushing all rulesets.
>
> Is the existing behavior intentional or an oversight? I don't know when I
> would want to use -Fall, but keep the old timeouts, and depend on that. I'd
> guess most people using -Fall are keeping old timeouts only by happenstance,
> and not because they desire that.
I had a similar question on my mind when I came to PF for the first time.
My expectation about '-Fall' was that the option removes all rules (and
tables) from the kernel module. But that is not the case: it acts on the main
ruleset only. Given that '-Fall' has worked like that for ages, I see changing
'-Fall' to remove all rules as disturbing (hence I'm in favor of introducing a
new option).

On the other hand, if there is consensus to fix '-Fall' so that it removes all
rules (not just the main ruleset), then we can forget about '-U'. With '-Fall'
changed, we can further fix pfctl. The proposed '-U' would be achieved by a
combination of various '-F' modifiers:

    pfctl -FA -FS -Fs -Freset

The command above should revert the PF driver state back to initial.

> In any case, if you're seeking input on the name, something like -Freset says
> to me that it resets pf back to its initial state.

I like '-Freset' to reset all PF settings (variables modified by 'set') back
to defaults.

So how do people feel about changing '-Fa' to kill all rules and tables, not
just those which are attached to the main ruleset (root)?

thanks and regards
sashan