On 2019/03/26 09:38, Alexandr Nedvedicky wrote:
> On Mon, Mar 25, 2019 at 10:28:40PM -0400, Ted Unangst wrote:
> > Alexandr Nedvedicky wrote:
> > > it is, however -Fall operates on main ruleset only. -Fall also does
> > > not reset limits and timeouts. Hence my first idea was to introduce
> > > '-FNuke', which kills all rulesets and tables.
> > >
> > > I don't want to change behaviour of existing option ('-Fall'),
> > > therefore I'm in favor of introducing a new option. Either '-FNuke'
> > > or '-U' works for me. I'm the most concerned about flushing all
> > > rulesets.
> >
> > Is the existing behavior intentional or an oversight? I don't know when I
> > would want to use -Fall, but keep the old timeouts, and depend on that. I'd
> > guess most people using -Fall are keeping old timeouts only by happenstance,
> > and not because they desire that.
>
> I had a similar question on my mind when I came to PF for the first time.
> My expectation about '-Fall' was that the option removes all rules (and
> tables) from the kernel module. But that is not the case: it acts on the
> main ruleset only. Given that '-Fall' has worked like that for ages, I see
> changing '-Fall' to remove all rules as disturbing (hence I'm in favor of
> introducing a new option). On the other hand, if there is consensus to fix
> '-Fall' so it removes all rules (not just the main ruleset), then we can
> forget about '-U'.
>
> With '-Fall' changed, we can further fix pfctl. The proposed '-U' will
> be achieved by a combination of various '-F' modifiers:
>
>     pfctl -FA -FS -Fs -Freset
>
> The command above should revert PF driver state back to initial.
>
> > In any case, if you're seeking input on the name, something like -Freset
> > says to me that it resets pf back to its initial state.
>
> I like '-Freset' to reset all PF settings (variables modified by 'set')
> back to defaults.
>
> So how do people feel about changing '-Fa' to kill all rules and tables,
> not just those which are attached to the main ruleset (root)?
>
> thanks and
> regards
> sashan
IMHO this is a needed feature, but I agree with your hesitation about using
-Fa. This would be convenient to type, but the current documentation for
pfctl -a says:

  "In addition to the main ruleset, pfctl can load and manipulate additional
  rulesets by name, called anchors. The main ruleset is the default anchor."

The wording is slightly awkward but I read this as saying the current
behaviour is intended.

There's an obvious alternative user interface for this. Currently -a '*' is
only described in conjunction with -s, but it would feel natural to allow
this to be used with -F as well, e.g.

  # pfctl -a '*' -Fa
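Until something like '-FNuke' or "-a '*' -Fa" exists, the effect the thread asks for can be approximated with flags pfctl already has. The script below is an added example written for this page; it is not code from the thread, from pfctl or from OpenBSD. It assumes only documented pfctl behaviour: "pfctl -sA -v" lists anchors recursively, two-space indented, and "-a <anchor>" applies "-Fr" / "-Ft" to that anchor's rules and tables. The anchor names in the sample input are constructed, and the function name anchor_flush_commands is the example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from pfctl
# itself.  It emulates the proposed "flush every ruleset" with flags pfctl
# already has: "-Fa" touches the main ruleset only, so the anchors are
# enumerated with "pfctl -sA -v" (recursive anchor listing) and each one
# gets "pfctl -a <anchor> -Fr" and "-Ft".  The proposed '-FNuke', '-Freset'
# and "-a '*' -F..." are not used.  Limits and timeouts are left untouched,
# exactly as the thread says '-Fall' leaves them.

# Constructed stand-in for "pfctl -sA -v" output: one anchor path per line,
# indented by two spaces.  These anchor names are made up for the example.
SAMPLE_ANCHORS='  relayd
  relayd/www
  sshguard
'

# Read "pfctl -sA -v" style output on stdin, print one pfctl command per
# line.  Deeper anchors are listed before their parents so a child ruleset
# is emptied before the parent's "anchor" rule referencing it is flushed.
anchor_flush_commands() {
    sed -e 's/^[[:space:]]*//' -e '/^$/d' |
    LC_ALL=C sort -r |
    while IFS= read -r a; do
        # Single-quote the anchor path for the shell; embed any literal
        # single quote as '\'' so odd anchor names cannot break the command.
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        printf "pfctl -a '%s' -Fr\n" "$q"   # rules in that anchor
        printf "pfctl -a '%s' -Ft\n" "$q"   # tables defined in that anchor
    done
    # Last, the main ruleset: this is the existing '-Fall' behaviour.
    printf 'pfctl -Fa\n'
}

# Dry run on the constructed sample: prints the commands, executes nothing.
printf '%s' "$SAMPLE_ANCHORS" | anchor_flush_commands

# On a live PF host, as root, the same pipeline driven by real pfctl output:
#   pfctl -sA -v | anchor_flush_commands | sh
```

The dry run prints the command list rather than executing it, so it can be reviewed before being piped into sh on a real firewall. Note what it deliberately does not do: nothing here resets 'set limit' or 'set timeout' values, which is the gap the proposed '-Freset' is meant to close.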