On Tue, Apr 02, 2019 at 02:01:05PM +0200, Alexandr Nedvedicky wrote:
> I think Petr is right here. My patch requires yet another finishing touch:
Fair enough, but it should be noted that this somewhat changes behaviour
of the existing interface:
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
> index 40929d90530..032fdd08b57 100644
> --- a/sbin/pfctl/pfctl.c
> +++ b/sbin/pfctl/pfctl.c
> @@ -2267,6 +2267,8 @@ pfctl_reset(int dev, int opts)
>
> if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
> warn("%s, DIOCXCOMMIT", __func__);
> +
> + pfctl_clear_interface_flags(dev, opts);
Now this is done with `-F reset' and therefore `-F all'...
> }
>
> int
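Review bot: the new pfctl_clear_interface_flags(dev, opts) call at the end of pfctl_reset() runs even when the pfctl_trans(dev, &t, DIOCXCOMMIT, 0) directly above it failed and only warned, so a reset whose commit did not go through still clears the interface flags. If that is not intended, return after the warn() or make the call conditional on the commit succeeding; if it is intended, a one-line comment saying so would save the next reader the question.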
> @@ -2594,7 +2596,6 @@ main(int argc, char *argv[])
> pfctl_clear_src_nodes(dev, opts);
> pfctl_clear_stats(dev, ifaceopt, opts);
> pfctl_clear_fingerprints(dev, opts);
> - pfctl_clear_interface_flags(dev, opts);
Where previously, without being documented, only `-F all' would do so.
> pfctl_reset(dev, opts);
> }
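Review bot: documentation is missing for the behaviour that moves with this removal from main(): the diff touches only sbin/pfctl/pfctl.c, yet interface flags are now cleared through pfctl_reset() rather than only in this block. Suggest adding a manual page update to the same patch stating which flush modifiers clear interface flags. Note also that the clearing used to run before pfctl_reset() and now runs after its DIOCXCOMMIT; if that order matters, the commit message should mention it.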
I think that is fine in this particular case, but clearing things in
specific flush commands that were previously only touched by the `all'
hammer can be dangerous.