[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Optimizing rules.

On Sun, Dec 08, 2002 at 07:43:37PM -0300, Alejandro G. Belluscio wrote:
> Actually, I don't have such a huge ruleset, but was worried about the
> time pf has no rules (-Fa) to when it actually loads them. BTW, does
> it starts to filter with the rules coming or waits for the whole
> thing? I'm thinking here when you have somenone doing some kind of
> attack on some resource and you want to ban that IP. Until today (now
> we have anchor points) you should either risk that seconds of
> reloading of stop forwarding pakets, load, forward again. Isn't a two
> rule set system, like ipf desirable for this situations?
The kernel already has two rule sets, the active one and an inactive
one. When you load a (potentially large) rule set with pfctl -f, pfctl
calls one ioctl to get a lock on the inactive rule set, which is then
cleared. Then pfctl adds the rules one by one through individual ioctls.
This can take a couple of seconds, if there are many rules. During all
of this time, the previous rule set is still unchanged and active,
nothing passes unfiltered because pfctl is adding to the inactive rule
set. After the last new rule has been added, pfctl issues a final ioctl
to atomically switch the active and inactive rule sets, thereby
activating the newly loaded rule set.
Any packet that passes through the firewall is either filtered fully by
the old rule set, or fully by the new one. Reloading the rule set does
not interrupt forwarding or pass packets unfiltered.