Hello everyone,
I'm crossposting this here now after on the pfsense forum there wasn't much discussion about it and I have been thinking about switching to opnsense for a while now and this would definitely make me switch. Please forgive me if there is already "improved" rule reloading in effect.
I'm currently a pfsense user and I am having some issues due to filter reloads causing temporary packet loss on routed UDP. That made me think about a different approach in how pfsense/opnsense handles rules that might be able to solve/reduce this:
Would it be possible to use anchors for IPv4/IPv6 so reloading the entire filter is not necessary, if an IPv6 Gateway goes down, IPv4 will not be affected by that. Of course this doesn't solve this entirely but it should make things better. Maybe it would be possible to go even further and use per-interface anchors to make the amounts of rules that need reloading even smaller.
What do you guys think? Would this work? Would this be a valid approach? Would this help and would this be wanted?
			
			
			
				It don't think that splitting v4 and v6 is a good idea since there are rules for v4+v6 as well and it would chnange the order of rules, so the semantic would change.
If I look at my Linux server, nftables can do an atomic replace of the ruleset. This is IMHO what PF should be able to do as well (use the old ruleset until the new one can fully replace it).
			
			
			
				It would not change the order of the rules, traffic can either be ipv4 or ipv6, so those rules can be split in 2 rules without changing the order effectively. Then you can split v4 and v6 again without affecting the order.
I know that iptables and nftables can do such a thing, but for pf I haven't found a way (yet).
			
			
			
				iptables cannot do that - you have to load the rules one by one. Nftables can replace them all in one call. This is one of the major advantages of nftables.
For your example:
V4
V4+V6
V6
V4
V4+V6
V6
This would not be possible to split into anchors if one is pass and the other one is deny and then pass again.
In the setup you describe, the rule would have to be split into two rules v6 and v4. 
			
			
			
				You could with iptables use dynamic add and remove commands, I've done that before.
For your example you would have the rule creation engine do the splitting of those rules when generating the anchor files, so when it does the ipv6 anchor it goes through all rules and looks for every ipv6 or "ipv4 and ipv6" rule and then writes it as a ipv6 only rule in the anchor. Same for IPv4. As traffic can't be both this would work and as the order within the anchors is correct, which anchor comes first doesn't really matter then. However, once you want to split it even further it gets more complicated.