Messages - Flole

#1
With iptables you could use dynamic add and remove commands; I've done that before.

For your example you would have the rule creation engine do the splitting of those rules when generating the anchor files, so when it does the IPv6 anchor it goes through all rules, looks for every IPv6 or "IPv4 and IPv6" rule and then writes it as an IPv6-only rule in the anchor. Same for IPv4. As traffic can't be both, this would work, and as the order within the anchors is correct, which anchor comes first doesn't really matter then. However, once you want to split it even further it gets more complicated.
#2
It would not change the order of the rules: traffic can either be IPv4 or IPv6, so those rules can be split into two rules without effectively changing the order. Then you can split v4 and v6 again without affecting the order.

I know that iptables and nftables can do such a thing, but for pf I haven't found a way (yet).
#3
Development and Code Review / "Improve" rule reloading
November 15, 2019, 07:11:58 PM
Hello everyone,

I'm crossposting this here now, after there wasn't much discussion about it on the pfSense forum. I have been thinking about switching to OPNsense for a while now and this would definitely make me switch. Please forgive me if there is already "improved" rule reloading in effect.

I'm currently a pfSense user and I am having some issues due to filter reloads causing temporary packet loss on routed UDP. That made me think about a different approach in how pfSense/OPNsense handles rules, which might be able to solve/reduce this:

Would it be possible to use anchors for IPv4/IPv6 so that reloading the entire filter is not necessary? If an IPv6 gateway goes down, IPv4 will not be affected by that. Of course this doesn't solve this entirely, but it should make things better. Maybe it would be possible to go even further and use per-interface anchors to make the amount of rules that need reloading even smaller.

What do you guys think? Would this work? Would this be a valid approach? Would this help and would this be wanted?
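As an added illustration of the per-address-family anchor split proposed in post #3 and the generator logic sketched in post #1 (example code added here; it is not from OPNsense or pfSense and not the poster's own), the script below takes a constructed rule table, emits one `inet` and one `inet6` anchor that each keep the original relative rule order, and works out which anchor actually needs a `pfctl -a <anchor> -f <file>` reload when the rule set changes. The `Rule` model, the anchor names `inet`/`inet6` and the anchor directory path are assumptions for the example; per-interface splitting is left out, as the posts note it complicates ordering.

```python
"""Split a mixed IPv4/IPv6 pf rule list into per-address-family anchors.

Constructed model, not OPNsense's rule generator: each Rule carries an
address family of "inet", "inet6" or "any" (meaning both). A rule tagged
"any" is written into both anchors, so each anchor contains only rules of
one family, in the original order. A packet is either IPv4 or IPv6, so it
can only ever match rules in one anchor and first/last-match semantics
inside that anchor are unchanged.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FAMILIES = ("inet", "inet6")
ANCHOR_DIR = "/usr/local/etc/pf"  # placeholder path, not a real OPNsense location


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in", "out" or "" for both directions
    family: str                     # "inet", "inet6" or "any"
    body: str                       # everything after the af keyword, e.g. "proto tcp to port 22"
    interface: Optional[str] = None
    quick: bool = True

    def families(self):
        """Address families this rule applies to."""
        return FAMILIES if self.family == "any" else (self.family,)

    def render(self, af: str) -> str:
        """Render as a single-family pf rule line for anchor `af`."""
        parts = [self.action]
        if self.direction:
            parts.append(self.direction)
        if self.quick:
            parts.append("quick")
        if self.interface:
            parts += ["on", self.interface]
        parts.append(af)            # pf grammar: af follows the interface spec
        if self.body:
            parts.append(self.body)
        return " ".join(parts)


def build_anchors(rules: List[Rule]) -> Dict[str, List[str]]:
    """Return {anchor name: rule lines}; a single pass keeps order per family."""
    anchors: Dict[str, List[str]] = {af: [] for af in FAMILIES}
    for rule in rules:
        for af in rule.families():
            anchors[af].append(rule.render(af))
    return anchors


def anchor_files(rules: List[Rule], anchor_dir: str = ANCHOR_DIR) -> Dict[str, str]:
    """Map anchor file path -> file content, one file per address family."""
    return {f"{anchor_dir}/{af}.anchor": "\n".join(lines) + "\n"
            for af, lines in build_anchors(rules).items()}


def main_ruleset(anchor_dir: str = ANCHOR_DIR) -> str:
    """Main pf.conf fragment: an evaluation point plus load directive per anchor."""
    lines = []
    for af in FAMILIES:
        lines.append(f'anchor "{af}"')
        lines.append(f'load anchor "{af}" from "{anchor_dir}/{af}.anchor"')
    return "\n".join(lines) + "\n"


def anchors_to_reload(old_rules: List[Rule], new_rules: List[Rule]) -> List[str]:
    """Only anchors whose rendered content changed need `pfctl -a <af> -f <file>`."""
    old, new = build_anchors(old_rules), build_anchors(new_rules)
    return [af for af in FAMILIES if old[af] != new[af]]


def reload_commands(old_rules: List[Rule], new_rules: List[Rule],
                    anchor_dir: str = ANCHOR_DIR) -> List[str]:
    return [f"pfctl -a {af} -f {anchor_dir}/{af}.anchor"
            for af in anchors_to_reload(old_rules, new_rules)]


# Constructed sample rule table (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("block", "", "any", "all", quick=False),
    Rule("pass", "out", "any", "all keep state"),
    Rule("pass", "in", "inet", "proto tcp to port 22", interface="em0"),
    Rule("pass", "in", "inet6", "proto icmp6 all", interface="em0"),
    Rule("pass", "in", "any", "proto udp to port 53", interface="em1"),
]

if __name__ == "__main__":
    print(main_ruleset())
    for path, content in anchor_files(SAMPLE_RULES).items():
        print(f"# {path}\n{content}")
    # Simulate an IPv6-only change (e.g. the icmp6 rule dropped because its
    # gateway went away): only the inet6 anchor has to be reloaded.
    without_v6 = [r for r in SAMPLE_RULES if r.family != "inet6"]
    print("\n".join(reload_commands(SAMPLE_RULES, without_v6)))
```

Running the script prints the main ruleset fragment, both anchor files, and a single `pfctl -a inet6 -f .../inet6.anchor` line for the simulated IPv6-only change; the IPv4 anchor is untouched, which is exactly the isolation the thread is asking for.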