Feature #16308
open
Avoid traffic stalls on unneeded rule reloads
100%
Description
Sometimes a filter reload takes place even when there hasn't been a configuration change to it. Most prominently this happens when schedules are used since this forces the filter to reload every 15 minutes. These filter reloads can result in short interruptions to traffic flow especially with very large pf configurations. To mitigate this behavior the filter sync process can be more deliberate about when the filter is reloaded, namely it should only do so when the pf configuration has changed.
There are multiple ways for the pf configuration to potentially change outside of the configuration file used by pfSense (/tmp/rules.debug). Rules can be loaded into anchors, there can be file includes, and table contents may be modified separately. Since currently all the configuration ultimately ends up in /tmp/rules.debug, then we can simply check for differences between the file, loaded ruleset in pf, and the new ruleset to be saved/loaded. Currently table contents are modified separately from the reload process and hence are not affected.
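One way to express the check described above, as an added example that is not pfSense's code or the referenced commit: reload only when the new ruleset differs from the file or when pf's loaded ruleset no longer matches what was last loaded. The function name, the state file and the PF_* overrides are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not pfSense code. Assumed names: sync_ruleset, the state file,
# and the PF_* overrides. Only the main ruleset is fingerprinted; anchors and
# table contents are out of scope here.

PF_SHOW=${PF_SHOW:-"pfctl -sr"}    # print the ruleset currently loaded in pf
PF_CHECK=${PF_CHECK:-"pfctl -nf"}  # parse a ruleset file without loading it
PF_LOAD=${PF_LOAD:-"pfctl -f"}     # load a ruleset file into pf

# cksum is used for change detection only, not as an integrity control.
loaded_fingerprint() { $PF_SHOW 2>/dev/null | cksum; }

# sync_ruleset NEW CURRENT STATE
#   NEW     freshly generated ruleset
#   CURRENT ruleset file from the last load (e.g. /tmp/rules.debug)
#   STATE   fingerprint of pf's loaded ruleset recorded after the last load
# Prints skipped, reloaded, rejected or failed.
sync_ruleset() {
    new=$1 current=$2 state=$3

    # Skip only if the new ruleset equals the file AND pf still holds what
    # was loaded from that file (no out-of-band change to the live ruleset).
    if [ -f "$current" ] && cmp -s "$new" "$current" &&
       [ -f "$state" ] && [ "$(loaded_fingerprint)" = "$(cat "$state")" ]; then
        echo skipped
        return 0
    fi

    # Validate first so a broken candidate never replaces the working file.
    if ! $PF_CHECK "$new" >/dev/null 2>&1; then
        echo rejected
        return 1
    fi

    if cp "$new" "$current" && $PF_LOAD "$current" >/dev/null 2>&1; then
        loaded_fingerprint > "$state"
        echo reloaded
    else
        rm -f "$state"   # force a reload on the next run
        echo failed
        return 1
    fi
}

# Usage: sh sync.sh NEW CURRENT STATE
if [ "$#" -eq 3 ]; then sync_ruleset "$@"; fi
```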
Updated by Marcos M 25 days ago
Implemented with d8f4932a4d91794c76a02c2fb0a8209a92fa478b.