Bug #4087
Status: Closed
Rule reload doesn't update FQDN entries in pf tables
Description
pf tables can be populated from FQDNs through pfsense aliases. This is a very good feature for a number of reasons. The IP address(es) looked up from the FQDN are updated periodically, which is good.
However, the FQDNs are not re-evaluated and pf tables are not updated after applying changes to the aliases or filter rules, creating confusion when setting up rules. In connection with bug #4086, using FQDNs becomes impossible.
Re-evaluation of FQDNs and update of their IP addresses should happen as part of a rule reload. This would be the behaviour expected by the user.
Updated by Chris Buechler over 9 years ago
- Status changed from New to Rejected
Nor should they be. They're updated in the background by filterdns when the TTL expires. It's pointless to do another DNS lookup until the TTL expires, as you're just wasting cycles - it's going to be the same answer from DNS cache. If you need hostname changes to be quickly reflected with anything, you need a low TTL.
Updated by Volker Kuhlmann over 9 years ago
You have missed the problem. I am not interested in new DNS lookups.
The problem is that THE ENTRIES CORRESPONDING TO FQDNs IN ALIASES ARE ABSENT FROM pfctl -T show -t xyz. I want them to be in there immediately I apply a rule change, or not to be removed in the first place. I might have changed a rule in an area that has absolutely nothing to do with the alias that suddenly has most of its entries missing (silently, what's more). That's pretty useless as far as I am concerned.
Updated by Chris Buechler over 9 years ago
Oh, that's a bug with network-type aliases and FQDNs if you mix networks in with them. That's fixed in 2.2, there's a resolved ticket for that somewhere.
Updated by Volker Kuhlmann over 9 years ago
It occurred to me after turning the computer off well after midnight that you might have been referring to the "TTL" field for URL and URL-table type aliases (nifty feature but haven't yet used it). Perhaps call it "update period" instead?
I am having problems with FQDN in host and network type aliases. Apologies for overlooking that this could be a majorly relevant factor. I maintain current behaviour is a bug, thank you if it is fixed in 2.2. I didn't find that ticket.
Is there a way to force an update from the command line? Thanks.
Updated by Volker Kuhlmann over 9 years ago
Is there a way to run a command that does an update immediately?
filterdns is run as
/usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
and expects a config file as minimum argument.
However it always starts up a new instance that keeps running. Is it possible to tell it to terminate after one update iteration, or do I need to write a script that kills it after 10 seconds? Thanks.
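A check for the symptom described in this ticket (resolved alias addresses absent from `pfctl -t xyz -T show` after a reload), as an added example that is not from the ticket or from pfSense. It assumes a FreeBSD/pfSense host with pfctl and host(1); the table name and FQDNs on the command line are placeholders.

```shell
#!/bin/sh
# Added example: report FQDN-resolved addresses missing from a pf table.
# Assumptions (not from the ticket): POSIX sh, pfctl and host(1) available;
# table name and FQDNs are supplied by the caller as placeholders.

# missing_entries TABLE_DUMP EXPECTED
#   TABLE_DUMP: output of `pfctl -t <table> -T show` (one entry per line,
#               pfctl indents entries with leading spaces)
#   EXPECTED:   whitespace-separated addresses the FQDNs currently resolve to
# Prints each expected address not found in the table; returns 1 if any missing.
missing_entries() {
    table_dump="$1"
    expected="$2"
    rc=0
    for addr in $expected; do
        # strip pfctl's leading whitespace, then require an exact line match
        if ! printf '%s\n' "$table_dump" | sed 's/^[[:space:]]*//' \
             | grep -qxF -- "$addr"; then
            printf '%s\n' "$addr"
            rc=1
        fi
    done
    return $rc
}

# resolve_all FQDN...: A records via the system resolver, one address per line
resolve_all() {
    for fqdn in "$@"; do
        host -t A "$fqdn" 2>/dev/null | awk '/has address/ {print $NF}'
    done
}

# Live check, only when invoked with a table name and at least one FQDN:
#   sh check_alias.sh myalias www.example.com mail.example.com
if [ "$#" -ge 2 ]; then
    table="$1"; shift
    dump=$(pfctl -t "$table" -T show 2>/dev/null) \
        || { echo "pfctl failed for table $table" >&2; exit 2; }
    if missing=$(missing_entries "$dump" "$(resolve_all "$@")"); then
        echo "all resolved addresses present in table $table"
    else
        echo "addresses missing from table $table (reload may have dropped them):"
        echo "$missing"
        exit 1
    fi
fi
```

Run it right after applying a rule change; a non-empty list is the silent entry loss the ticket describes.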
Updated by Chris Buechler over 9 years ago
This isn't a place for such discussions, please post to the forum or list.
Updated by Volker Kuhlmann over 9 years ago
If you say so. Usually finding a workaround to a bug while the bug is being fixed is part of dealing with the bug.