Bug #4087
closed
Rule reload doesn't update FQDN entries in pf tables
Added by Volker Kuhlmann over 9 years ago.
Updated over 9 years ago.
Affected Architecture: amd64
Description
pf tables can be populated from FQDNs through pfsense aliases. This is a very good feature for a number of reasons. The IP address(es) looked up from the FQDN are updated periodically, which is good.
However, the FQDNs are not re-evaluated and pf tables are not updated after applying changes to the aliases or filter rules, creating confusion when setting up rules. In connection with bug #4086, using FQDNs becomes impossible.
Re-evaluation of FQDNs and update of their IP addresses should happen as part of a rule reload. This would be the behaviour expected by the user.
- Status changed from New to Rejected
Nor should they be. They're updated in the background by filterdns when the TTL expires. It's pointless to do another DNS lookup until the TTL expires, as you're just wasting cycles - it's going to be the same answer from DNS cache. If you need hostname changes to be quickly reflected with anything, you need a low TTL.
You have missed the problem. I am not interested in new DNS lookups.
The problem is that THE ENTRIES CORRESPONDING TO FQDNs IN ALIASES ARE ABSENT FROM pfctl -T show -t xyz. I want them to be in there immediately after I apply a rule change, or not to be removed in the first place. I might have changed a rule in an area that has absolutely nothing to do with the alias that suddenly has most of its entries missing (silently, what's more). That's pretty useless as far as I am concerned.
Oh, that's a bug with network-type aliases and FQDNs if you mix networks in with them. That's fixed in 2.2, there's a resolved ticket for that somewhere.
It occurred to me after turning the computer off well after midnight that you might have been referring to the "TTL" field for URL and URL-table type aliases (nifty feature but haven't yet used it). Perhaps call it "update period" instead?
I am having problems with FQDN in host and network type aliases. Apologies for overlooking that this could be a majorly relevant factor. I maintain current behaviour is a bug, thank you if it is fixed in 2.2. I didn't find that ticket.
Is there a way to force an update from the command line? Thanks.
Is there a way to run a command that does an update immediately?
filterdns is run as
/usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
and expects a config file as a minimum argument.
However it always starts up a new instance that keeps running. Is it possible to tell it to terminate after one update iteration, or do I need to write a script that kills it after 10 seconds? Thanks.
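A script for the one-shot approach asked about above, added here as an example and not part of the ticket or of pfSense's own tooling: it starts filterdns with the quoted command line but its own pid file, stops it after a few seconds via that pid file, and lists which addresses the pass added to a pf table. It assumes filterdns keeps running until killed and records its pid in the -p file; FILTERDNS and PFCTL are hypothetical overrides so the functions can be exercised with stand-ins off the firewall.

```shell
#!/bin/sh
# Added example (not from the bug report): run filterdns for a single update
# pass, stop it, and show what the pass added to a pf table.
# Assumptions: filterdns records its pid in the -p file and keeps running
# until killed; config path and flags are the ones quoted in the ticket.
FILTERDNS="${FILTERDNS:-/usr/local/sbin/filterdns}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Start filterdns with a private pid file, wait SECS for one update pass, then
# terminate it using the pid it recorded (falling back to the shell's
# background pid if the file was never written). Prints the pid it stopped.
filterdns_oneshot() {
    conf=$1; pidfile=$2; secs=${3:-10}
    "$FILTERDNS" -p "$pidfile" -i 300 -c "$conf" -d 1 >/dev/null 2>&1 &
    bgpid=$!
    sleep "$secs"
    if [ -s "$pidfile" ]; then
        pid=$(cat "$pidfile")
    else
        pid=$bgpid
    fi
    kill "$pid" 2>/dev/null || return 1
    rm -f "$pidfile"
    echo "$pid"
}

# Dump a pf table one address per line, whitespace stripped and sorted, so
# two dumps can be compared with comm(1).
pf_table_dump() {
    "$PFCTL" -T show -t "$1" | tr -d ' \t' | sort
}

# Addresses present in the second dump but not in the first.
table_added() {
    comm -13 "$1" "$2"
}

# On the firewall: refresh_table <alias/table name> prints the addresses the
# one-shot pass put into the table.
refresh_table() {
    table=$1
    before=$(mktemp); after=$(mktemp)
    pf_table_dump "$table" > "$before"
    filterdns_oneshot /var/etc/filterdns.conf /tmp/filterdns-oneshot.pid 10 >/dev/null || return 1
    pf_table_dump "$table" > "$after"
    table_added "$before" "$after"
    rm -f "$before" "$after"
}
```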
This isn't a place for such discussions, please post to the forum or list.
If you say so. Usually finding a workaround to a bug while the bug is being fixed is part of dealing with the bug.
There is no bug here, that's why.