dynamicnet
Sep 24 2008, 01:03 PM
Greetings:
in /etc/cron.d
refresh.apf -> /etc/apf/internals/cron.refresh
cat /etc/apf/internals/cron.refresh
MAILTO=
SHELL=/bin/bash
*/10 * * * * root /etc/apf/apf --refresh >> /dev/null 2>&1 &
Does the refresh in APF turn off iptables or otherwise interfere with blocked ip addresses?
Meaning, if an IP is blocked, and the refresh takes place, if the IP is constantly trying to get in, can it get in during a refresh?
Thank you.
rfxn
Dec 12 2008, 12:27 AM
There is indeed a brief window in which one can get packets through the firewall during a refresh, this however is a very small window and any persistent connections established would immediately be terminated/timed out when the rules complete loading. This is however also why the drop rules are auto trimmed by default to the last 150 entries, making it even more of a race condition to take advantage of as the drop rules reload typically in under 1s.
On a random server, with a mix of hostnames and ip addresses banned in deny_hosts, a total of 134 drop rules - the refresh function completes in less than 1 second:
real 0m0.540s
user 0m0.145s
sys 0m0.399s
I will however review the appropriate functions and see if I can come up with a method of improving this. At a glance, I could add the existing drop rules to a temporary chain rule, then drop the standard trust rule chains, repopulate them with updated rules, then drop the temporary chain containing the old drop rules as the last step; this would inherently keep any existing bans from having an opportunity at penetrating the firewall.
rfxn
Dec 12 2008, 12:53 AM
Done.
[Change] refresh function now stores old rules in temporary chain while new
rules load, temporary chain is cleared upon completion of function
and up in the release version of APF.
dynamicnet
Dec 19 2008, 09:17 PM
Greetings Ryan:
Awesome news; thank you very much.
I will try to get some updates done this weekend.
May you and your family have a Merry Christmas and a Happy New Year.