Bridging again
Gergo Szakal
bastyaelvtars at gmail.com
Tue Sep 26 13:55:54 PDT 2006
I think I fixed it. Here is the relevant config piece:
-------------------------------------------------------------------------
int_if=sk1
ext_if=sk0
tcp_opts="flags S/SA modulate state"
# omitting previously mentioned config options
# default block policy
block in log all
block out log all
# we just don't give a fuck here:
pass quick on {$int_if,lo0,bridge0} all
######################
# outbound 'filtering'
######################
pass in log quick on $ext_if proto tcp from <intnet> to any keep state
pass in log quick on $ext_if proto udp from <intnet> to any keep state
########################
# inbound ports' opening
########################
# ssh
pass out log quick on $ext_if proto tcp from any to <intnet> port 22 keep state
-------------------------------------------------------------------------
This test config works. What were the errors?
- it does not like the merged $tcp_opts somehow
- the directions are reversed somehow, I can recall having the same
issues with OpenBSD 3.7. Need to physically (cables) or logically (pf
and rc.conf) reverse the directions. :-)
I think both issues are caused by having an outdated pf in DF. I know
it's in the works, so please do not consider this as a demanding statement.
Thanks for the hints, guys. Good ol' RTFM helped me, so did 'tcpdump
-nettt -i pflog0'.
:-)
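Since the post credits 'tcpdump -nettt -i pflog0' with finding the reversed directions, here is an added example (not part of the original message or of DragonFly's pf) that does that check mechanically: it parses the rule/action/direction/interface prefix that tcpdump's pflog printer emits with -e, tallies what pf blocked and passed per interface and direction, and flags records that contradict the $int_if/$ext_if labelling on a bridge. The line format, the interface names sk0/sk1, the <intnet> range 192.168.1.0/24 and the sample capture are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Summarise 'tcpdump -nettt -i pflog0' output to spot mis-labelled bridge interfaces.

Added example, not code from the original post.  Assumes the pflog line shape
"... rule N/M(reason): ACTION DIR on IFACE: SRC.PORT > DST.PORT: ..." that
tcpdump's pflog printer emits with -e; the capture below is constructed.
"""
import ipaddress
import re
from collections import Counter

INT_IF = "sk1"   # $int_if in the post
EXT_IF = "sk0"   # $ext_if in the post
INTNET = ipaddress.ip_network("192.168.1.0/24")  # assumed contents of <intnet>

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)

# Constructed sample, not a real capture: a LAN host (192.168.1.10) talking to the
# outside, the reply, one SSH connection from outside, and one non-pflog line.
SAMPLE_PFLOG = """\
1159300501.123456 rule 0/0(match): block in on sk0: 192.168.1.10.51234 > 10.0.0.5.80: S 1:1(0) win 65535
1159300501.234567 rule 0/0(match): block in on sk0: 192.168.1.10.51235 > 10.0.0.5.443: S 1:1(0) win 65535
1159300502.000001 rule 1/0(match): block out on sk0: 10.0.0.5.80 > 192.168.1.10.51234: S 9:9(0) ack 2 win 5840
1159300503.000002 rule 4/0(match): pass in on sk0: 203.0.113.7.40000 > 192.168.1.10.22: S 5:5(0) win 5840
1159300504.000003 rule 2/0(match): block in on sk1: 203.0.113.8.40001 > 192.168.1.10.22: S 6:6(0) win 5840
garbage line that is not a pflog record
"""


def parse_pflog_line(line):
    """Return a dict for one pflog record, or None for lines that do not match."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec


def summarize(text):
    """Parse all lines; return (records, Counter keyed by (action, dir, iface))."""
    records = [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]
    counts = Counter((r["action"], r["dir"], r["iface"]) for r in records)
    return records, counts


def suspicious_direction(records, int_if=INT_IF, ext_if=EXT_IF, intnet=INTNET):
    """Return records whose interface/direction contradicts the labelling.

    On a bridge, a packet sourced inside <intnet> should show up 'in on $int_if'
    and 'out on $ext_if'.  Seeing it 'in on $ext_if', its reply 'out on $ext_if',
    or an outside-to-inside packet 'in on $int_if' means the interface names are
    swapped relative to the cabling, which is what the post describes.
    """
    flagged = []
    for r in records:
        src_inside = r["src"] in intnet
        dst_inside = r["dst"] in intnet
        if r["iface"] == ext_if and r["dir"] == "in" and src_inside:
            flagged.append(r)
        elif r["iface"] == ext_if and r["dir"] == "out" and dst_inside:
            flagged.append(r)
        elif r["iface"] == int_if and r["dir"] == "in" and dst_inside and not src_inside:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    recs, counts = summarize(SAMPLE_PFLOG)
    for (action, direction, iface), n in sorted(counts.items()):
        print(f"{action:5s} {direction:3s} on {iface}: {n}")
    for r in suspicious_direction(recs):
        print(f"suspicious: rule {r['rule']} {r['action']} {r['dir']} on {r['iface']}: "
              f"{r['src']} > {r['dst']}")
```

To use it on a live box, feed it the actual output: `tcpdump -nettt -i pflog0 | python3 pflogcheck.py` after replacing SAMPLE_PFLOG with `sys.stdin.read()`. If every LAN-sourced packet is flagged, the fix is the one the post names: swap the cables or swap the interface names in pf.conf and rc.conf.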