cvs commit: src/sys/net/pf if_pfsync.c pf.c pf_ioctl.c pfvar.h src/usr.sbin/pfctl parse.y pf.conf.5 pf_print_state.c pfctl_parser.c pfctl_parser.h

Matthew Dillon dillon at
Fri Apr 11 11:23:32 PDT 2008

dillon      2008/04/11 11:21:49 PDT

DragonFly src repository

  Modified files:
    sys/net/pf           if_pfsync.c pf.c pf_ioctl.c pfvar.h 
    usr.sbin/pfctl       parse.y pf.conf.5 pf_print_state.c 
                         pfctl_parser.c pfctl_parser.h 
  Implement a number of major new features to PF.

  * Implement several new options to keep/modulate/synproxy state.
    'pickups', 'no-pickups', and 'hash-only'.  Example:
      pass on $ext_if inet from any to any keep state (pickups)

  * Implement a SET directive to set the default keep policy.  Example:
      set keep-policy keep state (pickups)
      pass on $ext_if inet from any to any

  * Implement the 'no state' phrase for rules, disabling any previously
    specified default state policy for that rule (a la OpenBSD).

  'pickups' and 'hash-only' imply no flag restrictions, no-pickups implies
  flags S/SA.  When pickups are enabled the state code will re-establish state
  for existing TCP connections.  Because the tcp options passed in the SYNs
  are not known when this occurs, sequence space checking will be disabled
  for those connections.  The 'hash-only' mode allows pickups but disables
  sequence space checking regardless of whether the SYN packets were observed
  or not.

  The state code no longer attempts to do sequence space checking if it has
  no information on TCP options passed in SYN packets.  The SYN from both
  ends must be observed for sequence space checking to occur (which is what
  happens by default due to flag restrictions).

  It should be noted that OpenBSD defaults to 'keep state' with the equivalent
  of no-pickups.  The problem with this is that rebooting your router or
  otherwise losing state will cause existing TCP connections to be reset,
  and I do not think this is an appropriate default for PF.  DragonFly does
  not default to using keep state but introduces the global SET directive
  to allow it to be enabled by default.

  Finally, note that when using pickups or hash-only, if you desire PF to
  not drop TCP connections on loss of state you need to have a few more
  rules than usual to pick up on packets going the opposite direction.
  For example, if you allow outgoing connections then you ALSO have to keep
  state on INCOMING packets with 'flags /S' (i.e. 'established') in order
  to ensure that active connections can be re-established on loss of state
  by packets in either direction.

  This isn't too bad since anyone using queueing has to use multiple rule
  sets anyway to ensure that state is established on the proper queue.

  In any case, DragonFly now allows you to pick your poison.  One global SET
  directive and you can use OpenBSD's policy, or you can make your own.

  In-consultation-with: Max Laier <max at>
  Revision  Changes    Path
  1.7       +2 -0      src/sys/net/pf/if_pfsync.c
  1.18      +79 -14    src/sys/net/pf/pf.c
  1.14      +1 -0      src/sys/net/pf/pf_ioctl.c
  1.8       +13 -0     src/sys/net/pf/pfvar.h
  1.5       +93 -6     src/usr.sbin/pfctl/parse.y
  1.13      +80 -2     src/usr.sbin/pfctl/pf.conf.5
  1.3       +12 -1     src/usr.sbin/pfctl/pf_print_state.c
  1.3       +25 -2     src/usr.sbin/pfctl/pfctl_parser.c
  1.3       +1 -1      src/usr.sbin/pfctl/pfctl_parser.h
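As an added example that is not part of this commit or of the DragonFly tree: a pf.conf fragment showing how the pieces named in the commit message fit together. It uses the global `set keep-policy` directive, the extra inbound `flags /S` ('established') rule needed so that connections in either direction survive a loss of state, and the `no state` phrase to opt a single rule out of the default policy. The macro value `em0` and the rule set itself are constructed for illustration; the only syntax taken from the page is `keep state (pickups)`, `keep state (no-pickups)`, `set keep-policy ...`, `flags /S` and `no state`.

```conf
# Constructed example; not from the DragonFly commit or source tree.
ext_if = "em0"

# Make every rule keep state with pickups by default (DragonFly SET
# directive).  With pickups, PF re-creates state for TCP connections it
# did not see the SYN for, at the cost of sequence space checking on
# those connections.  The stricter OpenBSD-equivalent policy would be:
#   set keep-policy keep state (no-pickups)
# which implies flags S/SA and resets existing connections after a
# reboot or other loss of state.
set keep-policy keep state (pickups)

# Outbound TCP: state is created on the SYN when it is seen, or picked
# up mid-stream after state has been lost.
pass out on $ext_if inet proto tcp from any to any

# Inbound TCP: accept only packets with the SYN bit clear ('established').
# Without this rule, return traffic for a connection whose state was lost
# is dropped, because the inbound packet matches no existing state and no
# rule allows it.  With pickups, PF re-establishes state from it instead.
pass in on $ext_if inet proto tcp from any to any flags /S

# A rule that should not inherit the default keep policy: pass ICMP
# statelessly using the 'no state' phrase.
pass in on $ext_if inet proto icmp from any to any no state
```

The two TCP rules are the "few more rules than usual" the commit refers to: the outbound rule alone would let PF pick up a connection only when the next packet after state loss happens to travel outward. The trade-off to keep in mind when choosing this policy is the one stated in the commit: state picked up without both SYNs seen gets no sequence space checking, so `no-pickups` is the choice when that check matters more than surviving a state loss.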
