Updating PF to OpenBSD Release 4.1
Jan.Lentfer at web.de
Wed Jul 28 04:19:21 PDT 2010
On Thu, 22 Jul 2010 17:33:52 -0700 (PDT), Matthew Dillon
<dillon at apollo.backplane.com> wrote:
> :Also state keeping is working (and is now default, not due to my
> :decision but it became default in OBSD 4.1 afaict). So this is ready
> :for "public" testing. I would appreciate very much if people with some
> :sophisticated setup or in-depth pf knowledge could test and give some
> Yah, this is fine, I'll give up on trying to keep the original
> style and having an option to enable it.
> However, there is one feature of the state keeping which we
> implemented first and Net/OpenBSD implemented later, and
> that is our 'pickups' feature, as in:
> set keep-policy keep state (pickups)
> In the pre-change DragonFly pf. Pickups needs to be the default
> too, and I don't think the net/openbsd equivalent feature is.
> (I don't recall what net/openbsd called their equivalent feature).
> What this flag does is allow the router running the PF rules to
> be rebooted and lose its state array without causing all the
> TCP connections that were active as of the time of the reboot
> from getting RSTs after the reboot completes (due to lack of
> information on the window scale sub-state which is only available
> in the SYN/SYN+ACK sequence). I absolutely do not want the
> default to be that a router reboot causes all active TCP connections
> to get RST'd.
So far I can confirm that "pickups" still work on a "per rule" basis, but
not as a default (by "set keep-policy keep state (pickups)"). I have tested
the following setup
10.94.76.100 --ssh--> DF/PF Router --ssh--> 192.168.0.100
the ssh session survives /etc/rc.d/pf restart and a reboot of the Router.
It stalls during reboot. If Router comes back up again and PF is re-enabled
and you hit some keys on the client (generate traffic) you can see that the
state is re-created and after some seconds the session revives.
To achieve this I had to set
pass out all keep state (pickups) flags any
pass in proto tcp from any to any port ssh keep state (pickups) flags any
ATM I think the problem with working as default is it competing against
the standard default "keep state flags S/SA". This might either be "just" a
parsing problem or going deeper, I don't know yet.
Please let me know if you think we can live with this way of enabling this
option or if I should dig deeper and try to make "set keep-policy keep
state (pickups)" set the other necessary options per rule, too.
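To make the mechanism under discussion concrete, here is a constructed toy model of a stateful filter with and without a "pickups" behaviour. It is added for illustration only and is neither pf's code nor anything from the posters above: the state machine is reduced to the single property the thread is about, namely what happens to an established TCP flow when the router's state array is lost on reboot. The client/server addresses are the ones from the test setup in the mail; the client port and the helper names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed toy model of a stateful packet filter, written for this
# illustration; it is not pf's code and is deliberately simplified.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                     # TCP flags as letters, e.g. "S", "SA", "A"
    wscale: Optional[int] = None   # window-scale option; present only on SYN / SYN+ACK


@dataclass
class State:
    # None means the filter never saw the handshake and cannot know the
    # peer's window scale, so exact window validation is impossible.
    wscale: Optional[int]


def flow_key(p: Packet) -> FrozenSet[Tuple[str, int]]:
    """Direction-independent key so replies match the same state entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


@dataclass
class Filter:
    pickups: bool                      # allow state creation from a mid-stream packet
    states: Dict[FrozenSet[Tuple[str, int]], State] = field(default_factory=dict)

    def process(self, p: Packet) -> str:
        """Decide one packet: 'pass', 'pass+create', 'pass+pickup' or 'drop'."""
        k = flow_key(p)
        if k in self.states:
            return "pass"
        if "S" in p.flags and "A" not in p.flags:
            # the normal case: a SYN (the S/SA default) creates state and records wscale
            self.states[k] = State(wscale=p.wscale)
            return "pass+create"
        if self.pickups:
            # mid-stream packet of a flow the filter has never seen (e.g. after a
            # reboot): adopt it instead of dropping it, but wscale stays unknown
            self.states[k] = State(wscale=None)
            return "pass+pickup"
        # strict mode: no handshake seen -> no state -> segment dropped, which is
        # what leaves the endpoints stalled and eventually reset
        return "drop"

    def reboot(self) -> None:
        """Model the router reboot from the thread: the state array is lost."""
        self.states.clear()


def simulate(pickups: bool) -> List[str]:
    """Client -> router -> server ssh flow; the router reboots mid-session."""
    f = Filter(pickups=pickups)
    # addresses from the mail's test setup; the client port is constructed
    client, server = ("10.94.76.100", 40000), ("192.168.0.100", 22)
    syn = Packet(*client, *server, flags="S", wscale=7)
    data = Packet(*client, *server, flags="A")        # a keystroke after the handshake
    decisions = [f.process(syn), f.process(data)]
    f.reboot()
    decisions.append(f.process(data))                 # same flow, no state any more
    return decisions


def pickup_state_lacks_wscale() -> bool:
    """The caveat: a picked-up flow never recovers the window-scale sub-state."""
    f = Filter(pickups=True)
    p = Packet("10.94.76.100", 40000, "192.168.0.100", 22, flags="A")
    f.process(p)
    return f.states[flow_key(p)].wscale is None
```

Running simulate(False) gives the strict behaviour (state created on SYN, then the post-reboot keystroke dropped), while simulate(True) shows the keystroke re-creating state, which is the "session revives after you hit some keys" observation above. The second helper records the trade-off a defender should keep in mind: a picked-up state has no handshake information, so the filter cannot validate that flow's sequence window as tightly as one it tracked from the SYN.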