Updating PF to OpenBSD Release 4.1

Jan Lentfer Jan.Lentfer at web.de
Wed Jul 28 04:19:21 PDT 2010

On Thu, 22 Jul 2010 17:33:52 -0700 (PDT), Matthew Dillon
<dillon at apollo.backplane.com> wrote:
> :Also state keeping is working (and is now default, not due to my 
> :decision but it became default in OBSD 4.1 afaict). So this is ready
> :for "public" testing. I would appreciate very much if people with some 
> :sophisticated setup or in-depth pf knowledge could test and give some 
> :feedback.
>     Yah, this is fine, I'll give up on trying to keep the original
>     style and having an option to enable it.
>     However, there is one feature of the state keeping which we
>     implemented first and Net/OpenBSD implemented later, and 
>     that is our 'pickups' feature, as in:
>     set keep-policy keep state (pickups)
>     In the pre-change DragonFly pf.  Pickups needs to be the default
>     too, and I don't think the net/openbsd equivalent feature is.
>     (I don't recall what net/openbsd called their equivalent feature).
>     What this flag does is allow the router running the PF rules to
>     be rebooted and lose its state array without causing all the
>     TCP connections that were active as of the time of the reboot
>     from getting RSTs after the reboot completes (due to lack of
>     information on the window scale sub-state which is only available
>     in the SYN/SYN+ACK sequence).  I absolutely do not want the
>     default to be that a router reboot causes all active TCP connections
>     to get RST'd.

So far I can confirm that "pickups" still works on a "per rule" basis, but
not as a default (by "set keep-policy keep state (pickups)"). I have tested
the following setup: --ssh--> DF/PF Router --ssh-->

The ssh session survives /etc/rc.d/pf restart and a reboot of the router.
It stalls during the reboot. If the router comes back up again and PF is
re-enabled, and you hit some keys on the client (to generate traffic), you
can see that the state is re-created, and after some seconds the session revives.

To achieve this I had to set
pass out all keep state (pickups) flags any
pass in proto tcp from any to any port ssh keep state (pickups) flags any

ATM I think the problem with this working as the default is that it competes
with the standard default "keep state flags S/SA". This might either be "just"
a parsing problem or go deeper, I don't know yet.

Please let me know if you think we can live with this way of enabling this
option or if I should dig deeper and try to make "set keep-policy keep
state (pickups)" set the other necessary options per rule, too.


professional: http://www.oscar-consult.de
private: http://neslonek.homeunix.org/drupal/
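To make the difference between the two rule styles above concrete, here is a
small toy model of the filter decision. It is an added illustration written for
this page, not DragonFly or OpenBSD pf code and not anything posted in this
thread. It models only two things: whether a packet matches a "flags X/Y" rule,
and whether state may be created from a packet that is not a SYN (which is what
"pickups" allows in the model; the assumption that a non-pickups rule refuses to
create state from a mid-stream packet is the model's own simplification). The
addresses, the port and the window-scale value are constructed sample data.

```python
"""Toy model: why 'keep state (pickups) flags any' lets a TCP session survive
a firewall reboot while the default 'keep state flags S/SA' does not.
Added illustration, not pf's real state machine."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TCP flag bits (standard header values)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: int


@dataclass(frozen=True)
class Rule:
    """One 'pass ... keep state' rule.

    flag_set/flag_mask follow pf's 'flags X/Y' notation: of the bits in Y,
    exactly those in X must be set.  'flags S/SA' -> (SYN, SYN|ACK),
    'flags any' -> (0, 0).  'pickups' models 'keep state (pickups)'.
    """
    dport: Optional[int]   # None means any destination port
    flag_set: int
    flag_mask: int
    pickups: bool

    def matches(self, p: Packet) -> bool:
        if self.dport is not None and p.dport != self.dport:
            return False
        return (p.flags & self.flag_mask) == self.flag_set


class Firewall:
    """Stateful filter with a single pass rule and a default block."""

    def __init__(self, rule: Rule) -> None:
        self.rule = rule
        # (src, dst, dport) -> window scale learned from the SYN, or None
        self.states: Dict[Tuple[str, str, int], Optional[int]] = {}

    def reboot(self) -> None:
        # The state table lives in RAM: a reboot or 'pf restart' empties it.
        self.states.clear()

    def filter(self, p: Packet) -> str:
        key = (p.src, p.dst, p.dport)
        if key in self.states:
            return "pass (existing state)"
        if not self.rule.matches(p):
            return "block (no state, rule does not match)"
        if p.flags & SYN:
            # Window scale is only visible in the SYN/SYN+ACK exchange.
            self.states[key] = 7  # constructed sample value
            return "pass (state from SYN)"
        if self.rule.pickups:
            # Mid-stream pickup: scale unknown, tracker must stay lenient.
            self.states[key] = None
            return "pass (state picked up mid-stream)"
        # Model assumption: without pickups, no state from a non-SYN packet.
        return "block (no state, not a SYN)"


# The default style and the style from the post ('flags any' + pickups).
DEFAULT_RULE = Rule(dport=22, flag_set=SYN, flag_mask=SYN | ACK, pickups=False)
PICKUPS_RULE = Rule(dport=22, flag_set=0, flag_mask=0, pickups=True)


def simulate(rule: Rule) -> List[str]:
    """Client opens ssh through the router, router reboots, client types."""
    fw = Firewall(rule)
    client, server = "10.0.0.2", "192.0.2.10"  # constructed addresses
    verdicts = []
    for flags in (SYN, ACK, PSH | ACK):       # handshake, then data
        verdicts.append(fw.filter(Packet(client, server, 22, flags)))
    fw.reboot()                                # router reboot / pf restart
    # The client "hits some keys": a data segment with no SYN in it.
    verdicts.append(fw.filter(Packet(client, server, 22, PSH | ACK)))
    return verdicts


if __name__ == "__main__":
    for name, rule in (("flags S/SA", DEFAULT_RULE), ("pickups", PICKUPS_RULE)):
        print(name)
        for v in simulate(rule):
            print("  ", v)
```

In the model, the last verdict is the one that matters: after the state table
is lost, the mid-stream data segment is blocked under "flags S/SA" (it carries
ACK, so the rule never matches and no state is created), while under "flags
any" plus pickups the same segment re-creates state and passes, which is the
"session stalls, then revives" behaviour described in the post. The None
window scale stored for a picked-up state is the model's way of marking the
caveat Matthew raised: a state created mid-stream has not seen the window
scale negotiation, so a real tracker has to be more permissive about sequence
windows for such states.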
