On Thu, 22 Jul 2010 17:33:52 -0700 (PDT), Matthew Dillon <dil...@apollo.backplane.com> wrote:

> :Also state keeping is working (and is now default, not due to my
> :decision but it became default in OBSD 4.1 afaict). So this is ready now
> :for "public" testing. I would appreciate very much if people with some
> :sophisticated setup or in-depth pf knowledge could test and give some
> :feedback.
>
> Yah, this is fine, I'll give up on trying to keep the original
> style and having an option to enable it.
>
> However, there is one feature of the state keeping which we
> implemented first and Net/OpenBSD implemented later, and
> that is our 'pickups' feature, as in:
>
> set keep-policy keep state (pickups)
>
> In the pre-change DragonFly pf. Pickups needs to be the default
> too, and I don't think the net/openbsd equivalent feature is.
> (I don't recall what net/openbsd called their equivalent feature).
>
> What this flag does is allow the router running the PF rules to
> be rebooted and lose its state array without causing all the
> TCP connections that were active as of the time of the reboot
> to get RSTs after the reboot completes (due to lack of
> information on the window scale sub-state which is only available
> in the SYN/SYN+ACK sequence). I absolutely do not want the
> default to be that a router reboot causes all active TCP connections
> to get RST'd.
So far I can confirm that "pickups" still work on a "per rule" basis, but not as a default (by "set keep-policy keep state (pickups)").

I have tested the following setup:

10.94.76.100 --ssh--> DF/PF Router --ssh--> 192.168.0.100

The ssh session survives /etc/rc.d/pf restart and a reboot of the Router. It stalls during reboot. If the Router comes back up again and PF is re-enabled and you hit some keys on the client (generate traffic), you can see that the state is re-created and after some seconds the session revives.

To achieve this I had to set

pass out all keep state (pickups) flags any
pass in proto tcp from any to any port ssh keep state (pickups) flags any

ATM I think the problem with working as default is it competing against the standard default "keep state flags S/SA". This might either be "just" a parsing problem or going deeper, I don't know yet.

Please let me know if you think we can live with this way of enabling this option or if I should dig deeper and try to make "set keep-policy keep state (pickups)" set the other necessary options per rule, too.

Jan

-- 
professional: http://www.oscar-consult.de
private: http://neslonek.homeunix.org/drupal/
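The following is an added illustration of the behaviour discussed in the two posts above; it is not code from the thread, from DragonFly or from OpenBSD pf. It is a simplified Python model of a stateful firewall's TCP state table under the default policy (state is only created on the initial SYN, the "flags S/SA" default Jan mentions) and under a "pickups" policy (state may also be re-created from a mid-stream packet after the state array is lost, as in a router reboot). The packet fields, the `StateTable` class and the `simulate` helper are assumptions chosen for the model; the point it makes is the one Matthew describes: a picked-up state has no window-scale information, because that is only carried in the SYN/SYN+ACK exchange, so it must be tracked more loosely than a state created from a SYN.

```python
"""Toy model: default "SYN-only" state creation versus "pickups".

Added example, not pf code. Packet and State are simplified assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    wscale: Optional[int] = None  # window-scale option, present only on SYN / SYN+ACK


@dataclass
class State:
    key: Tuple[str, int, str, int]
    wscale_known: bool  # False: sequence-window checks cannot be enforced
    picked_up: bool     # True: created from a mid-stream packet, not a SYN


class StateTable:
    """Minimal model of the firewall's state array (assumption, not pf's real one)."""

    def __init__(self, pickups: bool):
        self.pickups = pickups
        self.states: Dict[Tuple[str, int, str, int], State] = {}

    @staticmethod
    def key(p: Packet) -> Tuple[str, int, str, int]:
        return (p.src, p.sport, p.dst, p.dport)

    def flush(self) -> None:
        """Simulate the router rebooting and losing its state array."""
        self.states.clear()

    def process(self, p: Packet) -> str:
        k = self.key(p)
        if k in self.states:
            return "pass:existing"
        # Default policy ("flags S/SA"): create state only for the initial SYN,
        # which carries the window-scale option.
        if p.syn and not p.ack:
            self.states[k] = State(k, wscale_known=p.wscale is not None, picked_up=False)
            return "pass:new"
        # Pickups policy: accept a mid-stream packet and create state for it,
        # but the window scale is unknown, so this state is tracked loosely.
        if self.pickups:
            self.states[k] = State(k, wscale_known=False, picked_up=True)
            return "pass:pickup"
        # No state and no SYN: the packet is not matched by a stateful rule.
        return "block"


def simulate(pickups: bool) -> Tuple[List[str], int]:
    """Run a constructed ssh session through a router reboot.

    Returns the per-packet decision list and the number of states that
    lack window-scale information after the reboot.
    """
    table = StateTable(pickups=pickups)
    # Constructed sample traffic: client 10.94.76.100 -> server 192.168.0.100:22
    syn = Packet("10.94.76.100", 40000, "192.168.0.100", 22, syn=True, wscale=7)
    ack = Packet("10.94.76.100", 40000, "192.168.0.100", 22, ack=True)
    data = Packet("10.94.76.100", 40000, "192.168.0.100", 22, ack=True)

    decisions = [table.process(syn), table.process(ack), table.process(data)]
    table.flush()  # router reboots; state array is gone
    decisions += [table.process(data), table.process(data)]  # user hits some keys

    loose = sum(1 for s in table.states.values() if not s.wscale_known)
    return decisions, loose


if __name__ == "__main__":
    for mode in (False, True):
        print("pickups" if mode else "default", simulate(mode))
```

With the default policy the two post-reboot packets have no state and are blocked, which is the situation Matthew describes (the connection cannot be recovered and ends up reset). With pickups the first post-reboot packet re-creates the state and the session continues, at the cost of one state whose sequence window cannot be validated; that looser state is the trade-off an operator should be aware of when making pickups the default.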