On Thursday, Jan 29, 2004, at 21:22 US/Pacific, Brad Guillory wrote:

I am trying to migrate from ipf (in OpenBSD 2.8) to pf (in OpenBSD 3.4). I am having a lot of trouble with my ruleset which heavily relies on binat and keep state. Packets will come in on a keep state rule (from the internet) but the replies are dropped.

I should probably mention that nearly all of my rules are written for incoming packets (toward the firewall).

Something to keep in mind is that pf always acts on _both_ interfaces. What you allow in on one interface must be allowed out on the other (if forwarding).


I have done what I can to read in the man pages and the mailing list about this problem, but I think that I am going to have to dive into the source. Is there any kind of primer on the basic architecture or how the source is laid out? Maybe someone can point me to a function or two that I should read for more insight into my problem.

Packets start in sys/net/pf.c:pf_test() (or pf_test6() for IPv6). Headers are decoded and the packets are tried in pf_test_state_*() first; if no match, pf_test_*(). It should be fairly easy to follow.


There are many bits of info on http://www.benzedrine.cx/pf.html
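A small pf.conf fragment illustrating the "both interfaces" point above, added here as an example and not taken from the thread or from the OpenBSD tree. The interface and address macros ($ext_if, $int_if, $ext_addr, $int_host) are assumed; the one fact it relies on is from pf.conf(5): translation (binat) is applied before filtering, so the filter rules see the translated (internal) address.

```pf
# Assumed macros, not from the original message.
ext_if   = "fxp0"
int_if   = "fxp1"
ext_addr = "192.0.2.10"       # public address (placeholder)
int_host = "10.0.0.10"        # internal host behind binat (placeholder)

# Bidirectional 1:1 translation between the public and internal address.
binat on $ext_if from $int_host to any -> $ext_addr

# Default deny on every interface; pf filters both on the way in and on
# the way out, so a packet that is forwarded must be allowed twice.
block in all
block out all

# Inbound HTTP to the binat host, arriving on the external interface.
# binat has already rewritten the destination, so match the internal address.
pass in on $ext_if proto tcp from any to $int_host port 80 flags S/SA keep state

# The same forwarded packet then leaves on the internal interface: without a
# matching pass out rule (or a state covering it) it is dropped there.
pass out on $int_if proto tcp from any to $int_host port 80 flags S/SA keep state

# Replies from the internal host return on $int_if (in) and leave on $ext_if
# (out); the states created above cover that path, so no further rules needed.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -ss` while a connection is attempted to confirm a state is created on each interface.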
