On Tue, Mar 02, 2004 at 09:27:48AM -0800, Getchell, Adam wrote: > I'm under the impression pf keeps the state table across reboots, but > Googling for it just gives Darren Reed's response: > http://monkey.org/openbsd/archive/misc/0201/msg01135.html > > Does it?
No, the state table is not stored in a file and reloaded on reboot, though that wouldn't be hard to do (the ioctl API is there already), I guess it's just not generally useful enough. If you filter TCP statefully and create state only on SYN packets (using flags S/SA keep state), a reboot will stall or reset your existing connections. If you allow non-SYN packets to create state (without flags S/SA), the next packet seen after reboot for an existing connection will create a new state entry, and the connections continues to work (assuming the next packet, which can be coming from either direction, on more than one interface possibly, actually matches a pass keep state rule). Some features like modulate state, syn-proxy or window scaling support only work when pf creates state on the initial SYN and sees the TCP handshake. So creating state from non-SYN will not work properly when these features are used/needed. Daniel
