Subject: kern/27590: IPF 4.1.x is missing the "state-age" optional clause.
To: None <>
From: None <>
List: netbsd-bugs
Date: 10/27/2004 22:07:48
>Number:         27590
>Category:       kern
>Synopsis:       IPF 3.x allows a "state-age" clause that can no longer be used.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 28 05:09:00 UTC 2004
>Originator:     Paul Shupak
>Release:        NetBSD 2.99.10
>Environment:
System: NetBSD svcs 2.99.10 NetBSD 2.99.10 (SVCS) #389: Fri Oct 15 10:01:37 PDT 2004 root@svcs:/sys/arch/i386/compile/SVCS i386
Architecture: i386
Machine: i386
>Description:
	As an example, to allow amanda through firewalls to (possibly) slow
machines, I use a rule like:

	pass  in  quick proto udp from any to any port = amanda keep state keep state-age 900/900 keep frags group 208

	On IPF 4.1.x, this simply leads to an error such as:

	syntax error error at "state-age", line 9

	For some purposes, there is no available alternative (except disabling
the firewall for those machine/port combinations).
>How-To-Repeat:
	When using IPF 4.1.x, try a rule which contains "keep state" and
"state-age" clauses as was allowed by IPF 3.x.
>Fix:
	Re-add "state-age" to the IPF grammar and reintroduce its semantics
to the state machine(s).  (Particularly needed for non-TCP protocols where
the "keep state" timeout is small compared to what many applications desire
or need - e.g. UDP.)