What is wrong with pf in 5.0?

To: tech-net%netbsd.org@localhost
Subject: What is wrong with pf in 5.0?
From: Nino Dehne <ndehne%gmail.com@localhost>
Date: Sun, 31 May 2009 17:24:04 +0200

Hi,

I upgraded my router to 5.0.0_PATCH and somehow pf is borked.

Rules such as

  pass  in quick on $ext6_if inet6 from any to { $ext6_if_local, $ext6_net }
  pass out quick on $ext6_if inet6 from { $ext6_if_local, $ext6_net } to any

get expanded to

pass in quick on gif0 inet6 from any to [...] flags S/SA keep state (if-bound)
                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pass in quick on gif0 inet6 from any to [...] flags S/SA keep state (if-bound)
pass out quick on gif0 inet6 from [...] to any flags S/SA keep state (if-bound)
pass out quick on gif0 inet6 from [...] to any flags S/SA keep state (if-bound)

What the hell? Why does it apply TCP flags and state keeping when I didn't
request that anywhere?

Regards

-- 
Of course it runs NetBSD.

Follow-Ups:
- Re: What is wrong with pf in 5.0?
  - From: Hauke Fath

Prev by Date: Re: CVS commit: src/sys
Next by Date: Re: What is wrong with pf in 5.0?
Previous by Thread: Re: CVS commit: src/sys
Next by Thread: Re: What is wrong with pf in 5.0?
Indexes:

Home | Main Index | Thread Index | Old Index