netbsd-bugs: kern/27590: IPF 4.1.x is missing the "state-age" optional clause.

Subject: kern/27590: IPF 4.1.x is missing the "state-age" optional clause.
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <paul@Plectere.com>
List: netbsd-bugs
Date: 10/27/2004 22:07:48

>Number:         27590
>Category:       kern
>Synopsis:       IPF 3.x allows a "state-age" clause that can no longer be used.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Oct 28 05:09:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Paul Shupak
>Release:        NetBSD 2.99.10
>Organization:
	
>Environment:
	
	
System: NetBSD svcs 2.99.10 NetBSD 2.99.10 (SVCS) #389: Fri Oct 15 10:01:37 PDT 2004 root@svcs:/sys/arch/i386/compile/SVCS i386
Architecture: i386
Machine: i386
>Description:
	As an example, to allow amanda through firewalls to (possibly) slow
machines, I use a rule like:

	pass  in  quick proto udp from any to any port = amanda keep state keep state-age 900/900 keep frags group 208

	On IPF 4.1.x, this simply leads to an error such as:

	syntax error error at "state-age", line 9

	For some purposes, there is no available alternative (except disabling
the firewall for those machine/port combinations).
	
>How-To-Repeat:
	When using IPF 4.1.x, try a rule which contains "keep state" and
"state-age" clauses as was allowed by IPF 3.x.
	
>Fix:
	Re-add "state-age" to the IPF grammar and reintroduce its semantics
to the state machine(s).  (Particularly needed for non-TCP protocols where
the "keep state" timeout is small compared to what many applications desire
or need - e.g. UDP.)
	
>Release-Note:
>Audit-Trail:
>Unformatted: