Subtle change in pf behavior from 6.2 to 6.3-PRE

[Steve Watt]

Greetings,

I recently upgraded my system from a 6.2-PRE from Dec '06
to 6.3-PRE as of 4 Nov.

I discovered an interesting and subtle change in the way pf
behaves between the two versions.

In the past I had the following (slightly incorrect) rule in
my pf.conf:

pass out on $ext_if proto { tcp, udp, icmp } all keep state

It seemed to do the right thing; it kept state on all
outbound traffic and allowed the return traffic.

However, with the newer pf, it appears that the desired
incantation is now

pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

The symptom of the problem that I noticed was that innd was
getting EPERM attempting to talk to other systems, and that
my web server couldn't be talked to by Linux browsers.

Groping around and turning on debugging on pf led me to the
(apparently) usual:

Nov  8 16:59:48 wattres kernel: pf: BAD state: TCP <some.ip.addr>:25 <some.ip.addr>:25 <some.ip.addr>:48418 [lo=2541394648 high=2541394831 win=33304 modulator=0] [lo=2408093130 high=2408126434 win=183 modulator=0] 4:4 PA seq=2541394648 ack=2408093130 len=214 ackskew=0 pkts=3:3 dir=out,fwd

Which finally led me to the hint that the flags weren't getting
stored correctly by the earlier pass rules.

Whee.  Breadcrumbs for someone to google up some dark and
stormy night.

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.5" / 37N 20' 15.3"
 Internet: steve @ Watt.COM                      Whois: SW32-ARIN
   Free time?  There's no such thing.  It just comes in varying prices...