OpenBSD Journal

PF Changes in -current

Contributed by jose on from the syntax-changes dept.

Just a brief note from the PF people: configurations that use the syntax "flags S" will no longer work as you expect them to, because the mask of flags must now be given explicitly:
  > remove the "flags X" syntax.
  > no one who wrote "flags S" meant that, but actually something like "flags
  > S/SA". with "flags S" changing its actual meaning as more flags got
  > supported, things got worse.
  > ok dhartmei@, pb@ (henning@)
Hence, you'll have to use something like flags S/SAFRUPEW in your pf.conf files. The good news is that you can use macros:
  > Remove 'flags X' syntax, if people make heavy use of X/FOOBAR, they
  > should use macros, e.g.
  > tcpinit="S/SAFR"
  > pass in ... flags $tcpinit (pb@)
This was done to ensure the correctness of matches, and once you migrate your rulesets over you should be good. Thanks to Daniel for some information on this change.
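To see which rules in an existing ruleset are affected, here is a small sh check, added here as an example and not part of the article or of the PF developers' code. It scans pf.conf text for the bare "flags X" form (no "/mask"), counts the hits, and can rewrite them with a mask of your choosing. The ruleset it runs on is constructed for the demo; the macro name tcpinit follows the commit quote above, and the mask you pick is an assumption about what each rule was meant to match.

```shell
#!/bin/sh
# Added example (not from the article or the PF developers): find pf.conf
# rules that still use the bare "flags X" syntax, which -current rejects, and
# optionally rewrite them with an explicit mask.  The ruleset below is
# constructed for the demo; the macro name "tcpinit" follows the commit quote.

SAMPLE_PFCONF='tcpinit="S/SAFR"
pass in on fxp0 proto tcp from any to any port 22 flags S keep state
pass in on fxp0 proto tcp from any to any port 80 flags S/SA keep state
pass out on fxp0 proto tcp from any to any flags $tcpinit keep state
# flags S in a comment must not be reported
block in all'

# Report "<line>:<rule>" for each rule whose flags argument has no "/mask".
# Comments are stripped first (sed keeps the line count, so the numbers
# match the input).  Macro references ($name) are not inspected: check the
# macro definition itself.
find_bare_flags() {
    sed 's/#.*$//' | grep -n -E 'flags[[:space:]]+[SAFRUPEW]+([[:space:]]|$)'
}

# Number of offending rules (0 once the ruleset is migrated).
count_bare_flags() {
    find_bare_flags | wc -l | tr -d ' '
}

# Append "/<mask>" to every bare flags argument; full-line comments are left
# alone.  The mask is the admin's choice: SA is the "new connection only"
# intent quoted in the commit message, SAFRUPEW checks every flag.
rewrite_bare_flags() {
    mask="${1:-SA}"
    sed -E '/^[[:space:]]*#/!s#(flags[[:space:]]+)([SAFRUPEW]+)([[:space:]]|$)#\1\2/'"$mask"'\3#'
}

# Stand-alone demo on the constructed ruleset; pipe a real pf.conf in to
# check your own (e.g. find_bare_flags < /etc/pf.conf).
printf '%s\n' "$SAMPLE_PFCONF" | find_bare_flags
```

Review the rewritten rules before loading them: a rule that relied on the old loose matching may need a different mask than the one you pass in, and macros that expand to a bare flag set still have to be fixed by hand at their definition.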


  1. By Anonymous Coward () on

    Sounds like PF is really having some rough times lately. So much for "writing a packet filter is easy, we can duplicate IPF easily and better."

    1. By Anonymous Coward () on

      The trolls are out in full force this week.
      Back! Back! Back into the darkness from which you came. Lest you be turned into stone by the light of my cruel logic.

    2. By Shane () on

      I thought they did duplicate one easily and better? What did the interview say? Something like a month for a working packet filter. That seems pretty impressive to me, especially considering it performs just as well.

    3. By Anonymous Coward () on

      hey Mr. Reed!

    4. By zil0g () on

      Darren? is that you? hey! come out in the light so we can see you!


      1. By Anonymous Coward () on

        I get it, anyone that has something critical to say about PF must obviously be the author of its competition. Clever.

        1. By Anonymous Coward () on

          Constructive criticism is welcomed. Whining is not. Perhaps you would be happier using a Microsoft product. One that has a telephone number with a customer representative that handles whining customers every day of his pitiful life.
          I contribute nothing more than my $40 stipend for the cds. I get a secure OS with that contains software that some company would have me paying 1000s of hard earned dollars. Sometimes I have complaints, nothing is perfect. But in my book, complaining is not contributing. So shall I say, I suffer in delightful silence, while you make a fool of yourself as a prime example of a non-contributing whiner.

          1. By Pedro () on


            I mean, even when saying "something critical" there are certain quality standards to respect. And some people on this site don't seem to be able to even write "something critical" without failing miserably at respecting even the lowest of these standards.

        2. By rankor () on

          the way the post was written meant it was either Darren, or a slow day over at /.

        3. By Anonymous Coward () on

          Well, what you said was pretty stupid, so it seemed like a reasonable guess at the time.

    5. By Lars Hansson () on

      Yeah, change of syntax is a sure-fire sign of rough times.
      Maybe you should go troll in the woods or did the big trolls not want to play with you?

    6. By Anonymous Coward () on

      I didn't know Darren read

      1. By Anonymous Coward () on

        I didn't know Darren could read at all!

    7. By Noob () on

      I'm enjoying the new pf just fine. It does what I need it to do anyways.

    8. By Anonymous Coward () on

      Apparently, you are a recent reader and don't know much about the full history. You are also a pesky little boy, making up quotes or using someone's words without full attribution.

      PF was written mainly as a program of opportunity due to the licensing issues of IPF and fallout between Theo and Reed. In fact, no one expected to be writing one until the issue was forced, mainly due to Reed's (rightful, however annoying) insistence on his license terms, OBSD's project goals (which you are not aware of fully despite it plainly displayed on their web page) and insistence of coding over carefully looking at licensing (their mistake, but they are coders, not lawyers), and the current legal environment, particularly surrounding copyright and the use of derivative works (occurs most stringently in the US, so your mileage may vary depending on where you reside).

      Plus, it seems PF has had fewer security issues than IPF during a similar timeframe. Darn. There goes your tiny slice at fame. Good day.

  2. By Anonymous Coward () on

    What's the (pb@) mean?

    1. By messersmidth () on

      It means one of the project developers, who has an email address that is pb(at)openbsd.o r g.
      When you start to submit source code to the project often, you might end up there yourself.

      1. By Anonymous Coward () on

        LOL, I didn't clue in to that.. ;) I see it all the time, and for some reason thought it was something new and funky.

  3. By Jedi/Sector One () on

    "the syntax "flags S" will no longer work as you expect them to."

    Hmm, actually the reason for the change is that it was confusing, and that it was _not_ working the way people expected it to (it was working the way it was documented, but people misread the documentation...).

    Now, things are clear.

    1. By Anonymous Coward () on

      Would you care to clarify? How was it written, and how was it being interpreted?

  4. By Anonymous Coward () on

    Can someone please tell me the best way to see what has been committed to stable through a browser?


    1. By Anonymous Coward () on

      Security fixes:

      For the rest nothing is changed iirc

      1. By Anonymous Coward () on

        Err, excuse me. Forgot to mention reliability fixes as well.

        No software add-ons (i.e. 'features'). That's why it's called stable :)

    2. By Rojareyn (cfuhrman at NO pobox SPAM dot com) on

      You could always subscribe to

      You get the CVS commits for EVERYTHING (www, ports, src, etc).

      Better still, subscribe to the digest version...


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]