author Claudio Jeker <claudio@cvs.openbsd.org> 2012-03-26 19:26:18 +0000
committer Claudio Jeker <claudio@cvs.openbsd.org> 2012-03-26 19:26:18 +0000
commit 3d109d71a5a1fb6305ad6eb51a166eca695f72e3
tree 51cff50fe0c8658002e7b5b690aafd7bfedc2c8b
parent b2ca1ee19033845b1c86f21d317d305e194d497d
Try to document how to use gre(4) keepalives with pf(4) enabled.
Adding a rule like "pass quick on gre proto gre no state" will ensure that the keepalive packets get through pf by bypassing the state table once. Requested by jsing@ some long time ago.
-rw-r--r-- share/man/man4/gre.4 16
1 files changed, 14 insertions, 2 deletions
diff --git a/share/man/man4/gre.4 b/share/man/man4/gre.4
index 329a79e6cbc..7188f5e8414 100644
--- a/share/man/man4/gre.4
+++ b/share/man/man4/gre.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: gre.4,v 1.34 2011/07/09 04:01:30 deraadt Exp $
+.\" $OpenBSD: gre.4,v 1.35 2012/03/26 19:26:17 claudio Exp $
.\" $NetBSD: gre.4,v 1.10 1999/12/22 14:55:49 kleink Exp $
.\"
.\" Copyright 1998 (c) The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 9 2011 $
+.Dd $Mdocdate: March 26 2012 $
.Dt GRE 4
.Os
.Sh NAME
@@ -197,6 +197,18 @@ To return keepalives, the remote host must be configured to forward packets:
.Bd -literal -offset indent
# sysctl net.inet.ip.forwarding=1
.Ed
+.Pp
+If
+.Xr pf 4
+is enabled then it is necessary to add a pass rule specific for the keepalive
+packets.
+The rule must use
+.Em no state
+because the keepalive packet is entering the network stack multiple times.
+In most cases the following should work:
+.Bd -literal -offset indent
+pass quick on gre proto gre no state
+.Ed
.Sh NOTES
The MTU of
.Nm
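Review bot: The new paragraph promises "a pass rule specific for the keepalive packets", but the example "pass quick on gre proto gre no state" carries no from/to restriction, so it statelessly passes every proto gre packet seen on gre, and quick stops any later rule from being evaluated for that traffic. Either state that scope in the text or narrow the example with from/to addresses. The justification ("entering the network stack multiple times") would also help readers more if it said what goes wrong when a stateful rule is used instead. Minor wording: "specific to" rather than "specific for", and a comma after "is enabled".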