Make 'flags S/SA keep state' the implicit for filter rules, based on

a suggestion from dhartmei@. Also add 'flags any' and 'no state' options
to disable flag matching and stateful filtering respectively.

IMPORTANT NOTE:
Current rulesets will continue to load, but the behaviour may be slightly
changed as these defaults are more restrictive. If you are purposefully
filtering statelessly ('no state') or have a requirement to create states
on intermediate packets ('flags any') you should update your ruleset to
make use of the new keywords to explicitly request the behaviour.

Note that creation of states from intermediate packets in a connection is
not recommended, and will increasingly cause problems as more OSs enable
window scaling and increase buffer sizes by default.

ok dhartmei@ deraadt@ henning@

0 files changed, 0 insertions, 0 deletions