o don't use keep state on block rules

o don't use return-rst on not-tcp rules

6 files changed, 48 insertions, 46 deletions

diff --git a/regress/sbin/pfctl/pf10.in b/regress/sbin/pfctl/pf10.in
index 9b76f635446..15ca78b9ebe 100644
--- a/regress/sbin/pfctl/pf10.in
+++ b/regress/sbin/pfctl/pf10.in
@@ -3,8 +3,8 @@ pass in inet proto icmp all
 pass in inet6 proto ipv6-icmp all
 block in inet proto icmp all
 block in inet6 proto ipv6-icmp all
-block return-rst in inet proto icmp all
-block return-rst in inet6 proto ipv6-icmp all
+block return-rst in inet proto tcp all
+block return-rst in inet6 proto tcp all
 block return-icmp in inet proto icmp all
 block return-icmp(0) in inet proto icmp all
 block return-icmp(net-unr) in inet proto icmp all
@@ -25,3 +25,4 @@ block return-icmp6(3) in inet6 proto ipv6-icmp all
 block return-icmp6(addr-unr) in inet6 proto ipv6-icmp all
 block return-icmp6(4) in inet6 proto ipv6-icmp all
 block return-icmp6(port-unr) in inet6 proto ipv6-icmp all
+
diff --git a/regress/sbin/pfctl/pf10.ok b/regress/sbin/pfctl/pf10.ok
index ba755ce573b..846e1a80d03 100644
--- a/regress/sbin/pfctl/pf10.ok
+++ b/regress/sbin/pfctl/pf10.ok
@@ -2,8 +2,8 @@
 @1 pass in inet6 proto ipv6-icmp all 
 @2 block in inet proto icmp all 
 @3 block in inet6 proto ipv6-icmp all 
-@4 block return-rst in inet proto icmp all 
-@5 block return-rst in inet6 proto ipv6-icmp all 
+@4 block return-rst in inet proto tcp all 
+@5 block return-rst in inet6 proto tcp all 
 @6 block return-icmp in inet proto icmp all 
 @7 block return-icmp(net-unr) in inet proto icmp all 
 @8 block return-icmp(net-unr) in inet proto icmp all 
diff --git a/regress/sbin/pfctl/pf4.in b/regress/sbin/pfctl/pf4.in
index b100497c0b0..6f26a4fafdd 100644
--- a/regress/sbin/pfctl/pf4.in
+++ b/regress/sbin/pfctl/pf4.in
@@ -11,4 +11,5 @@ block in proto tcp from any port = ssh to any
 block in proto tcp from any port { ssh, ftp >< 2048, != 1234, >= www } to any
 
 block in proto { tcp, udp } from { 10.0.0.0/8, 172.16.0.0/12 } port { ssh, ftp } \
-	to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668 } keep state
+	to { 192.168.0.0/16, 12.34.56.78 } port { 6667, 6668 }
+
diff --git a/regress/sbin/pfctl/pf4.ok b/regress/sbin/pfctl/pf4.ok
index 8418c4e170f..e47e076292a 100644
--- a/regress/sbin/pfctl/pf4.ok
+++ b/regress/sbin/pfctl/pf4.ok
@@ -12,35 +12,35 @@
 @11 block in proto tcp from any port != 1234 to any 
 @12 block in proto tcp from any port 21 >< 2048 to any 
 @13 block in proto tcp from any port = ssh to any 
-@14 block in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6668 keep state 
-@15 block in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6667 keep state 
-@16 block in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6668 keep state 
-@17 block in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6667 keep state 
-@18 block in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668 keep state 
-@19 block in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667 keep state 
-@20 block in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668 keep state 
-@21 block in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667 keep state 
-@22 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6668 keep state 
-@23 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667 keep state 
-@24 block in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6668 keep state 
-@25 block in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6667 keep state 
-@26 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668 keep state 
-@27 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 keep state 
-@28 block in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668 keep state 
-@29 block in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667 keep state 
-@30 block in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668 keep state 
-@31 block in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667 keep state 
-@32 block in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668 keep state 
-@33 block in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667 keep state 
-@34 block in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668 keep state 
-@35 block in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667 keep state 
-@36 block in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668 keep state 
-@37 block in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667 keep state 
-@38 block in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668 keep state 
-@39 block in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667 keep state 
-@40 block in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668 keep state 
-@41 block in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667 keep state 
-@42 block in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668 keep state 
-@43 block in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 keep state 
-@44 block in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668 keep state 
-@45 block in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667 keep state 
+@14 block in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6668 
+@15 block in inet proto udp from 172.16.0.0/12 port = 21 to 12.34.56.78 port = 6667 
+@16 block in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6668 
+@17 block in inet proto udp from 172.16.0.0/12 port = 21 to 192.168.0.0/16 port = 6667 
+@18 block in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668 
+@19 block in inet proto udp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667 
+@20 block in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668 
+@21 block in inet proto udp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667 
+@22 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6668 
+@23 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667 
+@24 block in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6668 
+@25 block in inet proto udp from 10.0.0.0/8 port = 21 to 192.168.0.0/16 port = 6667 
+@26 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668 
+@27 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 
+@28 block in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668 
+@29 block in inet proto udp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667 
+@30 block in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6668 
+@31 block in inet proto tcp from 172.16.0.0/12 port = ftp to 12.34.56.78 port = 6667 
+@32 block in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6668 
+@33 block in inet proto tcp from 172.16.0.0/12 port = ftp to 192.168.0.0/16 port = 6667 
+@34 block in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6668 
+@35 block in inet proto tcp from 172.16.0.0/12 port = ssh to 12.34.56.78 port = 6667 
+@36 block in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6668 
+@37 block in inet proto tcp from 172.16.0.0/12 port = ssh to 192.168.0.0/16 port = 6667 
+@38 block in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6668 
+@39 block in inet proto tcp from 10.0.0.0/8 port = ftp to 12.34.56.78 port = 6667 
+@40 block in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6668 
+@41 block in inet proto tcp from 10.0.0.0/8 port = ftp to 192.168.0.0/16 port = 6667 
+@42 block in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6668 
+@43 block in inet proto tcp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 
+@44 block in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6668 
+@45 block in inet proto tcp from 10.0.0.0/8 port = ssh to 192.168.0.0/16 port = 6667 
diff --git a/regress/sbin/pfctl/pf5.in b/regress/sbin/pfctl/pf5.in
index 0122763ffdf..6ad7040c2ed 100644
--- a/regress/sbin/pfctl/pf5.in
+++ b/regress/sbin/pfctl/pf5.in
@@ -3,4 +3,4 @@ bar = "other thing"
 inside="10.0.0.0/8"
 
 block in proto udp from $inside port { echo, $foo, ident } \
-	to 12.34.56.78 port { 6667, 0x10 } keep state
+	to 12.34.56.78 port { 6667, 0x10 }
diff --git a/regress/sbin/pfctl/pf5.ok b/regress/sbin/pfctl/pf5.ok
index c2fd7d68543..94e1ad0d1d2 100644
--- a/regress/sbin/pfctl/pf5.ok
+++ b/regress/sbin/pfctl/pf5.ok
@@ -1,11 +1,11 @@
 foo = ssh, ftp
 bar = other thing
 inside = 10.0.0.0/8
-@0 block in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 16 keep state 
-@1 block in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 6667 keep state 
-@2 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 16 keep state 
-@3 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667 keep state 
-@4 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16 keep state 
-@5 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 keep state 
-@6 block in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16 keep state 
-@7 block in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667 keep state 
+@0 block in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 16 
+@1 block in inet proto udp from 10.0.0.0/8 port = 113 to 12.34.56.78 port = 6667 
+@2 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 16 
+@3 block in inet proto udp from 10.0.0.0/8 port = 21 to 12.34.56.78 port = 6667 
+@4 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 16 
+@5 block in inet proto udp from 10.0.0.0/8 port = ssh to 12.34.56.78 port = 6667 
+@6 block in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 16 
+@7 block in inet proto udp from 10.0.0.0/8 port = echo to 12.34.56.78 port = 6667