authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2006-10-17 07:14:29 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2006-10-17 07:14:29 +0000
commit9fe206b6ccc4fb7688e3520cd04f12f5aa4bf6fb (patch)
treeb460c4bc1d77af79853b24fa004498f62dbb7450 /sbin
parent5ee542e27fdf4234db941cbb046a7cd4f5565853 (diff)
Don't automatically set 'flags S/SA' on stateless rules.
pointed out by david@ ok mpf@ dhartmei@
Diffstat (limited to 'sbin')
-rw-r--r--sbin/pfctl/parse.y7
-rw-r--r--sbin/pfctl/pfctl_parser.c4
2 files changed, 6 insertions, 5 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 6d959069014..85b1d199d2b 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.507 2006/10/11 21:04:18 deraadt Exp $ */
+/* $OpenBSD: parse.y,v 1.508 2006/10/17 07:14:28 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1780,9 +1780,10 @@ pfrule : action dir logquick interface route af proto fromto
free(p);
}
- /* 'flags S/SA' by default on pass rules. */
+ /* 'flags S/SA' by default on stateful rules */
if (!r.action && !r.flags && !r.flagset &&
- !$9.fragment && !($9.marker & FOM_FLAGS)) {
+ !$9.fragment && !($9.marker & FOM_FLAGS) &&
+ r.keep_state) {
r.flags = parse_flags("S");
r.flagset = parse_flags("SA");
}
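Review bot: The added `r.keep_state` test only has the intended effect if `keep_state` has already been assigned for this rule when the block runs; the pfrule action starts well before this hunk and continues after it, so the position of the `$9.keep` handling relative to this block is not visible here and should be confirmed — if `keep_state` is filled in later, or defaulted outside the parser, the condition is always false and no rule receives the S/SA default. The rewritten comment says what the block does but not why it now excludes stateless rules; I would extend it to `/* 'flags S/SA' by default on stateful rules only; a stateless rule with S/SA would match nothing but SYNs */`, with the rationale taken from the commit message, so adjust if the actual motivation differs. This condition is mirrored by the `flags any` test in print_rule() (second hunk, pfctl_parser.c); a one-line cross-reference on each side would keep the two from drifting apart in future edits.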
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index a6eb255858c..aaf4b521291 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.230 2006/10/06 17:04:53 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.231 2006/10/17 07:14:28 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -796,7 +796,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
} else if (r->action == PF_PASS &&
(!r->proto || r->proto == IPPROTO_TCP) &&
!(r->rule_flag & PFRULE_FRAGMENT) &&
- !anchor_call[0])
+ !anchor_call[0] && r->keep_state)
printf(" flags any");
if (r->type) {
const struct icmptypeent *it;
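Review bot: The condition that prints `flags any` has to remain equivalent to the one that applies the S/SA default in parse.y, and nothing in either file says so; the parser's version additionally requires `!r.flags && !r.flagset` and never looks at the protocol, and whether that matches the `if` branch this `else if` continues cannot be seen here because print_rule() starts before the hunk. Add a cross-reference such as `/* mirrors the 'flags S/SA' default in parse.y's pfrule action; without it, reparsing our output would re-add the flags */` so the next change to either side finds the other. As a point of style, the parser tests `!r.action` while this side tests `r->action == PF_PASS`; writing both with the explicit comparison makes the pairing obvious and stops relying on PF_PASS being zero.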