networking - How to filter TCP packets based on flags using Packet Filter in OpenBSD
Well, I didn't know how to ask this question, but I know that I can use the keyword flags to specify the flags I want to filter on.
According to the documentation of Packet Filter:

To have PF inspect the TCP flags during evaluation of a rule, the flags keyword is used with the following syntax:

flags check/mask
flags any

The mask part tells PF to only inspect the specified flags and the check part specifies which flag(s) must be "on" in the header for a match to occur. Using the any keyword allows any combination of flags to be set in the header.

pass in on fxp0 proto tcp from any to any port ssh flags S/SA
pass in on fxp0 proto tcp from any to any port ssh

As flags S/SA is set by default, the above rules are equivalent. Each of these rules passes TCP traffic with the SYN flag set while only looking at the SYN and ACK flags. A packet with the SYN and ECE flags would match the above rules, while a packet with SYN and ACK or just ACK would not.

So, I understood the example, and why a packet with flags S and E can pass (because the E flag is not considered due to the mask SA) and why a packet with the ACK flag can't pass the firewall.

What I didn't understand is why a packet with flags S and A can't pass the rule S/SA, if the flag S is "on" in the packet header. Maybe the documentation is ambiguous? Sorry if this is a stupid question or I misunderstood the English.

I imagine it can pass if it must have only the flag S. In set arithmetic this is:

flag(s) must be 'on' in header -> flag(s) pertain to the masked subset [pf doc]
only flag(s) must be 'on' in header -> flag(s) equal the masked subset [what I understood from the example given]

Thanks in advance!
What I didn't understand is why a packet with flags S and A can't pass the rule S/SA, if the flag S is "on" in the packet header. Maybe the documentation is ambiguous?

From the flags section in pf.conf(5):

flags (a)/(b) | any

This rule only applies to TCP packets that have the flags (a) set out of set (b).

If (b) := SA and (a) := S -> this rule only applies to TCP packets that have the flags S set out of set SA.

This means A doesn't have to be set. Paraphrasing a bit:

This rule only applies to TCP packets that have only the flags (a) set out of set (b)

Or, as the manual page clarifies later:

flags S/SA

This is the default setting for stateful connections.
Out of SYN and ACK, only SYN may be set.
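To make the check/mask semantics from the answer concrete, here is an added example (written for this page; it is not code from the question, the answer, or the pf source) that models the test pf applies: a packet matches flags check/mask when the flag bits selected by the mask equal exactly the check bits, i.e. (packet_flags & mask) == check. That is why SYN+ECE and SYN+PSH match S/SA while SYN+ACK does not. The pf flag letters (F, S, R, P, A, U, E, W) and their TCP bit values are standard, but the helper names (parse_flagset, flags_match, build_tcp_header, evaluate) and the sample headers are assumptions constructed for the example.

```python
"""Model of pf's `flags check/mask` matching (added example, not pf code)."""
import struct

# pf flag letter -> bit in the TCP flags byte (byte 13 of the header).
# Letters follow pf.conf(5): F=FIN S=SYN R=RST P=PSH A=ACK U=URG E=ECE W=CWR.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80,
}


def parse_flagset(letters):
    """Turn a pf flag string such as 'SA' into a bitmask."""
    bits = 0
    for ch in letters.upper():
        if ch not in FLAG_BITS:
            raise ValueError("unknown pf flag letter: %r" % ch)
        bits |= FLAG_BITS[ch]
    return bits


def flags_match(spec, packet_flags):
    """Return True if a packet with `packet_flags` matches `flags spec`.

    spec is 'any' or 'check/mask'. Only the bits named in mask are
    inspected; of those, exactly the bits named in check must be set.
    """
    if spec == "any":
        return True
    check, mask = spec.split("/")
    check_bits = parse_flagset(check)
    mask_bits = parse_flagset(mask)
    if check_bits & ~mask_bits:
        # A check flag outside the mask could never match; treat it as a
        # rule-writing error (assumption of this model, not a pf message).
        raise ValueError("check flags must be a subset of mask: %s" % spec)
    return (packet_flags & mask_bits) == check_bits


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header with no options (sample data)."""
    # seq=0, ack=0, data offset 5 words, flags, window, checksum=0, urg=0
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                       65535, 0, 0)


def tcp_flags_from_header(hdr):
    """Flags live in byte 13 of the TCP header."""
    return hdr[13]


def evaluate(spec, samples):
    """Run one flags spec over (name, flag-letters) samples -> {name: bool}."""
    result = {}
    for name, letters in samples:
        hdr = build_tcp_header(40000, 22, parse_flagset(letters))
        result[name] = flags_match(spec, tcp_flags_from_header(hdr))
    return result


# Constructed packets covering the cases discussed in the thread.
SAMPLES = [
    ("SYN", "S"), ("SYN+ECE", "SE"), ("SYN+PSH", "SP"),
    ("SYN+ACK", "SA"), ("ACK", "A"), ("ACK+RST", "AR"),
]

if __name__ == "__main__":
    # S/SA (the default) versus S/S, which only looks at the SYN bit.
    for spec in ("S/SA", "S/S", "any"):
        print(spec, evaluate(spec, SAMPLES))
```

Running it shows the point of the answer: under S/SA the SYN+ACK packet is rejected even though SYN is on, because ACK is inside the mask and is not in the check set; under S/S the same packet matches, because ACK is outside the mask and is ignored.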