flags ⟨a⟩ /⟨b⟩ | /⟨b⟩ | any
This rule only applies to TCP packets that have the flags ⟨a⟩ set
out of set ⟨b⟩. Flags not specified in ⟨b⟩ are ignored. For
stateful connections, the default is flags S/SA. To indicate that
flags should not be checked at all, specify flags any. The flags
are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
flags S/S Flag SYN is set. The other flags are ignored.
flags S/SA This is the default setting for stateful connections.
Out of SYN and ACK, exactly SYN may be set. SYN,
SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST
do not. This is more restrictive than the previous
example.
flags /SFRA
If the first set is not specified, it defaults to none.
All of SYN, FIN, RST and ACK must be unset.
Because flags S/SA is applied by default (unless no state is
specified), only the initial SYN packet of a TCP handshake will
create a state for a TCP connection. It is possible to be less
restrictive, and allow state creation from intermediate (non-SYN)
packets, by specifying flags any. This will cause pf(4) to
synchronize to existing connections, for instance if one flushes
the state table. However, states created from such intermediate
packets may be missing connection details such as the TCP window
scaling factor. States which modify the packet flow, such as those
affected by nat, binat or rdr rules, modulate or synproxy state
options, or scrubbed with reassemble tcp will also not be
recoverable from intermediate packets. Such connections will stall
and time out.
