Ok, here is patch #3.  This is the final patch short of bug fixes:

	fetch http://apollo.backplane.com/DFlyMisc/pickups03.patch

    * Added set keep-policy to set the default stateful inspection policy.
    * Removed NetBSD's window scale patch.

    After playing with keep state for the last few days I understand now
    why OpenBSD made it the default.  I wound up having to put it on every
    single pass rule I had on my router.  However, I continue believe quite
    strongly that keep state w/ flags S/SA is an inappropriate default due
    to the adverse effect it has on pre-existing TCP connections, so I
    wanted to come up with a solution that would be acceptable to projects
    that might have a different opinion.

    I came up with set keep-policy in your pf.conf.  For example:

	set keep-policy keep state (pickups)

    This will cause all pass rules to use the specified policy by default,
    so it does not have to be specified for each rule.

    The policy can be overriden in each rule.  I implemented the OpenBSD
    'no keep' feature as well so it can also be turned off.  I did not
    see a similar feature to my 'set keep-policy' in OpenBSD.

    I think this is the best solution.  This way the fact that stateful
    inspection is being used is explicitly specified in the pf.conf,
    which should satisfy everyone, plus additional features such
    as 'pickups' can be specified cleanly.

    Unless something comes up I am going to commit this to DragonFly
    on Friday and call it done.  I would be pleased if other projects
    picked up some or all of the work.  Max, if you make fixes or further
    enhancements to this for any porting you do to FreeBSD could you give
    me a heads up?  I'd like to keep them in sync at least for a little
    while.

						-Matt