author: Kristof Provost <kp@FreeBSD.org> 2026-01-12 20:37:08 +0100
committer: Kristof Provost <kp@FreeBSD.org> 2026-01-14 07:44:43 +0100
commit: 8716d8c7d97eec231820ecd1dc50c67beb95d58c
tree: 2568106cfd450333b70c8803e86ce559837fb695 /share
parent: 1ee4405a00d7bcfa5545bba7a78b71cdd4cfdc20
pf: configurable action on limiter exceeded

This change extends pf(4) limiters so an administrator can specify the action the rule executes when the limit is reached. By default, when the limit is reached, the limiter overrides the action specified by the rule to no-match. If the administrator wants to block the packet instead, the rule with the limiter should be changed to:

    pass in from any to any state limiter test (block)

OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 04394254d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
Diffstat (limited to 'share')
 share/man/man5/pf.conf.5 | 28 ++++++++++++++++++--------
1 files changed, 20 insertions, 8 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 6a778eed2214..aa3899e48596 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 30, 2025
+.Dd January 12, 2026
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2365,20 +2365,28 @@ For example, the following rule will drop 20% of incoming ICMP packets:
.Bd -literal -offset indent
block in proto icmp probability 20%
.Ed
-.It Cm state limiter Ar name
+.It Cm state limiter Ar name Oo Cm (limiter options) Oc
Use the specified state limiter to restrict the creation of states
by this rule.
-If capacity is not available, the rule does not match and evaluation
-of the ruleset continues.
+By default if capacity is not available, the rule is ignored
+and ruleset evaluation continues with next rule..
+Use
+.Ic block
+option to change default behavior such packet is blocked
+when limit is reached.
See the
.Sx State Limiters
section for more information.
.Pp
-.It Cm source limiter Ar name
+.It Cm source limiter Ar name Oo Cm (limiter options) Oc
Use the specified source limiter to restrict the creation of states
by this rule.
-If capacity is not available, the rule does not match and evaluation
-of the ruleset continues.
+By default if capacity is not available, the rule is ignored
+and ruleset evaluation continues with next rule..
+Use
+.Ic block
+option to change default behavior such packet is blocked
+when limit is reached.
See the
.Sx Source Limiters
section for more information.
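Review bot: the new sentence "and ruleset evaluation continues with next rule.." ends with a doubled period and the following sentence "option to change default behavior such packet is blocked" is missing words; this occurs in both the state limiter and the source limiter entries. Suggest "By default, if capacity is not available, the rule is ignored and ruleset evaluation continues with the next rule." followed by "Use the block option to change the default behaviour so that the packet is blocked when the limit is reached." Also, the synopsis now advertises "(limiter options)" in the plural, but the prose only documents block; since the grammar added later in this patch also lists no-match, it would help to mention it here as the explicit spelling of the default.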
@@ -3614,7 +3622,10 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
"max-pkt-size" number |
"queue" ( string | "(" string [ [ "," ] string ] ")" ) |
"rtable" number | "probability" number"%" | "prio" number |
- "state limiter" name | "source limiter" name |
+ "state limiter" name |
+ "state limiter" name "(" limiter-opts ")" |
+ "source limiter" name |
+ "source limiter" name "(" limiter-opts ")" | "prio" number |
"dnpipe" ( number | "(" number "," number ")" ) |
"dnqueue" ( number | "(" number "," number ")" ) |
"ridentifier" number |
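Review bot: the added line `"source limiter" name "(" limiter-opts ")" | "prio" number |` re-lists `"prio" number`, which already appears in this same production two lines above (`"rtable" number | "probability" number"%" | "prio" number |`); the duplicate alternative looks like a copy/paste slip and the line should end at `"source limiter" name "(" limiter-opts ")" |`.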
@@ -3794,6 +3805,7 @@ realtime-sc = "realtime" sc-spec
upperlimit-sc = "upperlimit" sc-spec
sc-spec = ( bandwidth-spec |
"(" bandwidth-spec number bandwidth-spec ")" )
+limiter-opts = "block" | "no-match"
include = "include" filename
.Ed
.Sh FILES
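Review bot: `limiter-opts = "block" | "no-match"` admits exactly one option, whereas the synopsis in the state limiter and source limiter entries calls the parenthesised part "(limiter options)"; either the grammar should allow a list (the way other pf.conf productions do) or the synopsis should use the singular. It would also be worth stating next to this production, or in the prose entries, that no-match is the default (the commit message says the limiter overrides the rule's action to no-match), so that an administrator reading only the grammar knows which of the two applies when the option is omitted.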