pfctl(8): change default limiter action from no-match to block

pf(4) users who use limiters in current should update their rules
accordingly to reflect the change in default behavior. The existing
rule, which reads as follows:

    pass in from any to any state limiter test

needs to be changed to:

    pass in from any to any state limiter test (no-match)

OK dlg@

Obtained from:	OpenBSD, sashan <sashan@openbsd.org>, c600931321
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Kristof Provost
2026-01-16 18:30:55 +01:00
parent 68a449f09e
commit 2e0e45a516
6 changed files with 19 additions and 17 deletions
+1 -1
@@ -2787,7 +2787,7 @@ sourcelim_filter_opt
}
;
limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_NOMATCH; }
limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; }
| '(' limiter_opt ')' { $$ = $2; }
;
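Review bot: The empty alternative of `limiter_opt_spec` now yields PF_LIMITER_DEFAULT, so a ruleset that names a limiter without an option silently flips from fall-through to block on the next reload, and nothing in the grammar tells the reader which value the default resolves to. A comment on the empty production would make the fail-closed choice visible where it is applied: `limiter_opt_spec: /* empty: no option given; PF_LIMITER_DEFAULT (block) applies */ { $$ = PF_LIMITER_DEFAULT; }`. For the transition it may also be worth having pfctl print a one-line notice when the option is omitted, but that would live outside this hunk.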
+1 -1
@@ -1,2 +1,2 @@
state limiter "dns-server" id 1 limit 1000 rate 1/10
pass in proto tcp to port domain state limiter "dns-server"
pass in proto tcp to port domain state limiter "dns-server" (no-match)
+1 -1
@@ -1,2 +1,2 @@
source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16
pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (no-match)
pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (block)
+11 -11
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 12, 2026
.Dd January 16, 2026
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20%
.It Cm state limiter Ar name Oo Cm (limiter options) Oc
Use the specified state limiter to restrict the creation of states
by this rule.
By default if capacity is not available, the rule is ignored
and ruleset evaluation continues with next rule..
By default if capacity is not available, the packet gets blocked
and ruleset evaluation stops.
Use
.Ic block
option to change default behavior such packet is blocked
when limit is reached.
.Ic no-match
option to change default behavior such rule is ignored and ruleset
evaluation continues with next rule.
See the
.Sx State Limiters
section for more information.
@@ -2381,12 +2381,12 @@ section for more information.
.It Cm source limiter Ar name Oo Cm (limiter options) Oc
Use the specified source limiter to restrict the creation of states
by this rule.
By default if capacity is not available, the rule is ignored
and ruleset evaluation continues with next rule..
By default if capacity is not available, the packet gets blocked
and ruleset evaluation stops.
Use
.Ic block
option to change default behavior such packet is blocked
when limit is reached.
.Ic no-match
option to change default behavior such rule is ignored and ruleset
evaluation continues with next rule.
See the
.Sx Source Limiters
section for more information.
+2
@@ -506,6 +506,8 @@ enum {
PF_LIMITER_BLOCK
};
#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK
struct pf_rule {
struct pf_rule_addr src;
struct pf_rule_addr dst;
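Review bot: `#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK` is added with no comment recording why block is the default, although the choice is security-relevant: an exhausted limiter now fails closed instead of letting the packet fall through to later rules, which may be more permissive. A one-line comment above the define would preserve that rationale for the next person tempted to flip it back: `/* Exhausted limiter fails closed: block rather than fall through to later rules. */`. Keeping it as a macro alias of the enumerator rather than a new enumerator is fine, since the parser only needs the value.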
+3 -3
@@ -54,7 +54,7 @@ state_basic_body()
"set timeout icmp.error 120" \
"state limiter \"server\" id 1 limit 1" \
"block in proto icmp" \
"pass in proto icmp state limiter \"server\""
"pass in proto icmp state limiter \"server\" (no-match)"
atf_check -s exit:0 -o ignore \
ping -c 2 192.0.2.1
@@ -103,7 +103,7 @@ state_rate_body()
"set timeout icmp.error 120" \
"state limiter \"server\" id 1 limit 1000 rate 1/5" \
"block in proto icmp" \
"pass in proto icmp state limiter \"server\""
"pass in proto icmp state limiter \"server\" (no-match)"
atf_check -s exit:0 -o ignore \
ping -c 2 192.0.2.1
@@ -217,7 +217,7 @@ source_basic_body()
"set timeout icmp.error 120" \
"source limiter \"server\" id 1 entries 128 limit 1" \
"block in proto icmp" \
"pass in proto icmp source limiter \"server\""
"pass in proto icmp source limiter \"server\" (no-match)"
atf_check -s exit:0 -o ignore \
ping -S 192.0.2.2 -c 2 192.0.2.1
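Review bot: All three updated rules add `(no-match)` to keep the old fall-through behaviour, so after this commit none of state_basic_body, state_rate_body or source_basic_body exercises the new default; the block path is only pinned by the pfctl print output, not by packet behaviour in the kernel. A companion case that omits the option and expects a second flow to be dropped once `limit 1` is exhausted (presumably a `ping` from a different source or with a different identifier, so it does not match the first state) would catch a regression in the fail-closed default. The bodies of all three functions start and end outside the hunks.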