pfctl(8): change default limiter action from no-match to block
pf(4) users who use limiters in current should update their rules
to reflect the change in default behavior. An existing rule, which
reads as follows:
pass in from any to any state limiter test
needs to be changed to:
pass in from any to any state limiter test (no-match)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, c600931321
Sponsored by: Rubicon Communications, LLC ("Netgate")
+1
-1
@@ -2787,7 +2787,7 @@ sourcelim_filter_opt
|
||||
}
|
||||
;
|
||||
|
||||
limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_NOMATCH; }
|
||||
limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; }
|
||||
| '(' limiter_opt ')' { $$ = $2; }
|
||||
;
|
||||
|
||||
|
||||
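Review bot: The empty alternative of limiter_opt_spec now yields PF_LIMITER_DEFAULT with no comment recording that this is the fail-closed value or that a ruleset written against the previous implicit no-match changes meaning the next time it is loaded. The macro is defined in the pfvar.h hunk of this same commit as PF_LIMITER_BLOCK, but a reader of parse.y alone cannot see that. Suggest keeping it visible at the point of use: `/* no option given: PF_LIMITER_DEFAULT (block, see pfvar.h); older rulesets must state (no-match) explicitly */`. The surrounding grammar production continues outside the hunk.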
@@ -1,2 +1,2 @@
|
||||
state limiter "dns-server" id 1 limit 1000 rate 1/10
|
||||
pass in proto tcp to port domain state limiter "dns-server"
|
||||
pass in proto tcp to port domain state limiter "dns-server" (no-match)
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16
|
||||
pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (no-match)
|
||||
pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (block)
|
||||
|
||||
+11
-11
@@ -27,7 +27,7 @@
|
||||
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd January 12, 2026
|
||||
.Dd January 16, 2026
|
||||
.Dt PF.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20%
|
||||
.It Cm state limiter Ar name Oo Cm (limiter options) Oc
|
||||
Use the specified state limiter to restrict the creation of states
|
||||
by this rule.
|
||||
By default if capacity is not available, the rule is ignored
|
||||
and ruleset evaluation continues with next rule..
|
||||
By default if capacity is not available, the packet gets blocked
|
||||
and ruleset evaluation stops.
|
||||
Use
|
||||
.Ic block
|
||||
option to change default behavior such packet is blocked
|
||||
when limit is reached.
|
||||
.Ic no-match
|
||||
option to change default behavior such rule is ignored and ruleset
|
||||
evaluation continues with next rule.
|
||||
See the
|
||||
.Sx State Limiters
|
||||
section for more information.
|
||||
@@ -2381,12 +2381,12 @@ section for more information.
|
||||
.It Cm source limiter Ar name Oo Cm (limiter options) Oc
|
||||
Use the specified source limiter to restrict the creation of states
|
||||
by this rule.
|
||||
By default if capacity is not available, the rule is ignored
|
||||
and ruleset evaluation continues with next rule..
|
||||
By default if capacity is not available, the packet gets blocked
|
||||
and ruleset evaluation stops.
|
||||
Use
|
||||
.Ic block
|
||||
option to change default behavior such packet is blocked
|
||||
when limit is reached.
|
||||
.Ic no-match
|
||||
option to change default behavior such rule is ignored and ruleset
|
||||
evaluation continues with next rule.
|
||||
See the
|
||||
.Sx Source Limiters
|
||||
section for more information.
|
||||
|
||||
@@ -506,6 +506,8 @@ enum {
|
||||
PF_LIMITER_BLOCK
|
||||
};
|
||||
|
||||
#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK
|
||||
|
||||
struct pf_rule {
|
||||
struct pf_rule_addr src;
|
||||
struct pf_rule_addr dst;
|
||||
|
||||
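Review bot: The new `#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK` has no comment saying what it is the default for or why block was chosen over no-match, even though the enum it aliases sits directly above it. A reader of pfvar.h cannot tell that this is the parser's fallback for a limiter named without an explicit option and that it is deliberately fail-closed; suggest `/* Action applied when a rule names a limiter without an explicit option; fail closed. */` above the define. Since it only aliases an enumerator, it could alternatively be an enumerator itself (`PF_LIMITER_DEFAULT = PF_LIMITER_BLOCK`) inside the enum, which keeps it visible to the debugger and to switch handling — a style preference rather than a defect. The enum's opening line is outside the hunk.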
@@ -54,7 +54,7 @@ state_basic_body()
|
||||
"set timeout icmp.error 120" \
|
||||
"state limiter \"server\" id 1 limit 1" \
|
||||
"block in proto icmp" \
|
||||
"pass in proto icmp state limiter \"server\""
|
||||
"pass in proto icmp state limiter \"server\" (no-match)"
|
||||
|
||||
atf_check -s exit:0 -o ignore \
|
||||
ping -c 2 192.0.2.1
|
||||
@@ -103,7 +103,7 @@ state_rate_body()
|
||||
"set timeout icmp.error 120" \
|
||||
"state limiter \"server\" id 1 limit 1000 rate 1/5" \
|
||||
"block in proto icmp" \
|
||||
"pass in proto icmp state limiter \"server\""
|
||||
"pass in proto icmp state limiter \"server\" (no-match)"
|
||||
|
||||
atf_check -s exit:0 -o ignore \
|
||||
ping -c 2 192.0.2.1
|
||||
@@ -217,7 +217,7 @@ source_basic_body()
|
||||
"set timeout icmp.error 120" \
|
||||
"source limiter \"server\" id 1 entries 128 limit 1" \
|
||||
"block in proto icmp" \
|
||||
"pass in proto icmp source limiter \"server\""
|
||||
"pass in proto icmp source limiter \"server\" (no-match)"
|
||||
|
||||
atf_check -s exit:0 -o ignore \
|
||||
ping -S 192.0.2.2 -c 2 192.0.2.1
|
||||
|
||||
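Review bot: All three hunks (state_basic_body, state_rate_body, source_basic_body) only add `(no-match)` so that the existing tests keep their previous behaviour, which means the new default — a rule naming a limiter with no option now blocks once capacity is exhausted — is not exercised anywhere in this file. Consider a companion case that leaves the rule as `"pass in proto icmp state limiter \"server\""` and asserts that traffic beyond the limit is dropped rather than falling through to the next rule; without it, a regression back to the no-match default would pass this suite unnoticed. The bodies of all three test functions start and end outside the hunks.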