diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 72589f309f5..57a5140ffeb 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -2787,7 +2787,7 @@ sourcelim_filter_opt
 }
 ;
 
-limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_NOMATCH; }
+limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; }
 | '(' limiter_opt ')' { $$ = $2; }
 ;
 
diff --git a/sbin/pfctl/tests/files/pf1076.in b/sbin/pfctl/tests/files/pf1076.in
index af815fd4c5e..117fb90a11d 100644
--- a/sbin/pfctl/tests/files/pf1076.in
+++ b/sbin/pfctl/tests/files/pf1076.in
@@ -1,2 +1,2 @@
 state limiter "dns-server" id 1 limit 1000 rate 1/10
-pass in proto tcp to port domain state limiter "dns-server"
+pass in proto tcp to port domain state limiter "dns-server" (no-match)
diff --git a/sbin/pfctl/tests/files/pf1077.ok b/sbin/pfctl/tests/files/pf1077.ok
index 834399c40d8..4a7cb3606ae 100644
--- a/sbin/pfctl/tests/files/pf1077.ok
+++ b/sbin/pfctl/tests/files/pf1077.ok
@@ -1,2 +1,2 @@
 source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16
-pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (no-match)
+pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (block)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index aa3899e4859..707053233e5 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 12, 2026
+.Dd January 16, 2026
 .Dt PF.CONF 5
 .Os
 .Sh NAME
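Review bot: The empty alternative of `limiter_opt_spec` now yields `PF_LIMITER_DEFAULT`, which the pf.h hunk in this same diff maps to `PF_LIMITER_BLOCK`, so a rule that names a limiter without options switches from falling through to the next rule to blocking the packet once capacity is exhausted. Nothing in the hunk tells an operator reloading an unchanged ruleset that its semantics moved (the limiters.sh hunks add `(no-match)` precisely to keep their old expectations), so the dependency deserves a comment on the empty alternative: `/* no option given: use the kernel default, PF_LIMITER_DEFAULT from pf.h (currently block) */`. The grammar rules around this alternative begin and end outside the hunk.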
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20%
 .It Cm state limiter Ar name Oo Cm (limiter options) Oc
 Use the specified state limiter to restrict the creation of states by this rule.
-By default if capacity is not available, the rule is ignored
-and ruleset evaluation continues with next rule..
+By default if capacity is not available, the packet gets blocked
+and ruleset evaluation stops.
 Use
-.Ic block
-option to change default behavior such packet is blocked
-when limit is reached.
+.Ic no-match
+option to change default behavior such rule is ignored and ruleset
+evaluation continues with next rule.
 See the
 .Sx State Limiters
 section for more information.
@@ -2381,12 +2381,12 @@ section for more information.
 .It Cm source limiter Ar name Oo Cm (limiter options) Oc
 Use the specified source limiter to restrict the creation of states by this rule.
-By default if capacity is not available, the rule is ignored
-and ruleset evaluation continues with next rule..
+By default if capacity is not available, the packet gets blocked
+and ruleset evaluation stops.
 Use
-.Ic block
-option to change default behavior such packet is blocked
-when limit is reached.
+.Ic no-match
+option to change default behavior such rule is ignored and ruleset
+evaluation continues with next rule.
 See the
 .Sx Source Limiters
 section for more information.
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 4c950c7eab9..09bcd424db3 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -506,6 +506,8 @@ enum {
 PF_LIMITER_BLOCK
 };
 
+#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK
+
 struct pf_rule {
 struct pf_rule_addr src;
 struct pf_rule_addr dst;
diff --git a/tests/sys/netpfil/pf/limiters.sh b/tests/sys/netpfil/pf/limiters.sh
index 4775039a4a9..8d9a199db78 100644
--- a/tests/sys/netpfil/pf/limiters.sh
+++ b/tests/sys/netpfil/pf/limiters.sh
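Review bot: `PF_LIMITER_DEFAULT` is added as a bare `#define` aliasing an enumerator, placed after the closing brace of an enum whose opening lies outside this hunk; an enumerator inside that enum, `PF_LIMITER_DEFAULT = PF_LIMITER_BLOCK,`, would keep it in the same type as the values it stands for and visible to debuggers, whereas the macro is invisible there and can be redefined elsewhere. Whichever form is kept, it should carry a one-line comment stating the intent, e.g. `/* limiter behaviour when a rule gives no option: fail closed (block) */`, since this is the value parse.y now stores for an option-less rule. Any code that compared against `PF_LIMITER_NOMATCH` to mean "no option given" would now misread such rules; the diff shows none, but it is worth confirming.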
@@ -54,7 +54,7 @@ state_basic_body()
 "set timeout icmp.error 120" \
 "state limiter \"server\" id 1 limit 1" \
 "block in proto icmp" \
-"pass in proto icmp state limiter \"server\""
+"pass in proto icmp state limiter \"server\" (no-match)"
 
 atf_check -s exit:0 -o ignore \
 ping -c 2 192.0.2.1
@@ -103,7 +103,7 @@ state_rate_body()
 "set timeout icmp.error 120" \
 "state limiter \"server\" id 1 limit 1000 rate 1/5" \
 "block in proto icmp" \
-"pass in proto icmp state limiter \"server\""
+"pass in proto icmp state limiter \"server\" (no-match)"
 
 atf_check -s exit:0 -o ignore \
 ping -c 2 192.0.2.1
@@ -217,7 +217,7 @@ source_basic_body()
 "set timeout icmp.error 120" \
 "source limiter \"server\" id 1 entries 128 limit 1" \
 "block in proto icmp" \
-"pass in proto icmp source limiter \"server\""
+"pass in proto icmp source limiter \"server\" (no-match)"
 
 atf_check -s exit:0 -o ignore \
 ping -S 192.0.2.2 -c 2 192.0.2.1
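Review bot: All three hunks (`state_basic_body`, `state_rate_body`, `source_basic_body`) pin the previous behaviour by adding `(no-match)` to the pass rule, so as far as this diff shows no test exercises the new default in which a limiter rule without options blocks once capacity is exhausted. A companion case per body that keeps the option-less rule, `"pass in proto icmp state limiter \"server\""`, and asserts the fail-closed outcome with `atf_check -s not-exit:0` would guard the default the parse.y and pf.h hunks introduce; the exact expectation depends on how the echo requests share a state, which these hunks do not show, and another body in the file may already cover it. Each test body begins before its hunk.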