pfctl(8): change default limiter action from no-match to block
pf(4) users who use limiters in current should update the rules
accordingly to reflect the change in default behavior. The existing
rule which reads as follows:
pass in from any to any state limiter test
needs to be changed to:
pass in from any to any state limiter test (no-match)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, c600931321
Sponsored by: Rubicon Communications, LLC ("Netgate")
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 12, 2026
.Dd January 16, 2026
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20%
.It Cm state limiter Ar name Oo Cm (limiter options) Oc
Use the specified state limiter to restrict the creation of states
by this rule.
By default if capacity is not available, the rule is ignored
and ruleset evaluation continues with next rule..
By default if capacity is not available, the packet gets blocked
and ruleset evaluation stops.
Use
.Ic block
option to change default behavior such packet is blocked
when limit is reached.
.Ic no-match
option to change default behavior such rule is ignored and ruleset
evaluation continues with next rule.
See the
.Sx State Limiters
section for more information.
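Review bot: the added line "option to change default behavior such rule is ignored and ruleset" (continuing "evaluation continues with next rule.") is missing "that" and its articles; suggest "option to change the default behavior so that the rule is ignored and ruleset evaluation continues with the next rule." The lines being removed were the only place this entry documented the block keyword for the state limiter; if block is still accepted as an explicit limiter option now that it is the default, say so here or in the State Limiters section so rules already written with it stay documented. Dropping the removed text also fixes its doubled period in "next rule..".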
@@ -2381,12 +2381,12 @@ section for more information.
.It Cm source limiter Ar name Oo Cm (limiter options) Oc
Use the specified source limiter to restrict the creation of states
by this rule.
By default if capacity is not available, the rule is ignored
and ruleset evaluation continues with next rule..
By default if capacity is not available, the packet gets blocked
and ruleset evaluation stops.
Use
.Ic block
option to change default behavior such packet is blocked
when limit is reached.
.Ic no-match
option to change default behavior such rule is ignored and ruleset
evaluation continues with next rule.
See the
.Sx Source Limiters
section for more information.
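Review bot: this source limiter paragraph repeats the state limiter wording apart from the limiter type, so it needs the same grammar fix ("so that the rule is ignored and ruleset evaluation continues with the next rule") and the same clarification of whether block remains an explicit option; keeping the two entries word-for-word in sync makes that easier to maintain. Since both hunks now describe a fail-closed default ("the packet gets blocked and ruleset evaluation stops"), consider one plain sentence stating that a rule without (no-match) now blocks the packet when the limiter has no capacity, which is exactly the behavior change the commit message tells existing users to adjust for.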