pfctl(8): change default limiter action from no-match to block
pf(4) users who use limiters in current should update their rules
accordingly to reflect the change in default behavior. The existing
rule, which reads as follows:
pass in from any to any state limiter test
needs to be changed to:
pass in from any to any state limiter test (no-match)
OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, c600931321
Sponsored by: Rubicon Communications, LLC ("Netgate")
+1
-1
@@ -2787,7 +2787,7 @@ sourcelim_filter_opt
|
|||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
|
||||||
limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_NOMATCH; }
|
limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; }
|
||||||
| '(' limiter_opt ')' { $$ = $2; }
|
| '(' limiter_opt ')' { $$ = $2; }
|
||||||
;
|
;
|
||||||
|
|
||||||
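Review bot: The empty `limiter_opt_spec` production now yields `PF_LIMITER_DEFAULT`, so an existing rule that names a limiter without an option silently changes from fall-through to drop at the next ruleset load, and nothing in the parser records that this is the fail-closed choice. A comment on the production would make it visible to the next reader: `limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; } /* no option given: fail closed (block), see pf.conf.5 */`. Whether pfctl should additionally warn about option-less limiter rules during the transition is worth deciding explicitly rather than leaving to the man page; the surrounding `sourcelim_filter_opt` grammar lies outside this hunk.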
|
|||||||
@@ -1,2 +1,2 @@
|
|||||||
state limiter "dns-server" id 1 limit 1000 rate 1/10
|
state limiter "dns-server" id 1 limit 1000 rate 1/10
|
||||||
pass in proto tcp to port domain state limiter "dns-server"
|
pass in proto tcp to port domain state limiter "dns-server" (no-match)
|
||||||
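Review bot: Adding `(no-match)` to the only `state limiter` rule in this pfctl test input means no parser fixture on this page still exercises a state-limiter rule with no option, i.e. the new `(block)` default; the expected-output change in the next section pins the default only for `source limiter`. Keeping one additional state-limiter rule without an option, with its expected output showing `(block)`, would catch a regression in the default for both limiter kinds. This assumes there is no other state-limiter fixture elsewhere in the tree that already covers it.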
|
|||||||
@@ -1,2 +1,2 @@
|
|||||||
source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16
|
source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16
|
||||||
pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (no-match)
|
pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (block)
|
||||||
|
|||||||
+11
-11
@@ -27,7 +27,7 @@
|
|||||||
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||||
.\"
|
.\"
|
||||||
.Dd January 12, 2026
|
.Dd January 16, 2026
|
||||||
.Dt PF.CONF 5
|
.Dt PF.CONF 5
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20%
|
|||||||
.It Cm state limiter Ar name Oo Cm (limiter options) Oc
|
.It Cm state limiter Ar name Oo Cm (limiter options) Oc
|
||||||
Use the specified state limiter to restrict the creation of states
|
Use the specified state limiter to restrict the creation of states
|
||||||
by this rule.
|
by this rule.
|
||||||
By default if capacity is not available, the rule is ignored
|
By default if capacity is not available, the packet gets blocked
|
||||||
and ruleset evaluation continues with next rule..
|
and ruleset evaluation stops.
|
||||||
Use
|
Use
|
||||||
.Ic block
|
.Ic no-match
|
||||||
option to change default behavior such packet is blocked
|
option to change default behavior such rule is ignored and ruleset
|
||||||
when limit is reached.
|
evaluation continues with next rule.
|
||||||
See the
|
See the
|
||||||
.Sx State Limiters
|
.Sx State Limiters
|
||||||
section for more information.
|
section for more information.
|
||||||
@@ -2381,12 +2381,12 @@ section for more information.
|
|||||||
.It Cm source limiter Ar name Oo Cm (limiter options) Oc
|
.It Cm source limiter Ar name Oo Cm (limiter options) Oc
|
||||||
Use the specified source limiter to restrict the creation of states
|
Use the specified source limiter to restrict the creation of states
|
||||||
by this rule.
|
by this rule.
|
||||||
By default if capacity is not available, the rule is ignored
|
By default if capacity is not available, the packet gets blocked
|
||||||
and ruleset evaluation continues with next rule..
|
and ruleset evaluation stops.
|
||||||
Use
|
Use
|
||||||
.Ic block
|
.Ic no-match
|
||||||
option to change default behavior such packet is blocked
|
option to change default behavior such rule is ignored and ruleset
|
||||||
when limit is reached.
|
evaluation continues with next rule.
|
||||||
See the
|
See the
|
||||||
.Sx Source Limiters
|
.Sx Source Limiters
|
||||||
section for more information.
|
section for more information.
|
||||||
|
|||||||
@@ -506,6 +506,8 @@ enum {
|
|||||||
PF_LIMITER_BLOCK
|
PF_LIMITER_BLOCK
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK
|
||||||
|
|
||||||
struct pf_rule {
|
struct pf_rule {
|
||||||
struct pf_rule_addr src;
|
struct pf_rule_addr src;
|
||||||
struct pf_rule_addr dst;
|
struct pf_rule_addr dst;
|
||||||
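Review bot: `PF_LIMITER_DEFAULT` is added without a comment, and since pfvar.h is shared between the kernel and pfctl it is not obvious from the header alone that this macro is the parser's fallback for a rule that names a limiter without an option, nor that its value is the default pf.conf.5 documents. Suggest placing `/* Action pfctl assigns when a rule names a limiter but gives no option; pf.conf.5 documents this as the default. Block is the fail-closed choice. */` above the define so the two stay in sync. Defining it as a macro alias rather than an enumerator is fine, but whoever later reorders the `enum` should know this alias exists.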
|
|||||||
@@ -54,7 +54,7 @@ state_basic_body()
|
|||||||
"set timeout icmp.error 120" \
|
"set timeout icmp.error 120" \
|
||||||
"state limiter \"server\" id 1 limit 1" \
|
"state limiter \"server\" id 1 limit 1" \
|
||||||
"block in proto icmp" \
|
"block in proto icmp" \
|
||||||
"pass in proto icmp state limiter \"server\""
|
"pass in proto icmp state limiter \"server\" (no-match)"
|
||||||
|
|
||||||
atf_check -s exit:0 -o ignore \
|
atf_check -s exit:0 -o ignore \
|
||||||
ping -c 2 192.0.2.1
|
ping -c 2 192.0.2.1
|
||||||
@@ -103,7 +103,7 @@ state_rate_body()
|
|||||||
"set timeout icmp.error 120" \
|
"set timeout icmp.error 120" \
|
||||||
"state limiter \"server\" id 1 limit 1000 rate 1/5" \
|
"state limiter \"server\" id 1 limit 1000 rate 1/5" \
|
||||||
"block in proto icmp" \
|
"block in proto icmp" \
|
||||||
"pass in proto icmp state limiter \"server\""
|
"pass in proto icmp state limiter \"server\" (no-match)"
|
||||||
|
|
||||||
atf_check -s exit:0 -o ignore \
|
atf_check -s exit:0 -o ignore \
|
||||||
ping -c 2 192.0.2.1
|
ping -c 2 192.0.2.1
|
||||||
@@ -217,7 +217,7 @@ source_basic_body()
|
|||||||
"set timeout icmp.error 120" \
|
"set timeout icmp.error 120" \
|
||||||
"source limiter \"server\" id 1 entries 128 limit 1" \
|
"source limiter \"server\" id 1 entries 128 limit 1" \
|
||||||
"block in proto icmp" \
|
"block in proto icmp" \
|
||||||
"pass in proto icmp source limiter \"server\""
|
"pass in proto icmp source limiter \"server\" (no-match)"
|
||||||
|
|
||||||
atf_check -s exit:0 -o ignore \
|
atf_check -s exit:0 -o ignore \
|
||||||
ping -S 192.0.2.2 -c 2 192.0.2.1
|
ping -S 192.0.2.2 -c 2 192.0.2.1
|
||||||
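Review bot: All three ATF cases are adjusted to say `(no-match)` so they keep exercising the fall-through path, which leaves the behavior this commit actually introduces, a limiter rule with no option blocking once its limit is reached, without a test on this page. A companion case in each of `state_basic`, `state_rate` and `source_basic` that loads the same `pass in proto icmp ... limiter "server"` rule with no option and asserts that the ping over the limit fails instead of being passed by a later rule would pin the fail-closed default. The `state_basic_body`, `state_rate_body` and `source_basic_body` functions begin and end outside their hunks, so the exact assertion form used elsewhere in this file is not visible here.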
|
|||||||