pf: configurable action on limiter exceeded
This change extends pf(4) limiters so an administrator can specify the action the rule executes when the limit is reached. By default, when the limit is reached, the limiter overrides the action specified by the rule to no-match. If the administrator wants to block the packet instead, then the rule with the limiter should be changed to:

    pass in from any to any state limiter test (block)

OK dlg@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 04394254d9
Sponsored by: Rubicon Communications, LLC ("Netgate")
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 30, 2025
.Dd January 12, 2026
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2365,20 +2365,28 @@ For example, the following rule will drop 20% of incoming ICMP packets:
.Bd -literal -offset indent
block in proto icmp probability 20%
.Ed
.It Cm state limiter Ar name
.It Cm state limiter Ar name Oo Cm (limiter options) Oc
Use the specified state limiter to restrict the creation of states
by this rule.
If capacity is not available, the rule does not match and evaluation
of the ruleset continues.
By default if capacity is not available, the rule is ignored
and ruleset evaluation continues with next rule..
Use
.Ic block
option to change default behavior such packet is blocked
when limit is reached.
See the
.Sx State Limiters
section for more information.
.Pp
.It Cm source limiter Ar name
.It Cm source limiter Ar name Oo Cm (limiter options) Oc
Use the specified source limiter to restrict the creation of states
by this rule.
If capacity is not available, the rule does not match and evaluation
of the ruleset continues.
By default if capacity is not available, the rule is ignored
and ruleset evaluation continues with next rule..
Use
.Ic block
option to change default behavior such packet is blocked
when limit is reached.
See the
.Sx Source Limiters
section for more information.
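Review bot: the replacement sentence in both the state limiter and source limiter entries ends with a doubled period ("continues with next rule..") and drops the article; suggest "By default, if capacity is not available, the rule does not match and ruleset evaluation continues with the next rule.", which also keeps the precise "does not match" wording of the text being removed. The following sentence, "Use .Ic block option to change default behavior such packet is blocked when limit is reached.", is ungrammatical; suggest "Use the .Cm block option to block the packet instead when the limit is reached." Since the .It line two lines above marks the option with Cm (Oo Cm (limiter options) Oc), .Ic block should probably be .Cm block for consistency. The grammar hunk later in this patch lists no-match as a second limiter option, but neither entry here documents it; add a sentence stating that no-match is the default, and say whether a block produced by a limiter ends ruleset evaluation or can still be overridden by a later matching rule, since the current text leaves that open.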
@@ -3614,7 +3622,10 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
"max-pkt-size" number |
"queue" ( string | "(" string [ [ "," ] string ] ")" ) |
"rtable" number | "probability" number"%" | "prio" number |
"state limiter" name | "source limiter" name |
"state limiter" name |
"state limiter" name "(" limiter-opts ")" |
"source limiter" name |
"source limiter" name "(" limiter-opts ")" | "prio" number |
"dnpipe" ( number | "(" number "," number ")" ) |
"dnqueue" ( number | "(" number "," number ")" ) |
"ridentifier" number |
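Review bot: the new line `"source limiter" name "(" limiter-opts ")" | "prio" number |` re-adds `"prio" number`, which is already listed two lines earlier on `"rtable" number | "probability" number"%" | "prio" number |`, so the filteropt grammar now names the prio option twice; drop the trailing `| "prio" number` from the new line. Also, this grammar block expresses optional parts with square brackets (compare the queue entry `"queue" ( string | "(" string [ [ "," ] string ] ")" )`), so the two alternatives per limiter could be collapsed to `"state limiter" name [ "(" limiter-opts ")" ] |` and `"source limiter" name [ "(" limiter-opts ")" ] |`, which is shorter and matches the existing style.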
@@ -3794,6 +3805,7 @@ realtime-sc = "realtime" sc-spec
upperlimit-sc = "upperlimit" sc-spec
sc-spec = ( bandwidth-spec |
"(" bandwidth-spec number bandwidth-spec ")" )
limiter-opts = "block" | "no-match"
include = "include" filename
.Ed
.Sh FILES
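Review bot: `limiter-opts = "block" | "no-match"` accepts exactly one keyword, but the plural nonterminal name (and the parenthesised form `"(" limiter-opts ")"` used in the filteropt hunk) reads as if a list of options were allowed; if only one keyword is accepted, consider naming it `limiter-opt`, and if several are meant to be accepted, spell out the separator the way the other parenthesised lists in this grammar do. The no-match alternative introduced here is not described in the state limiter or source limiter prose earlier in this patch, so at present the option is documented in the grammar only.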