aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKristof Provost <kp@FreeBSD.org>2024-10-02 06:38:59 +0000
committerKristof Provost <kp@FreeBSD.org>2024-10-10 12:10:40 +0000
commitd01949e8a210c4531ed4172e344501b37ded729e (patch)
treebb288c62abdd061d80e81874514e31a92eea66f4
parent5de77e952a2f497722bb204dcd8b5e669adc1dd7 (diff)
downloadsrc-d01949e8a210.tar.gz
src-d01949e8a210.zip
pf.conf.5: sync documentation with code on the matter of max state limit behavior
When one of the state limits is reached, further packets that would create state are dropped, until existing states time out. Discussed with mcbride, ok henning, jmc Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 677ed08ce1 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46932
-rw-r--r--share/man/man5/pf.conf.57
1 files changed, 5 insertions, 2 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 9531f18e8858..2edc7b1fb280 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd September 6, 2024
+.Dd October 2, 2024
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2432,7 +2432,7 @@ must be specified explicitly to apply options to a rule.
.It Ar max Aq Ar number
Limits the number of concurrent states the rule may create.
When this limit is reached, further packets that would create
-state will not match this rule until existing states time out.
+state are dropped until existing states time out.
.It Ar no-sync
Prevent state changes for states created by this rule from appearing on the
.Xr pfsync 4
@@ -2514,6 +2514,9 @@ Limit the rate of new connections over a time interval.
The connection rate is an approximation calculated as a moving average.
.El
.Pp
+When one of these limits is reached, further packets that would create
+state are dropped until existing states time out.
+.Pp
Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits.
With the