git: d01949e8a210 - main - pf.conf.5: sync documentation with code on the matter of max state limit behavior

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 10 Oct 2024 12:37:20 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d01949e8a210c4531ed4172e344501b37ded729e

commit d01949e8a210c4531ed4172e344501b37ded729e
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-10-02 06:38:59 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-10-10 12:10:40 +0000

    pf.conf.5: sync documentation with code on the matter of max state limit behavior
    
    When one of the state limits is reached, further packets that would
    create state are dropped, until existing states time out.  Discussed
    with mcbride, ok henning, jmc
    
    Obtained from:  OpenBSD, mikeb <mikeb@openbsd.org>, 677ed08ce1
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46932
---
 share/man/man5/pf.conf.5 | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 9531f18e8858..2edc7b1fb280 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 6, 2024
+.Dd October 2, 2024
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -2432,7 +2432,7 @@ must be specified explicitly to apply options to a rule.
 .It Ar max Aq Ar number
 Limits the number of concurrent states the rule may create.
 When this limit is reached, further packets that would create
-state will not match this rule until existing states time out.
+state are dropped until existing states time out.
 .It Ar no-sync
 Prevent state changes for states created by this rule from appearing on the
 .Xr pfsync 4
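Review bot: the new wording "state are dropped until existing states time out" changes the documented semantics from fall-through to drop, and the sentence should say so explicitly, because a reader of the old text ("will not match this rule") may have written a later rule expecting it to catch traffic once the limit is hit. Suggest stating that the packet is dropped and is not evaluated against any subsequent rule, so the reader does not have to infer it from "dropped", and mentioning that the drop is silent unless the rule logs, so operators who rely on a fallback rule for visibility know to look at counters instead.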
@@ -2514,6 +2514,9 @@ Limit the rate of new connections over a time interval.
 The connection rate is an approximation calculated as a moving average.
 .El
 .Pp
+When one of these limits is reached, further packets that would create
+state are dropped until existing states time out.
+.Pp
 Because the 3-way handshake ensures that the source address is not being
 spoofed, more aggressive action can be taken based on these limits.
 With the
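Review bot: "When one of these limits is reached ... until existing states time out" is not quite right for the last item of the list it follows, max-src-conn-rate, which the visible context describes as a moving-average rate over a time interval rather than a count of states; for that limit, new connections are accepted again when the rate falls below the threshold, not when states expire. Suggest either qualifying the new paragraph ("for the state-count limits ... ; for max-src-conn-rate, until the rate drops below the limit") or moving the sentence up so it clearly applies only to the count-based limits. Also, the paragraph now overlaps with the identical sentence added under "max"; a cross-reference to the earlier description would avoid the two drifting apart in future edits.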