The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=2e0e45a516b93cc72771a5de8b87cd0a07a55f07

commit 2e0e45a516b93cc72771a5de8b87cd0a07a55f07
Author:     Kristof Provost <[email protected]>
AuthorDate: 2026-01-16 17:30:55 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2026-01-19 22:04:55 +0000

    pfctl(8): change default limiter action from no-match to block
    
    pf(4) users who use limiters in current should update the rules
    accordingly to reflect the change in default behavior. The existing
    rule which reads as follows:
    
        pass in from any to any state limiter test
    
    needs to be changed to:
    
        pass in from any to any state limiter test (no-match)
    
    OK dlg@
    
    Obtained from:  OpenBSD, sashan <[email protected]>, c600931321
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y               |  2 +-
 sbin/pfctl/tests/files/pf1076.in |  2 +-
 sbin/pfctl/tests/files/pf1077.ok |  2 +-
 share/man/man5/pf.conf.5         | 22 +++++++++++-----------
 sys/netpfil/pf/pf.h              |  2 ++
 tests/sys/netpfil/pf/limiters.sh |  6 +++---
 6 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 72589f309f54..57a5140ffeb7 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -2787,7 +2787,7 @@ sourcelim_filter_opt
                }
                ;
 
-limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_NOMATCH; }
+limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; }
                | '(' limiter_opt ')' { $$ = $2; }
                ;
 
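Review bot: The empty alternative of `limiter_opt_spec` now silently selects the fail-closed action for every existing rule written without a limiter option, and nothing at the grammar rule says so; a one-line comment would save the next reader a trip to pf.h: `/* no option given: PF_LIMITER_DEFAULT is block (see pf.h); add (no-match) to keep the old fall-through */`. Blocking when a limiter is exhausted is the safer default, since according to the man page change the packet is dropped and evaluation stops instead of continuing to a later, possibly broader pass rule, but it also means rulesets that relied on that fall-through must be edited as the commit message describes. The grammar rule itself is complete within the hunk.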
diff --git a/sbin/pfctl/tests/files/pf1076.in b/sbin/pfctl/tests/files/pf1076.in
index af815fd4c5ef..117fb90a11d2 100644
--- a/sbin/pfctl/tests/files/pf1076.in
+++ b/sbin/pfctl/tests/files/pf1076.in
@@ -1,2 +1,2 @@
 state limiter "dns-server" id 1 limit 1000 rate 1/10
-pass in proto tcp to port domain state limiter "dns-server"
+pass in proto tcp to port domain state limiter "dns-server" (no-match)
diff --git a/sbin/pfctl/tests/files/pf1077.ok b/sbin/pfctl/tests/files/pf1077.ok
index 834399c40d8a..4a7cb3606aef 100644
--- a/sbin/pfctl/tests/files/pf1077.ok
+++ b/sbin/pfctl/tests/files/pf1077.ok
@@ -1,2 +1,2 @@
 source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16
-pass in proto tcp from any to any port = domain flags S/SA keep state source 
limiter id 1 (no-match)
+pass in proto tcp from any to any port = domain flags S/SA keep state source 
limiter id 1 (block)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index aa3899e48596..707053233e5a 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 12, 2026
+.Dd January 16, 2026
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20%
 .It Cm state limiter Ar name Oo Cm (limiter options) Oc
 Use the specified state limiter to restrict the creation of states
 by this rule.
-By default if capacity is not available, the rule is ignored
-and ruleset evaluation continues with next rule..
+By default if capacity is not available, the packet gets blocked
+and ruleset evaluation stops.
 Use
-.Ic block
-option to change default behavior such packet is blocked
-when limit is reached.
+.Ic no-match
+option to change default behavior such rule is ignored and ruleset
+evaluation continues with next rule.
 See the
 .Sx State Limiters
 section for more information.
@@ -2381,12 +2381,12 @@ section for more information.
 .It Cm source limiter Ar name Oo Cm (limiter options) Oc
 Use the specified source limiter to restrict the creation of states
 by this rule.
-By default if capacity is not available, the rule is ignored
-and ruleset evaluation continues with next rule..
+By default if capacity is not available, the packet gets blocked
+and ruleset evaluation stops.
 Use
-.Ic block
-option to change default behavior such packet is blocked
-when limit is reached.
+.Ic no-match
+option to change default behavior such rule is ignored and ruleset
+evaluation continues with next rule.
 See the
 .Sx Source Limiters
 section for more information.
diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h
index 4c950c7eab9c..09bcd424db3e 100644
--- a/sys/netpfil/pf/pf.h
+++ b/sys/netpfil/pf/pf.h
@@ -506,6 +506,8 @@ enum {
        PF_LIMITER_BLOCK
 };
 
+#define        PF_LIMITER_DEFAULT      PF_LIMITER_BLOCK
+
 struct pf_rule {
        struct pf_rule_addr      src;
        struct pf_rule_addr      dst;
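Review bot: `PF_LIMITER_DEFAULT` is added as a bare macro alias right after the enum whose member it names, with no comment on what "default" means; since its value is an enumerator, making it one too (`PF_LIMITER_DEFAULT = PF_LIMITER_BLOCK,` inside the enum) keeps it type-checked and debugger-visible, and the contract should be stated: `/* Action applied when a rule names a limiter but gives no option: fail closed. */`. Note that this default is only applied in pfctl's parser (parse.y); the kernel uses whatever value the rule carries, so if the enum's zero value is `PF_LIMITER_NOMATCH`, a zero-initialized rule from an older or third-party userland would presumably still get no-match rather than block — worth confirming whether the kernel should also map an unset field to `PF_LIMITER_DEFAULT`. The enum's opening line lies outside the hunk.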
diff --git a/tests/sys/netpfil/pf/limiters.sh b/tests/sys/netpfil/pf/limiters.sh
index 4775039a4a94..8d9a199db787 100644
--- a/tests/sys/netpfil/pf/limiters.sh
+++ b/tests/sys/netpfil/pf/limiters.sh
@@ -54,7 +54,7 @@ state_basic_body()
            "set timeout icmp.error 120" \
            "state limiter \"server\" id 1 limit 1" \
            "block in proto icmp" \
-           "pass in proto icmp state limiter \"server\""
+           "pass in proto icmp state limiter \"server\" (no-match)"
 
        atf_check -s exit:0 -o ignore \
            ping -c 2 192.0.2.1
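Review bot: All three updated rules in state_basic_body, state_rate_body and source_basic_body (hunks ending at lines 142, 151 and 160 here) now request `(no-match)` explicitly, so the suite keeps covering the old behavior but nothing exercises the new default: a rule with no limiter option that must block once the limiter is exhausted. Because each body already has a preceding `block in proto icmp` rule, the observable outcome of no-match and block is the same in these tests, so a default-action test would need a ruleset without that catch-all block (for example a later `pass` rule the exhausted limiter must not fall through to) and an assertion that the excess packet is dropped. pf1077.ok covers the default only at the pfctl print level, not in the kernel path. Each test body starts before its hunk and continues after it.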
@@ -103,7 +103,7 @@ state_rate_body()
            "set timeout icmp.error 120" \
            "state limiter \"server\" id 1 limit 1000 rate 1/5" \
            "block in proto icmp" \
-           "pass in proto icmp state limiter \"server\""
+           "pass in proto icmp state limiter \"server\" (no-match)"
 
        atf_check -s exit:0 -o ignore \
            ping -c 2 192.0.2.1
@@ -217,7 +217,7 @@ source_basic_body()
            "set timeout icmp.error 120" \
            "source limiter \"server\" id 1 entries 128 limit 1" \
            "block in proto icmp" \
-           "pass in proto icmp source limiter \"server\""
+           "pass in proto icmp source limiter \"server\" (no-match)"
 
        atf_check -s exit:0 -o ignore \
            ping -S 192.0.2.2 -c 2 192.0.2.1
