path: root/share/man/man5/pf.conf.5
author    Mike Belopuhov <mikeb@cvs.openbsd.org>    2011-08-16 14:48:40 +0000
committer Mike Belopuhov <mikeb@cvs.openbsd.org>    2011-08-16 14:48:40 +0000
commit    8e74f8d1d826836631edbb626bb63e11afe6ef6d (patch)
tree      de88bb04a317e759018d0e7c0e723b0ce13a66c0 /share/man/man5/pf.conf.5
parent    524fc0c212ac7546522d7841e92f53d52d9af4de (diff)
Sync documentation with code on the matter of max state limit behavior.
When one of the state limits is reached, further packets that would create state are dropped, until existing states time out. Discussed with mcbride, ok henning, jmc
Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r--  share/man/man5/pf.conf.5 | 9
1 files changed, 6 insertions, 3 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index e41109de68f..b73458480d4 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.505 2011/08/08 02:50:57 mcbride Exp $
+.\" $OpenBSD: pf.conf.5,v 1.506 2011/08/16 14:48:39 mikeb Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 8 2011 $
+.Dd $Mdocdate: August 16 2011 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2068,7 +2068,7 @@ States are bound to an interface
.It Ar max Aq Ar number
Limits the number of concurrent states the rule may create.
When this limit is reached, further packets that would create
-state will not match this rule until existing states time out.
+state are dropped until existing states time out.
.It Ar no-sync
Prevent state changes for states created by this rule from appearing on the
.Xr pfsync 4
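Review bot: the rewritten sentence under the `max` option changes the documented semantics from fall-through to drop, and that difference deserves to be spelled out. The old text, "will not match this rule until existing states time out", implies the packet goes on to be evaluated against later rules; the new text, "are dropped until existing states time out", means it does not. Since the commit message says this is what the code actually does, consider adding that such packets are not evaluated against subsequent rules, so a reader of the earlier manual does not keep assuming a fall-through that the code never provided.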
@@ -2153,6 +2153,9 @@ Limit the rate of new connections over a time interval.
The connection rate is an approximation calculated as a moving average.
.El
.Pp
+When one of these limits is reached, further packets that would create
+state are dropped until existing states time out.
+.Pp
Because the 3-way handshake ensures that the source address is not being
spoofed, more aggressive action can be taken based on these limits.
With the
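Review bot: the added paragraph after `.El` says "these limits", but because it now stands outside the option list (rather than in an `.It` entry), the antecedent is only clear if the reader has just finished the list. Consider naming the options the sentence covers, and making clear that the drop behaviour belongs to the limits themselves, not to the "more aggressive action" the following paragraph goes on to describe, so the two are not conflated. The same sentence now also appears under the `max` option in the earlier hunk; that repetition is acceptable, but the two wordings should stay identical if either is edited later.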