author Joel Knight <joel@cvs.openbsd.org> 2005-02-24 04:36:46 +0000
committer Joel Knight <joel@cvs.openbsd.org> 2005-02-24 04:36:46 +0000
commit 049e5e1f6e3623c969b3f34d8a9a08ddcd139bc8
tree ebdb0c462bb825ef6a18dbd02987d1ad5c7ed653 /share/man/man5
parent 36fc2bca516be45f0b1c93eda8c839588b1d60a9
Document the 'source-track' stateful tracking option. Heavy influence
from dhartmei and henning. ok dhartmei@ henning@ jmc@ jaredy@
Diffstat (limited to 'share/man/man5')
-rw-r--r-- share/man/man5/pf.conf.5 22
1 files changed, 21 insertions, 1 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index f3f69245f41..a01976b0816 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.322 2005/01/01 07:57:53 pascoe Exp $
+.\" $OpenBSD: pf.conf.5,v 1.323 2005/02/24 04:36:45 joel Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -1955,6 +1955,26 @@ pass in proto tcp from any to any \e
When the
.Ar source-track
keyword is specified, the number of states per source IP is tracked.
+.Pp
+.Bl -tag -width xxxx -compact
+.It Ar source-track rule
+The maximum number of states created by this rule is limited by the rule's
+.Ar max-src-nodes
+and
+.Ar max-src-state
+options.
+Only state entries created by this particular rule count toward the rule's
+limits.
+.It Ar source-track global
+The number of states created by all rules that use this option is limited.
+Each rule can specify different
+.Ar max-src-nodes
+and
+.Ar max-src-states
+options, however state entries created by any participating rule count towards
+each individual rule's limits.
+.El
+.Pp
The following limits can be set:
.Pp
.Bl -tag -width xxxx -compact
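Review bot: The option name is spelled two ways in the added list: the "source-track rule" item has ".Ar max-src-state" while the "source-track global" item has ".Ar max-src-states". pf's option is max-src-states, so the first occurrence should be changed to match; a reader copying the singular form into a ruleset would get a parse error instead of the state limit they meant to apply. Two smaller points in the same list: the text does not say which of rule or global applies when source-track is given without an argument, which matters because the context line above documents the bare keyword, and "options, however state entries created by any participating rule count towards" is a comma splice that reads more clearly as two sentences. The list also uses "toward" in one item and "towards" in the other.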