author Henning Brauer <henning@cvs.openbsd.org> 2008-06-10 04:33:05 +0000
committer Henning Brauer <henning@cvs.openbsd.org> 2008-06-10 04:33:05 +0000
commit 7ea74ba7450211eb4030a9010a4635fd1d2321c2
tree 5188e88e46545cf8cb72c0c0ce5a94265642300b /share/man
parent ec741057b90dbdef4f17d7c8d58fe1c33a2f74df
theo and ryan and I like to scare people
Diffstat (limited to 'share/man')
-rw-r--r-- share/man/man5/pf.conf.5 13
1 files changed, 10 insertions, 3 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index dfa4d722bc1..8eff3ce5300 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.397 2008/05/19 14:57:31 markus Exp $
+.\" $OpenBSD: pf.conf.5,v 1.398 2008/06/10 04:33:04 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: May 19 2008 $
+.Dd $Mdocdate: June 10 2008 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -2086,6 +2086,13 @@ Changes the timeout values used for states created by this rule.
For a list of all valid timeout names, see
.Sx OPTIONS
above.
+.It Ar sloppy
+Uses a sloppy tcp connection tracker that does not check sequence
+numbers at all, which makes insertion and icmp teardown attacks way
+easier.
+This is intended to be used in situations where one does not see all
+packets of a connection, i. e. in asymmetric routing situations.
+Cannot be used with modulate or synproxy state.
.El
.Pp
Multiple options can be specified, separated by commas:
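Review bot: The new sloppy entry states its security cost informally ("way easier") and its last sentence, "Cannot be used with modulate or synproxy state.", does not say what happens when the two are combined (a parse error, or one option silently ignored). Suggest wording the caveat precisely, for example "which makes insertion and ICMP teardown attacks easier", and stating the behaviour for the rejected combination. Since the text says sequence numbers are not checked at all, it would also help to tell the reader to apply the option only on the rules that match the asymmetrically routed traffic. Minor: "i. e." has a stray space and "tcp" and "icmp" should be uppercase.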
@@ -2951,7 +2958,7 @@ tos = ( "lowdelay" | "throughput" | "reliability" |
[ "0x" ] number )
state-opts = state-opt [ [ "," ] state-opts ]
-state-opt = ( "max" number | "no-sync" | timeout |
+state-opt = ( "max" number | "no-sync" | timeout | sloppy |
"source-track" [ ( "rule" | "global" ) ] |
"max-src-nodes" number | "max-src-states" number |
"max-src-conn" number |
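Review bot: In the state-opt production, sloppy is added unquoted, while the other literal keywords on the same line ("max", "no-sync") are quoted. Unquoted, it reads as a reference to another grammar rule in the way timeout does, and this patch adds no rule named sloppy. Suggest quoting it as a literal: state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |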