author | Jason McIntyre <jmc@cvs.openbsd.org> | 2011-02-01 17:31:48 +0000 |
---|---|---|
committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2011-02-01 17:31:48 +0000 |
commit | 169b1050b2b533314ef47a5b646cf073b2f70065 (patch) | |
tree | 1651b81f5635fd579e45216799ad6552fa3760bc /share | |
parent | 563df0892b2a6f7031c1e2337b60c211ba1cfdaf (diff) |
- remove an ambiguity regarding the state description. i used part of a
diff from patrick keshishian on misc for this
- document that packets passed by default, matching neither block nor
pass rules, are effectively created with "no state"; as discovered by tedu
...after much discussion on misc and with henning
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 73330d1b481..e777c1ffd24 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.488 2011/01/23 23:34:18 henning Exp $ +.\" $OpenBSD: pf.conf.5,v 1.489 2011/02/01 17:31:47 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: January 23 2011 $ +.Dd $Mdocdate: February 1 2011 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -126,8 +126,8 @@ By default filters packets statefully: the first time a packet matches a .Ar pass -rule, a state entry is created; for subsequent packets the filter checks -whether the packet matches any state. +rule, a state entry is created. +The packet filter examines each packet to see if it matches an existing state. If it does, the packet is passed without evaluation of any rules. After the connection is closed or times out, the state entry is automatically removed. @@ -1919,6 +1919,12 @@ the .Ar no state keyword can be used to specify that state will not be created if this is the last matching rule. +Note that packets which match neither block nor pass rules, +and thus are passed by default, +are effectively passed as if +.Ar no state +had been specified. +.Pp A number of parameters can also be set to affect how .Xr pf 4 handles state tracking, |
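Review bot: In the hunk at @@ -126,8 +126,8, the replacement sentence "The packet filter examines each packet to see if it matches an existing state." drops the ordering that "for subsequent packets" used to carry, so the reader has to infer from the following context line ("passed without evaluation of any rules") that the state lookup comes before rule evaluation. Saying so directly would remove the remaining ambiguity, for example "Before any rules are evaluated, the packet filter checks whether the packet matches an existing state." The same sentence introduces "The packet filter" as a new name, while the context of the last hunk refers to the filter as ".Xr pf 4"; using one form throughout would be more consistent.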
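Review bot: In the hunk at @@ -1919,6 +1919,12, the added note writes "block nor pass rules" as plain text, although "no state" two lines later, and "pass" in the @@ -126,8 hunk, are marked up with .Ar; the two keywords should get the same markup. The note also stops at "as if no state had been specified" without stating what that means for a ruleset: no state entry exists for such a connection, so its later packets, replies included, are not matched against a state and go through rule evaluation (or the default pass) each time. One more sentence to that effect would help, and so would a short pointer from the stateful-filtering paragraph changed in the @@ -126,8 hunk, which describes state creation only for packets matching a pass rule and does not mention the default-pass case.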