author: Jason McIntyre <jmc@cvs.openbsd.org> 2011-02-01 17:31:48 +0000
committer: Jason McIntyre <jmc@cvs.openbsd.org> 2011-02-01 17:31:48 +0000
commit: 169b1050b2b533314ef47a5b646cf073b2f70065
tree: 1651b81f5635fd579e45216799ad6552fa3760bc /share
parent: 563df0892b2a6f7031c1e2337b60c211ba1cfdaf
- remove an ambiguity regarding the state description. I used part of a
diff from patrick keshishian on misc for this - document that packets passed by default, matching neither block nor pass rules, are effectively created with "no state"; as discovered by tedu... after much discussion on misc and with henning
Diffstat (limited to 'share')
-rw-r--r-- share/man/man5/pf.conf.5 | 14
1 files changed, 10 insertions, 4 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 73330d1b481..e777c1ffd24 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.488 2011/01/23 23:34:18 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.489 2011/02/01 17:31:47 jmc Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: January 23 2011 $
+.Dd $Mdocdate: February 1 2011 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -126,8 +126,8 @@ By default
filters packets statefully:
the first time a packet matches a
.Ar pass
-rule, a state entry is created; for subsequent packets the filter checks
-whether the packet matches any state.
+rule, a state entry is created.
+The packet filter examines each packet to see if it matches an existing state.
If it does, the packet is passed without evaluation of any rules.
After the connection is closed or times out, the state entry is automatically
removed.
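Review bot: The replacement sentence "The packet filter examines each packet to see if it matches an existing state." still leaves the order of operations implicit, and the old "for subsequent packets" wording that hinted at it is gone; since the following line says a matching packet is passed "without evaluation of any rules", state lookup evidently precedes ruleset evaluation, and the text should say so, e.g. "Before evaluating the ruleset, the packet filter checks each packet against existing states." That makes the performance and policy consequence (rules are never consulted for packets belonging to an established state) explicit rather than inferred.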
@@ -1919,6 +1919,12 @@ the
.Ar no state
keyword can be used to specify that state will not be created
if this is the last matching rule.
+Note that packets which match neither block nor pass rules,
+and thus are passed by default,
+are effectively passed as if
+.Ar no state
+had been specified.
+.Pp
A number of parameters can also be set to affect how
.Xr pf 4
handles state tracking,
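Review bot: The new note is the only place the page says that default-passed packets carry no state, but the "By default ... filters packets statefully" paragraph changed in the earlier hunk now reads as if every passed packet gets a state entry; add a one-line cross-reference in one of the two places so a reader of the stateful-filtering paragraph learns about this exception. Also, "packets which match neither block nor pass rules" can be read as "match neither kind of rule"; "packets which are not matched by any block or pass rule" says the same thing without the ambiguity this commit sets out to remove.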