| field | value | date |
|---|---|---|
| author | Henning Brauer <henning@cvs.openbsd.org> | 2017-11-13 11:30:12 +0000 |
| committer | Henning Brauer <henning@cvs.openbsd.org> | 2017-11-13 11:30:12 +0000 |
| commit | da34c0e0269decb017a680092e02d33530b4e0a5 (patch) | |
| tree | 44842a7d58c38dfae36b72fab509fe77f624b088 /share | |
| parent | 564d693f1d76ac81f1703fee00bbbdc93fbda60b (diff) | |
add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 117207a05b5..c0f85cc6f7f 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.569 2017/10/14 06:50:21 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.570 2017/11/13 11:30:11 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org> @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 14 2017 $ +.Dd $Mdocdate: November 13 2017 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -626,6 +626,22 @@ The macro expansion for the .Cm label directive occurs only at configuration file parse time, not during runtime. .Pp +.It Cm max-pkt-rate Ar number Ns / Ns Ar seconds +Measure the rate of packets matching the rule and states created by it. +When the specified rate is exceeded, the rule stops matching. +Only packets in the direction in which the state was created are considered, +so that typically requests are counted and replies are not. +For example: +.Pp +.Bd -literal -offset indent -compact +block in proto icmp +pass in proto icmp max-pkt-rate 100/10 +.Ed +.Pp +passes up to 100 icmp packets per 10 seconds. +When the rate is exceeded, all icmp is blocked until the rate falls below +100 per 10 seconds again. +.Pp .It Cm once Creates a one shot rule that will remove itself from an active ruleset after the first match. @@ -2692,6 +2708,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "divert-packet" "port" port | "divert-reply" | "divert-to" host "port" port | "label" string | "tag" string | [ "!" ] "tagged" string | + "max-pkt-rate" number "/" seconds | "set prio" ( number | "(" number [ [ "," ] number ] ")" ) | "set queue" ( string | "(" string [ [ "," ] string ] ")" ) | "rtable" number | "probability" number"%" | "prio" number | |
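Review bot: In the @@ -626,6 +626,22 @@ hunk, the new `.It Cm max-pkt-rate` description leaves it open whether the rate is tracked once per rule (shared across every state the rule has created) or separately per state; "Measure the rate of packets matching the rule and states created by it" reads either way, and the commit message's "all packets matching the rule in the direction the state was created are taken into consideration" points to a single per-rule counter, so state that explicitly. The example's last sentence, "all icmp is blocked until the rate falls below 100 per 10 seconds again", only holds because of the preceding `block in proto icmp` line; phrasing it as "the pass rule stops matching, so the preceding block rule applies" describes the option's own behaviour rather than the example's layout. Style point: "icmp" in running text is better written "ICMP", with the lowercase form kept only inside the literal rule lines.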
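Review bot: In the @@ -2692,6 +2708,7 @@ hunk, the added alternative `"max-pkt-rate" number "/" seconds` uses `seconds` as a terminal, while the neighbouring alternatives (`"rtable" number`, `"probability" number"%"`, `"prio" number`) use `number`; unless the grammar section already defines a `seconds` production, either add one or write `"max-pkt-rate" number "/" number` so the BNF stays self-contained and consistent with the `number/seconds` wording in the `.It Cm max-pkt-rate` entry.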