Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 117207a05b5..c0f85cc6f7f 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.569 2017/10/14 06:50:21 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.570 2017/11/13 11:30:11 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org> @@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 14 2017 $ +.Dd $Mdocdate: November 13 2017 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -626,6 +626,22 @@ The macro expansion for the .Cm label directive occurs only at configuration file parse time, not during runtime. .Pp +.It Cm max-pkt-rate Ar number Ns / Ns Ar seconds +Measure the rate of packets matching the rule and states created by it. +When the specified rate is exceeded, the rule stops matching. +Only packets in the direction in which the state was created are considered, +so that typically requests are counted and replies are not. +For example: +.Pp +.Bd -literal -offset indent -compact +block in proto icmp +pass in proto icmp max-pkt-rate 100/10 +.Ed +.Pp +passes up to 100 icmp packets per 10 seconds. +When the rate is exceeded, all icmp is blocked until the rate falls below +100 per 10 seconds again. +.Pp .It Cm once Creates a one shot rule that will remove itself from an active ruleset after the first match. @@ -2692,6 +2708,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "divert-packet" "port" port | "divert-reply" | "divert-to" host "port" port | "label" string | "tag" string | [ "!" ] "tagged" string | + "max-pkt-rate" number "/" seconds | "set prio" ( number | "(" number [ [ "," ] number ] ")" ) | "set queue" ( string | "(" string [ [ "," ] string ] ")" ) | "rtable" number | "probability" number"%" | "prio" number | |
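Review bot: In the new max-pkt-rate entry (hunk @@ -626,6 +626,22 @@), "When the specified rate is exceeded, the rule stops matching" does not say what happens to packets of states the rule has already created, while the explanation after the example claims "all icmp is blocked". The first sentence counts packets of those states as well, so add a sentence stating whether existing states keep passing traffic while the rule is not matching or are held to the limit too. If the counter is kept per rule and shared by all senders, as the wording suggests, say so explicitly, since a single busy sender would then use up the allowance for everyone. It would also help to note that the example blocks only because the preceding "block in proto icmp" rule takes over once the pass rule stops matching.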
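Review bot: In the filteropt grammar hunk (@@ -2692,6 +2708,7 @@), the new alternative "max-pkt-rate" number "/" seconds uses "seconds", which none of the visible grammar lines define, while the neighbouring alternatives use "number" and "string". Check that "seconds" is a nonterminal defined elsewhere in the grammar section; if it is not, write it as "number" and leave the unit to the option's description.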