To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 2e0e45a516b9 - main - pfctl(8): change default limiter action from no-match to block List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 2e0e45a516b93cc72771a5de8b87cd0a07a55f07 Auto-Submitted: auto-generated Date: Mon, 19 Jan 2026 22:57:51 +0000 Message-Id: <696eb6ef.3a4ac.5e216a0a@gitrepo.freebsd.org> The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=2e0e45a516b93cc72771a5de8b87cd0a07a55f07 commit 2e0e45a516b93cc72771a5de8b87cd0a07a55f07 Author: Kristof Provost AuthorDate: 2026-01-16 17:30:55 +0000 Commit: Kristof Provost CommitDate: 2026-01-19 22:04:55 +0000 pfctl(8): change default limiter action from no-match to block pf(4) users who use limiters in current should update the rules accordingly to reflect the change in default behavior. The existing rule which reads as follows: pass in from any to any state limiter test needs to be changed to: pass in from any to any state limiter test (no-match) OK dlg@ Obtained from: OpenBSD, sashan , c600931321 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/parse.y | 2 +- sbin/pfctl/tests/files/pf1076.in | 2 +- sbin/pfctl/tests/files/pf1077.ok | 2 +- share/man/man5/pf.conf.5 | 22 +++++++++++----------- sys/netpfil/pf/pf.h | 2 ++ tests/sys/netpfil/pf/limiters.sh | 6 +++--- 6 files changed, 19 insertions(+), 17 deletions(-) diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 72589f309f54..57a5140ffeb7 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y 
@@ -2787,7 +2787,7 @@ sourcelim_filter_opt } ; -limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_NOMATCH; } +limiter_opt_spec: /* empty */ { $$ = PF_LIMITER_DEFAULT; } | '(' limiter_opt ')' { $$ = $2; } ; diff --git a/sbin/pfctl/tests/files/pf1076.in b/sbin/pfctl/tests/files/pf1076.in index af815fd4c5ef..117fb90a11d2 100644 --- a/sbin/pfctl/tests/files/pf1076.in +++ b/sbin/pfctl/tests/files/pf1076.in @@ -1,2 +1,2 @@ state limiter "dns-server" id 1 limit 1000 rate 1/10 -pass in proto tcp to port domain state limiter "dns-server" +pass in proto tcp to port domain state limiter "dns-server" (no-match) diff --git a/sbin/pfctl/tests/files/pf1077.ok b/sbin/pfctl/tests/files/pf1077.ok index 834399c40d8a..4a7cb3606aef 100644 --- a/sbin/pfctl/tests/files/pf1077.ok +++ b/sbin/pfctl/tests/files/pf1077.ok @@ -1,2 +1,2 @@ source limiter dns-server id 1 entries 2 limit 3 rate 4/5 inet mask 16 -pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (no-match) +pass in proto tcp from any to any port = domain flags S/SA keep state source limiter id 1 (block) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index aa3899e48596..707053233e5a 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 12, 2026 +.Dd January 16, 2026 .Dt PF.CONF 5 .Os .Sh NAME 
@@ -2368,12 +2368,12 @@ block in proto icmp probability 20% .It Cm state limiter Ar name Oo Cm (limiter options) Oc Use the specified state limiter to restrict the creation of states by this rule. -By default if capacity is not available, the rule is ignored -and ruleset evaluation continues with next rule.. +By default if capacity is not available, the packet gets blocked +and ruleset evaluation stops. Use -.Ic block -option to change default behavior such packet is blocked -when limit is reached. +.Ic no-match +option to change default behavior such rule is ignored and ruleset +evaluation continues with next rule. See the .Sx State Limiters section for more information. @@ -2381,12 +2381,12 @@ section for more information. .It Cm source limiter Ar name Oo Cm (limiter options) Oc Use the specified source limiter to restrict the creation of states by this rule. -By default if capacity is not available, the rule is ignored -and ruleset evaluation continues with next rule.. +By default if capacity is not available, the packet gets blocked +and ruleset evaluation stops. Use -.Ic block -option to change default behavior such packet is blocked -when limit is reached. +.Ic no-match +option to change default behavior such rule is ignored and ruleset +evaluation continues with next rule. See the .Sx Source Limiters section for more information. diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index 4c950c7eab9c..09bcd424db3e 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h @@ -506,6 +506,8 @@ enum { PF_LIMITER_BLOCK }; +#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK + struct pf_rule { struct pf_rule_addr src; struct pf_rule_addr dst; diff --git a/tests/sys/netpfil/pf/limiters.sh b/tests/sys/netpfil/pf/limiters.sh index 4775039a4a94..8d9a199db787 100644 --- a/tests/sys/netpfil/pf/limiters.sh +++ b/tests/sys/netpfil/pf/limiters.sh 
@@ -54,7 +54,7 @@ state_basic_body() "set timeout icmp.error 120" \ "state limiter \"server\" id 1 limit 1" \ "block in proto icmp" \ - "pass in proto icmp state limiter \"server\"" + "pass in proto icmp state limiter \"server\" (no-match)" atf_check -s exit:0 -o ignore \ ping -c 2 192.0.2.1 @@ -103,7 +103,7 @@ state_rate_body() "set timeout icmp.error 120" \ "state limiter \"server\" id 1 limit 1000 rate 1/5" \ "block in proto icmp" \ - "pass in proto icmp state limiter \"server\"" + "pass in proto icmp state limiter \"server\" (no-match)" atf_check -s exit:0 -o ignore \ ping -c 2 192.0.2.1 @@ -217,7 +217,7 @@ source_basic_body() "set timeout icmp.error 120" \ "source limiter \"server\" id 1 entries 128 limit 1" \ "block in proto icmp" \ - "pass in proto icmp source limiter \"server\"" + "pass in proto icmp source limiter \"server\" (no-match)" atf_check -s exit:0 -o ignore \ ping -S 192.0.2.2 -c 2 192.0.2.1
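Review bot: in the parse.y hunk, replacing `PF_LIMITER_NOMATCH` with `PF_LIMITER_DEFAULT` in the `/* empty */` alternative means the action is fixed at parse time, so a loaded ruleset's behaviour on limiter exhaustion depends on which pfctl compiled it; the `(block)` now appearing in pf1077.ok shows that `pfctl -sr` prints the chosen action explicitly, which is the right way to make the new fail-closed default auditable. A one-line comment beside `{ $$ = PF_LIMITER_DEFAULT; }` saying that the empty option now means "block on exhaustion" would help readers who remember the old no-match default.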
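Review bot: in both pf.conf.5 hunks the new sentence `option to change default behavior such rule is ignored and ruleset evaluation continues with next rule.` is ungrammatical; suggest `option to change the default behavior so that the rule is ignored and ruleset evaluation continues with the next rule.` The stray double period in the old text (`next rule..`) is gone, good. Because an unchanged ruleset silently moves from fail-open (skip the rule) to fail-closed (block the packet) when a limiter is exhausted, the change also merits an UPDATING or RELNOTES entry, and neither file appears in the diffstat.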
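Review bot: in the pf.h hunk, `#define PF_LIMITER_DEFAULT PF_LIMITER_BLOCK` is dropped between the enum and `struct pf_rule` with no comment; add a short one stating that this is the action applied when a rule names a limiter without an explicit `(no-match)` or `(block)` option, and that in this diff it is consumed only by the pfctl grammar in parse.y, so whoever next changes it knows which side of the ioctl boundary it affects.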
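Review bot: in the limiters.sh hunks all three tests (`state_basic_body`, `state_rate_body`, `source_basic_body`) now append `(no-match)` to the pass rule, so after this commit no test exercises the new default path at all. Add a case that leaves the option off and checks the block behaviour once the limit is exhausted, so a regression of `PF_LIMITER_DEFAULT` back to no-match is caught. The updated tests keep their old expectations only because the preceding `"block in proto icmp"` rule catches the fall-through when the pass rule is skipped; that dependency is worth a comment in the test.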
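The commit message tells operators to add an explicit `(no-match)` to limiter rules that relied on the old default. The script below is an added audit helper, not part of the commit or of FreeBSD, that lists the rules in a pf.conf-style file which reference a state or source limiter without any parenthesised action; those are exactly the rules whose behaviour on exhaustion flips from "skip the rule" to "block the packet". The sample ruleset embedded in it is constructed for the demonstration, and the only assumption about syntax is the one visible in the commit: the action, when present, is a parenthesised option immediately after the limiter name.

```sh
#!/bin/sh
# Constructed sample ruleset (not from the commit): two limiter definitions,
# two rules that already carry an explicit action, and two that rely on the
# default that this commit changed from no-match to block.
SAMPLE_CONF='state limiter "dns-server" id 1 limit 1000 rate 1/10
source limiter "clients" id 2 entries 128 limit 1
pass in proto tcp to port domain state limiter "dns-server"
pass in proto udp to port domain state limiter "dns-server" (no-match)
pass in proto icmp source limiter "clients"
pass in proto icmp source limiter "clients" (block)
block in proto icmp'

# Print "<line>: <rule>" for every filter rule that references a limiter
# without an explicit "(no-match)" or "(block)" option.  Limiter
# definitions (lines starting with "state limiter"/"source limiter") and
# comments are skipped.  $1 is the path to the ruleset file.
find_implicit_limiter_rules() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(state|source) limiter/ { next }
        {
            # locate "state limiter NAME" / "source limiter NAME" in the rule
            if (match($0, /(state|source) limiter[[:space:]]+[^[:space:]]+/)) {
                rest = substr($0, RSTART + RLENGTH)
                # an explicit action is a "(" right after the limiter name
                if (rest !~ /^[[:space:]]*\(/)
                    print NR ": " $0
            }
        }' "$1"
}

# Convenience wrapper returning just the number of affected rules, so the
# script can be used as a pre-upgrade gate (non-zero count = review needed).
count_implicit_limiter_rules() {
    find_implicit_limiter_rules "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample: writes it to a temp file and lists the
# two rules whose exhaustion behaviour changed with the new default.
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
find_implicit_limiter_rules "$demo_conf"
rm -f "$demo_conf"
```

Run it against the real ruleset (`find_implicit_limiter_rules /etc/pf.conf`), then append `(no-match)` to the flagged rules if the old fall-through behaviour is wanted, or `(block)` to document the new one explicitly, and validate the edited file with `pfctl -nf /etc/pf.conf` before loading it. The script only inspects a file; it never loads anything into pf.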