Differential D50798

pf: add a generic packet rate matching filter
ClosedPublic
Actions

Authored by kp on Jun 11 2025, 7:40 PM.

Tags

None

Referenced Files

	F154282637: D50798.id.diff
	Mon, Apr 27, 2:23 PM

	Unknown Object (File)
	Sat, Apr 25, 5:18 AM

	Unknown Object (File)
	Fri, Apr 24, 1:28 PM

	Unknown Object (File)
	Tue, Apr 21, 11:37 AM

	Unknown Object (File)
	Sun, Apr 19, 4:46 PM

	Unknown Object (File)
	Sun, Apr 12, 9:38 AM

	Unknown Object (File)
	Thu, Apr 9, 8:56 PM

	Unknown Object (File)
	Mon, Apr 6, 1:20 PM

View All 87 Files

Subscribers

vegeta_tuxpowered.net

Details

Reviewers

None

Group Reviewers

Commits

rGff11f1c8c76c: pf: add a generic packet rate matching filter

Summary

allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Obtained from: OpenBSD, henning <henning@openbsd.org>, 5a4ae9a9cb
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Jun 11 2025, 7:40 PM

Herald added subscribers: ziaee, vegeta_tuxpowered.net, glebius and 4 others. · View Herald TranscriptJun 11 2025, 7:40 PM

kp requested review of this revision.Jun 11 2025, 7:40 PM

Harbormaster completed remote builds in B64766: Diff 156838.Jun 11 2025, 7:40 PM

kp added a parent revision: D50797: pf: use counter_rate() for rate checking.Jun 11 2025, 7:40 PM

This revision was not accepted when it landed; it landed in state Needs Review.Jul 18 2025, 2:44 PM

Closed by commit rGff11f1c8c76c: pf: add a generic packet rate matching filter (authored by kp). · Explain Why

This revision was automatically updated to reflect the committed changes.

kp added a commit: rGff11f1c8c76c: pf: add a generic packet rate matching filter.

Revision Contents
Changeset List

Path

Size

lib/

libpfctl/

15 lines

34 lines

sbin/

pfctl/

24 lines

3 lines

share/

man/

man5/

19 lines

sys/

net/

1 line

netpfil/

pf/

11 lines

4 lines

1 line

13 lines

Diff 158743

lib/libpfctl/libpfctl.h

Loading...

lib/libpfctl/libpfctl.c

Loading...

sbin/pfctl/parse.y

Loading...

sbin/pfctl/pfctl_parser.c

Loading...

share/man/man5/pf.conf.5

Loading...

sys/net/pfvar.h

Loading...

sys/netpfil/pf/pf.c

Loading...

sys/netpfil/pf/pf_ioctl.c

Loading...

sys/netpfil/pf/pf_nl.h

Loading...

sys/netpfil/pf/pf_nl.c

Loading...