Diffusion FreeBSD src repository ff11f1c8c76c

pf: add a generic packet rate matching filter
ff11f1c8c76c
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

pf: add a generic packet rate matching filter

allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb

Obtained from: OpenBSD, henning <henning@openbsd.org>, 5a4ae9a9cb
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50798

Details

Provenance

kp	Authored on Jun 3 2025, 7:15 AM

Differential Revision

D50798: pf: add a generic packet rate matching filter

Parents

rG53a341d0e445: pf: use counter_rate() for rate checking

Branches

Unknown

Tags

Unknown

Event Timeline

kp committed rGff11f1c8c76c: pf: add a generic packet rate matching filter (authored by kp).Jun 25 2025, 5:56 PM

kp added an edge: D50798: pf: add a generic packet rate matching filter.Jul 18 2025, 2:44 PM

Changes (10)

Path

Size

lib/

libpfctl/

sbin/

pfctl/

share/

man/

man5/

sys/

net/

netpfil/

pf/

rGff11f1c8c76c

lib/libpfctl/libpfctl.c

Loading...

lib/libpfctl/libpfctl.h

Loading...

sbin/pfctl/parse.y

Loading...

sbin/pfctl/pfctl_parser.c

Loading...

share/man/man5/pf.conf.5

Loading...

sys/net/pfvar.h

Loading...

sys/netpfil/pf/pf.c

Loading...

sys/netpfil/pf/pf_ioctl.c

Loading...

sys/netpfil/pf/pf_nl.c

Loading...

sys/netpfil/pf/pf_nl.h

Loading...