Hmmm... It appears that I've misinterpreted the syntax rules, then, as from pf.conf(5) it looks like the only dependency is that flush requires overload.
Code:
state-opt      = ( "max" number | "no-sync" | timeout | "sloppy" |
                   "pflow" | "source-track" [ ( "rule" | "global" ) ] |
                   "max-src-nodes" number | "max-src-states" number |
                   "max-src-conn" number |
                   "max-src-conn-rate" number "/" number |
                   "overload" "<" string ">" [ "flush" [ "global" ] ] |
                   "if-bound" | "floating" )
I've never had a desire to honeypot, so I've never tried something like setting max-src-nodes to 0 to see if that eliminates state or if it sets no limit. Instead I've used overload, or overload with flush, where I wished to stop bad behavior.
To the best of my recollection, PF tables are manipulated only via pfctl(8) commands or stateful options.
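As an added illustration (not part of the post above, and not text from pf.conf(5)): a pf.conf fragment that uses overload with flush global the way the post describes, together with the pfctl(8) table commands that go with it. The table name bruteforce, the OpenBSD interface group egress (on other systems substitute the real interface name) and the connection limits are assumptions chosen for the example.

```conf
# Added example, not from the original post.
# Persistent table: it survives rule reloads and starts out empty.
# It is only ever filled by the overload option below or by pfctl -T.
table <bruteforce> persist

# Sources already in the table are dropped before the pass rule is
# consulted; "quick" makes this the final match for them.
block in quick on egress from <bruteforce>

# New SSH connections: at most 10 concurrent per source address and at
# most 3 new ones per 30 seconds. A source exceeding either limit is
# added to <bruteforce>. "flush global" then kills every state that
# source holds, not only the states created by this rule. Per the
# state-opt grammar, flush is only valid after an overload <table>.
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 10, max-src-conn-rate 3/30, \
                overload <bruteforce> flush global)

# Inspecting and managing the table from the shell with pfctl(8):
#   pfctl -t bruteforce -T show                 # list offending addresses
#   pfctl -t bruteforce -T delete 203.0.113.5   # manually release one address
#   pfctl -t bruteforce -T expire 86400         # drop entries older than a day
```

Because the table is marked persist, entries added by overload stay until they are removed with pfctl -T delete or aged out with pfctl -T expire (typically from cron); nothing in the rule set itself removes them.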