From 8bafd332868df7da16ed8a9e44a580f1faa33110 Mon Sep 17 00:00:00 2001
From: Bram Matthys
Date: Wed, 6 May 2026 10:28:32 +0200
Subject: [PATCH] Update example.conf with the new set::connthrottle::ipv6-unknown-users-limit functionality. [skip ci]
---
 doc/conf/examples/example.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/doc/conf/examples/example.conf b/doc/conf/examples/example.conf
index 8ed0195fa..61511b08e 100644
--- a/doc/conf/examples/example.conf
+++ b/doc/conf/examples/example.conf
@@ -643,6 +643,23 @@ set {
 global-throttle 30:60;
 }
 
+ /* For IPv6 users, on top of 'maxperip' (which limits
+ * connections per /64), connthrottle also limits how
+ * many unknown users can be online from wider IPv6
+ * prefixes (/56, /48, /32). This is an additional
+ * security measure, separate from the rate-throttle
+ * above. People in the security-group "known-users"
+ * bypass this, as well as set::connthrottle::except.
+ * The defaults below should fit most networks unchanged.
+ * Uncomment to tune. Set a cidr-xx item to max 0;
+ * to disable it.
+ */
+ //ipv6-unknown-users-limit {
+ // cidr-56 { max 8; }
+ // cidr-48 { max 32; }
+ // cidr-32 { max 256; }
+ //}
+
 /* This configures when this module will NOT be active.
 * The default settings will disable the module when:
 * - The reputation module has been running for less than
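Review bot: The closing sentence of the added comment, `Set a cidr-xx item to max 0; to disable it.`, is easy to misread because the config terminator sits in the middle of the prose; something like `To disable one prefix check, set its item to "max 0;".` would read more clearly. The comment also does not say what happens to a connection once a prefix limit is reached, and it does not mention that disabling all three items leaves only the per-/64 'maxperip' limit in place, which is presumably the gap this feature is meant to close. One sentence on each would help an operator judge the trade-off before tuning, especially on networks where many legitimate users share a /48 or /32 and the documented route is "known-users" or set::connthrottle::except. The enclosing set::connthrottle block starts and ends outside the hunk.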