Date: Thu, 25 Sep 2025 12:41:34 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 882121672704 - main - pfctl: One shot rules can be used in pf.conf by specifying a "once" filter option. Message-ID: <202509251241.58PCfY5M000815@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=8821216727043dde9cb23a66b884f7918c80063c commit 8821216727043dde9cb23a66b884f7918c80063c Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-08-27 13:41:07 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-09-25 12:41:08 +0000 pfctl: One shot rules can be used in pf.conf by specifying a "once" filter option. ok henning, mcbride Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 44b1b5a8a9 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/parse.y | 17 +++++++++++++++-- sbin/pfctl/pfctl_parser.c | 2 ++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 0628b387b4b3..c35460f5443d 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -267,7 +267,7 @@ static struct filter_opts { #define FOM_SETTOS 0x0100 #define FOM_SCRUB_TCP 0x0200 #define FOM_SETPRIO 0x0400 -#define FOM_ONCE 0x1000 /* not yet implemmented */ +#define FOM_ONCE 0x1000 #define FOM_PRIO 0x2000 #define FOM_SETDELAY 0x4000 #define FOM_FRAGCACHE 0x8000 /* does not exist in OpenBSD */ @@ -541,7 +541,7 @@ int parseport(char *, struct range *r, int); %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL %token DNPIPE DNQUEUE RIDENTIFIER -%token LOAD RULESET_OPTIMIZATION PRIO +%token LOAD RULESET_OPTIMIZATION PRIO ONCE %token STICKYADDRESS ENDPI MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW ALLOW_RELATED %token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS @@ -1061,6 +1061,12 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto } } + if ($9.marker & FOM_ONCE) { + yyerror("cannot specify 'once' " + "on anchors"); + YYERROR; + } + if (filteropts_to_rule(&r, &$9)) YYERROR; @@ -2390,6 +2396,9 @@ pfrule : action dir logquick interface route af proto fromto r.quick = $3.quick; r.af = $6; + if ($9.marker & FOM_ONCE) + r.rule_flag |= PFRULE_ONCE; + if (filteropts_to_rule(&r, &$9)) YYERROR; @@ -3036,6 +3045,9 @@ filter_opt : USER uids { } filter_opts.max_pkt_size = $2; } + | ONCE { + filter_opts.marker |= FOM_ONCE; + } | filter_sets ; @@ -6725,6 +6737,7 @@ lookup(char *s) { "no-route", NOROUTE}, { "no-sync", NOSYNC}, { "on", ON}, + { "once", ONCE}, { "optimization", OPTIMIZATION}, { "os", OS}, { "out", OUT}, diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 9609e880584f..ce493570a25e 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1234,6 +1234,8 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer printf(" %s %d", r->free_flags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue", r->dnpipe); + if (r->rule_flag & PFRULE_ONCE) + printf(" once"); if (r->qname[0] && r->pqname[0]) printf(" queue(%s, %s)", r->qname, r->pqname); else if (r->qname[0])
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202509251241.58PCfY5M000815>