Date:      Thu, 25 Sep 2025 12:41:39 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 59f3838b0a94 - main - pfctl: reduce duplicate code
Message-ID:  <202509251241.58PCfdEu004601@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=59f3838b0a942b44397063ffb63a4e4d569129f1

commit 59f3838b0a942b44397063ffb63a4e4d569129f1
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-27 16:13:50 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-25 12:41:09 +0000

    pfctl: reduce duplicate code
    
    * Merge `once' handling from `anchorrule' and `pfrule'
    * Remove/shorten duplicate code block
    
    OK sashan
    
    Obtained from:  OpenBSD, kn <kn@openbsd.org>, d114b77333
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/parse.y | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c8c6f6047fa5..c75632c740b3 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1061,12 +1061,6 @@ anchorrule	: ANCHOR anchorname dir quick interface af proto fromto
 				}
 			}
 
-			if ($9.marker & FOM_ONCE) {
-				yyerror("cannot specify 'once' "
-				    "on anchors");
-					YYERROR;
-			}
-
 			if (filteropts_to_rule(&r, &$9))
 				YYERROR;
 
@@ -2396,15 +2390,6 @@ pfrule		: action dir logquick interface route af proto fromto
 			r.quick = $3.quick;
 			r.af = $6;
 
-			if ($9.marker & FOM_ONCE) {
-				if (r.action == PF_MATCH) {
-					yyerror("can't specify once for "
-					    "match rules");
-					YYERROR;
-				}
-				r.rule_flag |= PFRULE_ONCE;
-			}
-
 			if (filteropts_to_rule(&r, &$9))
 				YYERROR;
 
@@ -7757,6 +7742,14 @@ node_mac_from_string_mask(const char *str, const char *mask)
 int
 filteropts_to_rule(struct pfctl_rule *r, struct filter_opts *opts)
 {
+	if (opts->marker & FOM_ONCE) {
+		if (r->action != PF_PASS && r->action != PF_MATCH) {
+			yyerror("'once' only applies to pass/block rules");
+			return (1);
+		}
+		r->rule_flag |= PFRULE_ONCE;
+	}
+
 	r->keep_state = opts->keep.action;
 	r->pktrate.limit = opts->pktrate.limit;
 	r->pktrate.seconds = opts->pktrate.seconds;
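Review bot: The new test in filteropts_to_rule, `if (r->action != PF_PASS && r->action != PF_MATCH)`, rejects `once` on block (PF_DROP) rules and accepts it on match rules, which is the opposite of both the message on the next line ("'once' only applies to pass/block rules") and the check this commit removes from pfrule, which rejected `once` only for PF_MATCH. If the old behaviour is intended, the test should read `if (r->action == PF_MATCH) {` with a matching message such as `yyerror("can't specify once for match rules");`; otherwise the message should be changed to describe what the test actually does, since as written a block rule with `once` now fails to parse. The anchorrule hunk also drops the "cannot specify 'once' on anchors" rejection and nothing in this block replaces it; whether an anchor rule with `once` is still refused depends on which action anchorrule leaves in r before calling this function, which is outside the hunk and worth confirming. The rest of filteropts_to_rule continues past the end of the hunk.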


