Date: Thu, 25 Sep 2025 12:41:42 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: de8af57c6f41 - main - pf: simplify expiration of 'once' rules.
Message-ID: <202509251241.58PCfgmj004677@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=de8af57c6f4155caa540a68387fdb02514d7e815 commit de8af57c6f4155caa540a68387fdb02514d7e815 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-08-28 09:20:40 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-09-25 12:41:09 +0000 pf: simplify expiration of 'once' rules. let packet to mark 'once' rule as expired. The rule will be removed by pfctl(8) when rules are updated. OK kn@ Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a21b78cad0 Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 588f4160c8 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl_parser.c | 3 +++ share/man/man5/pf.conf.5 | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 54d3e7c8dc79..edbc924341e0 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1291,6 +1291,9 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer r->rdr.proxy_port[1], PF_RDR); } } + + if (r->rule_flag & PFRULE_EXPIRED) + printf(" # expired"); } void diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index b87401f8bb34..cb7fea467c2e 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 27, 2025 +.Dd August 28, 2025 .Dt PF.CONF 5 .Os .Sh NAME 
@@ -2259,8 +2259,12 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below Limit each packet to be no more than the specified number of bytes. This includes the IP header, but not any layer 2 header. .It Ar once -Creates a one shot rule that will remove itself from an active ruleset after -the first match. +Creates a one shot rule. +The first matching packet marks the rule as expired; +any expired rules are no longer evaluated. +Expired rules are only shown in verbose mode (-vv): +.Xr pfctl 8 +will append '# expired' to note any once rules which have already been hit. .Pp .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue ,
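Review bot: the new `if (r->rule_flag & PFRULE_EXPIRED) printf(" # expired");` at the end of print_rule() in the pfctl_parser.c hunk is not gated on the `verbose` parameter that print_rule() receives, while the pf.conf.5 hunk in the same commit states that expired rules are only shown in verbose mode (-vv). Either the filtering of expired rules happens in the caller before print_rule() is reached, in which case a short comment above the check saying so would save the next reader the lookup, or the annotation and the man page text disagree. Also note that the diffstat lists only pfctl_parser.c and pf.conf.5, so the code that actually sets PFRULE_EXPIRED on the first matching packet is not part of this change; the commit message should say which commit that part landed in, since on its own this hunk only prints a flag nothing here sets.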
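Review bot: in the pf.conf.5 'once' hunk, "will append '# expired'" and "(-vv)" use literal quotes and a bare option string; mdoc has .Sq/.Dq for quoting and .Fl for flags, so `.Fl vv` and `.Sq # expired` would render consistently with the rest of the page. The commit message also says the expired rule "will be removed by pfctl(8) when rules are updated", but the new text only says expired rules are no longer evaluated; adding one sentence stating that an expired once rule stays in the loaded ruleset until the next ruleset load would tell an administrator reading `pfctl -vv -sr` why a rule that no longer matches anything still appears.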