Date: Thu, 25 Sep 2025 12:41:42 GMT
Message-Id: <202509251241.58PCfgmj004677@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: de8af57c6f41 - main - pf: simplify expiration of 'once' rules. List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: de8af57c6f4155caa540a68387fdb02514d7e815 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=de8af57c6f4155caa540a68387fdb02514d7e815 commit de8af57c6f4155caa540a68387fdb02514d7e815 Author: Kristof Provost AuthorDate: 2025-08-28 09:20:40 +0000 Commit: Kristof Provost CommitDate: 2025-09-25 12:41:09 +0000 pf: simplify expiration of 'once' rules. let packet to mark 'once' rule as expired. The rule will be removed by pfctl(8) when rules are updated. OK kn@ Obtained from: OpenBSD, sashan , a21b78cad0 Obtained from: OpenBSD, jmc , 588f4160c8 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl_parser.c | 3 +++ share/man/man5/pf.conf.5 | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c index 54d3e7c8dc79..edbc924341e0 100644 --- a/sbin/pfctl/pfctl_parser.c +++ b/sbin/pfctl/pfctl_parser.c @@ -1291,6 +1291,9 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer r->rdr.proxy_port[1], PF_RDR); } } + + if (r->rule_flag & PFRULE_EXPIRED) + printf(" # expired"); } void diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index b87401f8bb34..cb7fea467c2e 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 
@@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 27, 2025 +.Dd August 28, 2025 .Dt PF.CONF 5 .Os .Sh NAME @@ -2259,8 +2259,12 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below Limit each packet to be no more than the specified number of bytes. This includes the IP header, but not any layer 2 header. .It Ar once -Creates a one shot rule that will remove itself from an active ruleset after -the first match. +Creates a one shot rule. +The first matching packet marks the rule as expired; +any expired rules are no longer evaluated. +Expired rules are only shown in verbose mode (-vv): +.Xr pfctl 8 +will append '# expired' to note any once rules which have already been hit. .Pp .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue ,
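Review bot: in the sbin/pfctl/pfctl_parser.c hunk the ` # expired` annotation is emitted whenever `r->rule_flag & PFRULE_EXPIRED` is set, independent of the `verbose` argument that print_rule() already receives, while the pf.conf.5 text in the same commit says expired rules are only shown in verbose mode (-vv). Nothing in this diff hides expired rules from non-verbose output, so either that filtering lives elsewhere in pfctl(8) and the commit message should say so, or the `printf(" # expired")` should be gated on `verbose`. Emitting the marker as a `#` comment is the right call: a ruleset dumped with `pfctl -sr` still parses if it is fed back to `pfctl -f`, because `#` starts a pf.conf comment.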
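Review bot: the pf.conf.5 hunk writes `(-vv)` and `'# expired'` as literal text; mdoc style is to mark the option with `.Fl vv` and the annotation with `.Sq # expired` (or `.Ql`) rather than bare parentheses and ASCII quotes, matching how the rest of the page references pfctl(8) options. The new wording also drops the one fact a reader of the old sentence ("will remove itself from an active ruleset") would now miss: per the commit message, an expired rule stays in the loaded ruleset and is only removed by pfctl(8) when the rules are next updated. Adding a sentence to that effect after "any expired rules are no longer evaluated." would make the -vv listing of expired rules self-explanatory.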