Date: Thu, 25 Sep 2025 12:41:33 GMT Message-Id: <202509251241.58PCfXlb000781@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: af922319e813 - main - pf: support one shot rules List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-main@freebsd.org Sender: owner-dev-commits-src-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: af922319e8136a818bc6c38440d98a574c5df7a9 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=af922319e8136a818bc6c38440d98a574c5df7a9 commit af922319e8136a818bc6c38440d98a574c5df7a9 Author: Kristof Provost AuthorDate: 2025-08-27 10:02:51 +0000 Commit: Kristof Provost CommitDate: 2025-09-25 12:41:07 +0000 pf: support one shot rules Add support for one shot rules that remove themselves from an active ruleset after match. This is an extremely handy technique for firewall proxies. ok henning, mcbride Note that the FreeBSD implementation differs significantly from the OpenBSD version due to locking differences. We do not remove the rule, but mark it as having fired previously so we can skip it. Obtained from: OpenBSD, mikeb , c981122504 Obtained from: OpenBSD, sashan , a21b78cad0 (partial) Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf.c | 19 +++++++++++++++++++ sys/netpfil/pf/pf.h | 2 ++ 2 files changed, 21 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index be00aff1f5cb..450e465e926a 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -5633,6 +5633,9 @@ pf_match_rule(struct pf_test_ctx *ctx, struct pf_kruleset *ruleset) *ctx->rm = ctx->pd->related_rule; break; } + PF_TEST_ATTRIB(r->rule_flag & PFRULE_EXPIRED, + TAILQ_NEXT(r, entries)); + /* Don't count expired rule evaluations. */ pf_counter_u64_add(&r->evaluations, 1); PF_TEST_ATTRIB(pfi_kkif_match(r->kif, pd->kif) == r->ifnot, r->skip[PF_SKIP_IFP]); @@ -5736,6 +5739,21 @@ pf_match_rule(struct pf_test_ctx *ctx, struct pf_kruleset *ruleset) if (r->tag) ctx->tag = r->tag; if (r->anchor == NULL) { + + if (r->rule_flag & PFRULE_ONCE) { + uint32_t rule_flag; + + rule_flag = r->rule_flag; + if ((rule_flag & PFRULE_EXPIRED) == 0 && + atomic_cmpset_int(&r->rule_flag, rule_flag, + rule_flag | PFRULE_EXPIRED)) { + //r->exptime = gettime(); + } else { + r = TAILQ_NEXT(r, entries); + continue; + } + } + if (r->action == PF_MATCH) { /* * Apply translations before increasing counters, @@ -5813,6 +5831,7 @@ pf_match_rule(struct pf_test_ctx *ctx, struct pf_kruleset *ruleset) r = TAILQ_NEXT(r, entries); } + return (ctx->test_status); } diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index 54ffdbed3de5..bcd66fd17d5d 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h @@ -637,6 +637,8 @@ struct pf_rule { #define PFRULE_PFLOW 0x00040000 #define PFRULE_ALLOW_RELATED 0x00080000 #define PFRULE_AFTO 0x00200000 /* af-to rule */ +#define PFRULE_ONCE 0x00400000 /* one shot rule */ +#define PFRULE_EXPIRED 0x00800000 /* one shot rule hit by pkt */ #ifdef _KERNEL #define PFRULE_REFS 0x0080 /* rule has references */
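Review bot: in the first pf.c hunk (@@ -5633), the comment `/* Don't count expired rule evaluations. */` lands after the `PF_TEST_ATTRIB(r->rule_flag & PFRULE_EXPIRED, TAILQ_NEXT(r, entries));` it explains and directly above the `pf_counter_u64_add(&r->evaluations, 1);` it does not; move it above the PF_TEST_ATTRIB line. It would also help to state that this is a plain, unsynchronised read of `rule_flag` used as a fast path: a rule that expires concurrently is still caught by the `atomic_cmpset_int()` in the match path below, so correctness does not rest on this check.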
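Review bot: in the second pf.c hunk (@@ -5736), the commented-out `//r->exptime = gettime();` should not be committed as is; it is a C++-style comment in kernel C and dead code. Either drop it, or replace it with a `/* ... */` note that expired rules are not purged on FreeBSD, as the commit message says. Separately, a failed `atomic_cmpset_int(&r->rule_flag, rule_flag, rule_flag | PFRULE_EXPIRED)` is treated as "already fired" regardless of which bit changed under us: if any other bit of `rule_flag` can be modified concurrently on an active rule, the one-shot rule is skipped without ever having matched a packet. Either re-read `rule_flag` and retry while `PFRULE_EXPIRED` is still clear, or add a comment stating that no other `rule_flag` bits are mutated at runtime. Finally, the block sits inside `if (r->anchor == NULL)`, so a rule that is both one-shot and an anchor never expires; if that is intended it deserves a comment, otherwise such a rule should be rejected at load time.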
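Review bot: the third pf.c hunk (@@ -5813) adds only a blank line before `return (ctx->test_status);`; unrelated whitespace changes are best kept out of a functional commit so that blame and backports stay clean.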
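Review bot: in the pf.h hunk, `PFRULE_EXPIRED` is runtime state that only the kernel should set, yet it is defined next to `PFRULE_ONCE` in the userland-visible flag space rather than under `#ifdef _KERNEL` with `PFRULE_REFS`. Nothing in this diff clears or rejects `PFRULE_EXPIRED` in rules supplied from userland, so a rule could be installed already expired and be silently skipped by the new `PF_TEST_ATTRIB(r->rule_flag & PFRULE_EXPIRED, ...)` check. Mask the bit when rules are loaded, and say in the comment whether it is intended to be copied out to pfctl for display.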