git: 882121672704 - main - pfctl: One shot rules can be used in pf.conf by specifying a "once" filter option.
Date: Thu, 25 Sep 2025 12:41:34 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=8821216727043dde9cb23a66b884f7918c80063c
commit 8821216727043dde9cb23a66b884f7918c80063c
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-27 13:41:07 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-25 12:41:08 +0000
pfctl: One shot rules can be used in pf.conf by specifying a "once" filter option.
ok henning, mcbride
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 44b1b5a8a9
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/parse.y | 17 +++++++++++++++--
sbin/pfctl/pfctl_parser.c | 2 ++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 0628b387b4b3..c35460f5443d 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -267,7 +267,7 @@ static struct filter_opts {
#define FOM_SETTOS 0x0100
#define FOM_SCRUB_TCP 0x0200
#define FOM_SETPRIO 0x0400
-#define FOM_ONCE 0x1000 /* not yet implemmented */
+#define FOM_ONCE 0x1000
#define FOM_PRIO 0x2000
#define FOM_SETDELAY 0x4000
#define FOM_FRAGCACHE 0x8000 /* does not exist in OpenBSD */
@@ -541,7 +541,7 @@ int parseport(char *, struct range *r, int);
%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL
%token DNPIPE DNQUEUE RIDENTIFIER
-%token LOAD RULESET_OPTIMIZATION PRIO
+%token LOAD RULESET_OPTIMIZATION PRIO ONCE
%token STICKYADDRESS ENDPI MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE
%token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY PFLOW ALLOW_RELATED
%token TAGGED TAG IFBOUND FLOATING STATEPOLICY STATEDEFAULTS ROUTE SETTOS
@@ -1061,6 +1061,12 @@ anchorrule : ANCHOR anchorname dir quick interface af proto fromto
}
}
+ if ($9.marker & FOM_ONCE) {
+ yyerror("cannot specify 'once' "
+ "on anchors");
+ YYERROR;
+ }
+
if (filteropts_to_rule(&r, &$9))
YYERROR;
@@ -2390,6 +2396,9 @@ pfrule : action dir logquick interface route af proto fromto
r.quick = $3.quick;
r.af = $6;
+ if ($9.marker & FOM_ONCE)
+ r.rule_flag |= PFRULE_ONCE;
+
if (filteropts_to_rule(&r, &$9))
YYERROR;
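Review bot: The new `r.rule_flag |= PFRULE_ONCE;` is applied for every rule action reaching this path, including `block`, and nothing in the diff says which actions a one-shot rule is meaningful for or what "once" means at the rule level (consumed by the first match, presumably). Whether the kernel honours PFRULE_ONCE is outside this diff; the removed `/* not yet implemmented */` comment in the first hunk suggests the kernel side now exists, but a reader of this commit cannot confirm it, so a pointer to that change would help. A one-line comment at the assignment, e.g. `/* one-shot rule: kernel side must honour PFRULE_ONCE */`, would make the intent explicit. The pfrule action body starts and ends outside the hunk.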
@@ -3036,6 +3045,9 @@ filter_opt : USER uids {
}
filter_opts.max_pkt_size = $2;
}
+ | ONCE {
+ filter_opts.marker |= FOM_ONCE;
+ }
| filter_sets
;
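Review bot: The new `once` filter option is user-facing syntax, but the diffstat lists only parse.y and pfctl_parser.c, so pf.conf(5) is not updated by this commit and users have no description of what a one-shot rule does or that it is rejected on anchors (see the anchorrule hunk). The manual entry should be added alongside the other filter options or a follow-up commit referenced, and it should say that the rule is consumed by whatever traffic first matches it, since that is the property an operator needs to weigh before using it. A short comment above `| ONCE {`, e.g. `/* one-shot rule, mapped to PFRULE_ONCE in pfrule */`, would also help, as the marker bits here are otherwise explained only by name. The filter_opt rule continues outside the hunk.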
@@ -6725,6 +6737,7 @@ lookup(char *s)
{ "no-route", NOROUTE},
{ "no-sync", NOSYNC},
{ "on", ON},
+ { "once", ONCE},
{ "optimization", OPTIMIZATION},
{ "os", OS},
{ "out", OUT},
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 9609e880584f..ce493570a25e 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1234,6 +1234,8 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer
printf(" %s %d",
r->free_flags & PFRULE_DN_IS_PIPE ? "dnpipe" : "dnqueue",
r->dnpipe);
+ if (r->rule_flag & PFRULE_ONCE)
+ printf(" once");
if (r->qname[0] && r->pqname[0])
printf(" queue(%s, %s)", r->qname, r->pqname);
else if (r->qname[0])