git: b7ff11b380bf - main - pf.conf.5: Document a "once" filter option used to create one shot rules.

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 25 Sep 2025 12:41:36 UTC

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b7ff11b380bf6ffaa5181596766e2f21a1eec962

commit b7ff11b380bf6ffaa5181596766e2f21a1eec962
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-27 13:58:40 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-25 12:41:08 +0000

    pf.conf.5: Document a "once" filter option used to create one shot rules.
    
    ok henning, mcbride, jmc
    
    Obtained from:  OpenBSD, mikeb <mikeb@openbsd.org>, 355f9a50c1
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 share/man/man5/pf.conf.5 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 02114b3eaf3c..b87401f8bb34 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 25, 2025
+.Dd August 27, 2025
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -2258,6 +2258,10 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below
 .It Ar max-pkt-size Aq Ar number
 Limit each packet to be no more than the specified number of bytes.
 This includes the IP header, but not any layer 2 header.
+.It Ar once
+Creates a one shot rule that will remove itself from an active ruleset after
+the first match.
+.Pp
 .It Xo Ar queue Aq Ar queue
 .No \*(Ba ( Aq Ar queue ,
 .Aq Ar queue )
@@ -3443,7 +3447,7 @@ filteropt      = user | group | flags | icmp-type | icmp6-type | "tos" tos |
                  [ "(" state-opts ")" ] |
                  "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
                  "max-mss" number | "random-id" | "reassemble tcp" |
-                 fragmentation | "allow-opts" |
+                 fragmentation | "allow-opts" | "once" |
                  "label" string | "tag" string | [ "!" ] "tagged" string |
                  "max-pkt-rate" number "/" seconds |
                  "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |