The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=cc97633b4b7a3b670d6223b1cd79a0d807dcebbd

commit cc97633b4b7a3b670d6223b1cd79a0d807dcebbd
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-08-28 09:37:11 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-09-25 12:41:10 +0000

    pfctl.8/pf.conf.5: Improve "once" bits
    
    - use imperative tense in the pf.conf(5) "once" part
    - leave printing implementation details to pfctl(8)'s "-s rules" part
    - use more markup
    - debug mode also prints expired rules
    
    OK jmc sashan
    
    Obtained from:  OpenBSD, kn <k...@openbsd.org>, 1f1797aba7
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.8       | 9 ++++++++-
 share/man/man5/pf.conf.5 | 9 ++++-----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index f1a2bbef6236..58de54cdf923 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 25, 2025
+.Dd August 28, 2025
 .Dt PFCTL 8
 .Os
 .Sh NAME
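Review bot: the .Dd bump to August 28, 2025 is applied to pfctl.8 only. The pf.conf.5 part of this commit rewrites the "once" text, and the diffstat's 4 insertions and 5 deletions for that file are all in the "once" hunk, so pf.conf.5 keeps its previous document date. Suggest bumping .Dd in share/man/man5/pf.conf.5 as well so both pages reflect the content change.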
@@ -463,6 +463,13 @@ When used together with
 .Fl v ,
 the per-rule statistics (number of evaluations,
 packets, and bytes) are also shown.
+When used together with
+.Fl g
+or
+.Fl vv ,
+expired rules
+.Pq marked as Dq # expired
+are also shown.
 Note that the
 .Dq skip step
 optimization done automatically by the kernel
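Review bot: in the added ".Pq marked as Dq # expired" line, the marker is literal pfctl output rather than quoted prose, so a literal macro such as ".Ql # expired" would suit it better than .Dq. Since the sentence just before describes what a single -v adds, it would also help to keep the -vv requirement prominent here, because this is now the only place that documents how expired rules are printed.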
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index cb7fea467c2e..da02f10aac01 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -2259,12 +2259,11 @@ When the rate is exceeded, all ICMP is blocked until 
the rate falls below
 Limit each packet to be no more than the specified number of bytes.
 This includes the IP header, but not any layer 2 header.
 .It Ar once
-Creates a one shot rule.
-The first matching packet marks the rule as expired;
-any expired rules are no longer evaluated.
-Expired rules are only shown in verbose mode (-vv):
+Create a one shot rule.
+The first matching packet marks the rule as expired.
+Expired rules are skipped and hidden, unless
 .Xr pfctl 8
-will append '# expired' to note any once rules which have already been hit.
+is used in debug or verbose mode.
 .Pp
 .It Xo Ar queue Aq Ar queue
 .No \*(Ba ( Aq Ar queue ,
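Review bot: "is used in debug or verbose mode" in the new "once" text is looser than the pfctl.8 wording added in this same commit, which names -g or -vv. A reader can take "verbose mode" to mean a single -v, which per the pfctl.8 text only adds per-rule statistics, and then conclude that a one shot rule has vanished from the ruleset when it is merely hidden. Suggest either naming the flags here or pointing explicitly at the "-s rules" description in pfctl(8), so that someone auditing a ruleset knows how to list rules that have already expired.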
