The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b7ff11b380bf6ffaa5181596766e2f21a1eec962
commit b7ff11b380bf6ffaa5181596766e2f21a1eec962 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-08-27 13:58:40 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-09-25 12:41:08 +0000 pf.conf.5: Document a "once" filter option used to create one shot rules. ok henning, mcbride, jmc Obtained from: OpenBSD, mikeb <mi...@openbsd.org>, 355f9a50c1 Sponsored by: Rubicon Communications, LLC ("Netgate") --- share/man/man5/pf.conf.5 | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 02114b3eaf3c..b87401f8bb34 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 25, 2025 +.Dd August 27, 2025 .Dt PF.CONF 5 .Os .Sh NAME @@ -2258,6 +2258,10 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below .It Ar max-pkt-size Aq Ar number Limit each packet to be no more than the specified number of bytes. This includes the IP header, but not any layer 2 header. +.It Ar once +Creates a one shot rule that will remove itself from an active ruleset after +the first match. +.Pp .It Xo Ar queue Aq Ar queue .No \*(Ba ( Aq Ar queue , .Aq Ar queue ) @@ -3443,7 +3447,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos | [ "(" state-opts ")" ] | "fragment" | "no-df" | "min-ttl" number | "set-tos" tos | "max-mss" number | "random-id" | "reassemble tcp" | - fragmentation | "allow-opts" | + fragmentation | "allow-opts" | "once" | "label" string | "tag" string | [ "!" ] "tagged" string | "max-pkt-rate" number "/" seconds | "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
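Review bot: in the hunk at @@ -2258, the new "once" description says the rule removes itself "after the first match" without defining what counts as a match. pf evaluates filter rules last-match-wins unless "quick" is given, so the text should say whether a one shot rule is removed as soon as a packet matches it or only when it is the rule that decides the packet; an administrator using this for a temporary pass rule needs to know exactly when it stops being in force. Separately, the ".Pp" added just before ".It Xo Ar queue" looks unnecessary: the preceding max-pkt-size entry ends without one before the next ".It", and ".It" already starts a new item, so consider dropping it.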
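Review bot: in the hunk at @@ -3443, "once" is added to filteropt as an unconditional alternative, so the grammar accepts it on any rule that takes a filteropt, while the description added earlier in the patch does not say which rule actions it is meant for. If the parser restricts where "once" is valid, state that restriction in the option's description so the BNF and the text agree; if it does not, a sentence saying it applies to every rule type would remove the ambiguity.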