This diff ensures that PF one shot rules can only be used inside anchors and not in the main ruleset.
OK? Index: sbin/pfctl/parse.y =================================================================== RCS file: /cvs/src/sbin/pfctl/parse.y,v retrieving revision 1.624 diff -u -p -u -p -r1.624 parse.y --- sbin/pfctl/parse.y 1 Aug 2013 19:03:11 -0000 1.624 +++ sbin/pfctl/parse.y 20 Aug 2013 01:54:10 -0000 @@ -1703,8 +1703,14 @@ pfrule : action dir logquick interface r.set_prio[1] = $8.set_prio[1]; r.scrub_flags |= PFSTATE_SETPRIO; } - if ($8.marker & FOM_ONCE) + if ($8.marker & FOM_ONCE) { + if (pf->asd == 0) { + yyerror("'once' can only be used " + "inside anchors\n"); + YYERROR; + } r.rule_flag |= PFRULE_ONCE; + } if ($8.marker & FOM_AFTO) r.rule_flag |= PFRULE_AFTO; r.af = $5; Index: share/man/man5/pf.conf.5 =================================================================== RCS file: /cvs/src/share/man/man5/pf.conf.5,v retrieving revision 1.527 diff -u -p -u -p -r1.527 pf.conf.5 --- share/man/man5/pf.conf.5 25 Apr 2013 16:53:11 -0000 1.527 +++ share/man/man5/pf.conf.5 18 Aug 2013 19:13:23 -0000 @@ -611,6 +611,7 @@ directive occurs only at configuration f .It Ar once Creates a one shot rule that will remove itself from an active ruleset after the first match. +This parameter can only be used in an anchor. In case this is the only rule in the anchor, the anchor will be destroyed automatically after the rule is matched. .Pp
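Review bot: in the parse.y hunk, the new `if (pf->asd == 0)` test only rejects `once` when the rule sits at anchor-stack depth zero within the file being parsed; please confirm that a file loaded into an anchor from the command line (pfctl -a name -f file) does not also arrive at depth zero, because if it does, this rejects exactly the ruleset files anchors are normally populated with. If that is the case, testing whether the target ruleset is an anchor (a non-empty anchor path) rather than the nesting depth would express the intent more robustly. Minor: the message string ends in `"inside anchors\n"`; check whether yyerror already terminates its output with a newline, as the other yyerror calls in this file pass no trailing "\n".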
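Review bot: in the pf.conf.5 hunk, the added sentence "This parameter can only be used in an anchor." states the restriction but not its consequence; since the parse.y hunk makes a `once` rule in the main ruleset a hard parse error (YYERROR), consider saying that pfctl rejects a ruleset that uses it outside an anchor, so readers know it is an error rather than a silently ignored option. It would also help to name the keyword the same way the error message does ("inside anchors"), so the two texts read consistently.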