Hello,
mikeb@ and I were poking at the same idea some time ago (?2016?). But the idea
never turned into a diff. If I remember correctly, the only meaningful use case we
could come up with for once rules is [t]ftp-proxy. But neither one seems to use
once rules at all. I'm OK with removing 'once' rules. From my point of view it
adds too much complexity for little win.
I've found just one nit in your diff so far, see below.
thanks and
regards
sashan
</snip>
> Index: sys/net/pfvar.h
> ===================================================================
> RCS file: /cvs/src/sys/net/pfvar.h,v
> retrieving revision 1.493
> diff -u -p -u -p -r1.493 pfvar.h
> --- sys/net/pfvar.h 17 Nov 2019 08:25:05 -0000 1.493
> +++ sys/net/pfvar.h 24 Jan 2020 06:12:19 -0000
> @@ -596,10 +596,6 @@ struct pf_rule {
> u_int16_t port;
> u_int8_t type;
> } divert;
> -
> - SLIST_ENTRY(pf_rule) gcle;
> - struct pf_ruleset *ruleset;
> - time_t exptime;
> };
>
> /* rule flags */
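Review bot: dropping gcle, ruleset and exptime from struct pf_rule changes the size and layout of a structure that userland pfctl passes through the pf ioctl interface, so the kernel and pfctl must be rebuilt together; it would help to say so in the commit message, and to confirm that the only readers of these three fields (the rule garbage collection and expiry path) are removed in the parts of the diff not shown here, since nothing in this hunk removes them.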
> @@ -617,7 +613,6 @@ struct pf_rule {
> #define PFRULE_IFBOUND 0x00010000 /* if-bound */
> #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */
> #define PFRULE_PFLOW 0x00040000
> -#define PFRULE_ONCE 0x00100000 /* one shot rule */
> #define PFRULE_AFTO 0x00200000 /* af-to rule */
> #define PFRULE_EXPIRED 0x00400000 /* one shot rule hit by
> pkt */
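Review bot: PFRULE_EXPIRED 0x00400000 should go together with PFRULE_ONCE, since its own comment ("one shot rule hit by pkt") ties it to the once mechanism this hunk removes; with PFRULE_ONCE gone there is no code path left that can set it, so any remaining test of the flag (in the kernel or in pfctl's rule printing) becomes dead code. Leave the freed bit values as holes rather than renumbering the neighbouring flags, and remember the pf.conf(5) documentation for the 'once' keyword needs the matching removal.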
PFRULE_EXPIRED can also be removed.