From 1f1797aba74e314b5d73adac7c0ac26788415e56 Mon Sep 17 00:00:00 2001 From: kn Date: Fri, 18 Nov 2022 18:11:10 +0000 Subject: [PATCH] Improve "once" bits - use imperative tense in the pf.conf(5) "once" part - leave printing implementation details to pfctl(8)'s "-s rules" part - use more markup - debug mode also prints expired rules OK jmc sashan --- sbin/pfctl/pfctl.8 | 11 +++++++++-- share/man/man5/pf.conf.5 | 13 ++++++------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 19cf63fe4b1..3f152f4c0dc 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.182 2022/11/14 09:56:09 jmc Exp $ +.\" $OpenBSD: pfctl.8,v 1.183 2022/11/18 18:11:10 kn Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 14 2022 $ +.Dd $Mdocdate: November 18 2022 $ .Dt PFCTL 8 .Os .Sh NAME @@ -374,6 +374,13 @@ When used together with .Fl v , the per-rule statistics (number of evaluations, packets and bytes) are also shown. +When used together with +.Fl g +or +.Fl vv , +expired rules +.Pq marked as Dq # expired +are also shown. Note that the .Dq skip step optimization done automatically by the kernel diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 157db72588f..1115b51bcfd 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.599 2022/11/10 19:07:21 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.600 2022/11/18 18:11:10 kn Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 Henning Brauer 
@@ -28,7 +28,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 10 2022 $ +.Dd $Mdocdate: November 18 2022 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -661,12 +661,11 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below 100 per 10 seconds again. .Pp .It Cm once -Creates a one shot rule. -The first matching packet marks the rule as expired; -any expired rules are no longer evaluated. -Expired rules are only shown in verbose mode (-vv): +Create a one shot rule. +The first matching packet marks the rule as expired. +Expired rules are skipped and hidden, unless .Xr pfctl 8 -will append '# expired' to note any once rules which have already been hit. +is used in debug or verbose mode. .Pp .It Cm probability Ar number Ns % A probability attribute can be attached to a rule, -- 2.20.1
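Review bot: In the pfctl.8 hunk at -374,6 +374,13, the added sentence speaks of "expired rules" without saying what makes a rule expire, and nothing in the surrounding context lines defines the term. Since this commit moves the printing detail out of pf.conf(5) and into this paragraph, consider naming the option here, for example "expired .Cm once rules", or adding an .Xr pf.conf 5 reference. Someone auditing a ruleset from "-s rules" output then learns from this page that listings without .Fl g or .Fl vv leave out rules that were loaded but have already matched.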
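Review bot: In the pf.conf.5 hunk at -661,12 +661,11, "is used in debug or verbose mode" is looser than both the text it replaces, which said "verbose mode (-vv)", and the new pfctl.8 wording, which names .Fl g and .Fl vv. The pfctl.8 context lines describe a single .Fl v that only adds per-rule statistics, so a reader can take "verbose mode" to mean -v and expect expired rules to appear there. Suggest keeping the level explicit in this sentence, and saying what the rules are hidden from (the pfctl rule listing) rather than the bare "skipped and hidden", so the two pages agree on when a once rule that has fired is still visible.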