author: mikeb <mikeb@openbsd.org> 2011-08-30 00:47:16 +0000
committer: mikeb <mikeb@openbsd.org> 2011-08-30 00:47:16 +0000
commit: 355f9a50c10c0c56c1a30aedccdb5c6821d06924
tree: b514103eb1607226947b5153587fe37c99a423d1
parent: One shot rules can be used in pf.conf by specifying a "once" filter option.
Document a "once" filter option used to create one shot rules.
ok henning, mcbride, jmc
-rw-r--r-- share/man/man5/pf.conf.5 | 12
1 files changed, 9 insertions, 3 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index faaa38114b1..a1765f59e23 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.507 2011/08/18 10:49:40 henning Exp $
+.\" $OpenBSD: pf.conf.5,v 1.508 2011/08/30 00:47:16 mikeb Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: August 18 2011 $
+.Dd $Mdocdate: August 30 2011 $
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -600,6 +600,12 @@ The macro expansion for the
.Ar label
directive occurs only at configuration file parse time, not during runtime.
.Pp
+.It Ar once
+Creates a one shot rule that will remove itself from an active ruleset after
+the first match.
+In case this is the only rule in the anchor, the anchor will be destroyed
+automatically after the rule is matched.
+.Pp
.It Ar probability Aq Ar number
A probability attribute can be attached to a rule,
with a value set between 0 and 100%,
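Review bot: In the new ".It Ar once" entry, "after the first match" does not say which event removes the rule: the rule matching during ruleset evaluation, or the rule being the one that finally decides the packet. pf rules are last-match unless "quick" is given, so the two can differ, and someone using a one shot rule as a temporary opening needs to know which applies. Suggest stating this explicitly, and also saying whether a state created by the rule outlives the rule's removal. Minor wording: "In case this is the only rule in the anchor" reads more naturally as "If this is the only rule in the anchor".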
@@ -2701,7 +2707,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type |
"tos" tos |
( "no" | "keep" | "modulate" | "synproxy" ) "state"
[ "(" state-opts ")" ] | "scrub" "(" scrubopts ")" |
- "fragment" | "allow-opts" |
+ "fragment" | "allow-opts" | "once" |
"divert-packet" "port" port | "divert-reply" |
"divert-to" host "port" port |
"label" string | "tag" string | [ ! ] "tagged" string |
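Review bot: The changed grammar line, "fragment" | "allow-opts" | "once" |, makes "once" valid anywhere a filteropt is accepted, while the description added in the earlier hunk only covers behaviour inside an anchor ("the anchor will be destroyed automatically"). If the parser limits "once" to particular rule types or to rules inside anchors, the option description should say so; if it does not, the description should state what happens to a one shot rule placed in the main ruleset.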