authorKristof Provost <kp@FreeBSD.org>2025-08-28 09:20:40 +0000
committerKristof Provost <kp@FreeBSD.org>2025-09-25 12:41:09 +0000
commitde8af57c6f4155caa540a68387fdb02514d7e815 (patch)
treea2b7b5e251475a4b3ab50c87ec6a1b1b23a5af3e
parent2be46b52f5db0630550ec60ad8f92a7e7d7d78ab (diff)
pf: simplify expiration of 'once' rules.
Let the packet mark the 'once' rule as expired. The rule will be removed by pfctl(8) when rules are updated. OK kn@ Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a21b78cad0 Obtained from: OpenBSD, jmc <jmc@openbsd.org>, 588f4160c8 Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--sbin/pfctl/pfctl_parser.c3
-rw-r--r--share/man/man5/pf.conf.510
2 files changed, 10 insertions, 3 deletions
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 54d3e7c8dc79..edbc924341e0 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1291,6 +1291,9 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, int verbose, int numer
r->rdr.proxy_port[1], PF_RDR);
}
}
+
+ if (r->rule_flag & PFRULE_EXPIRED)
+ printf(" # expired");
}
void
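Review bot: The ` # expired` tag on the added lines is printed regardless of the `verbose` argument of print_rule(), while the pf.conf.5 change in this same commit states that expired rules are only shown with -vv; if the caller already drops expired rules in non-verbose listings that is consistent, but nothing in this hunk enforces it, so the intent deserves a comment here. Suggest placing `/* Expired 'once' rules stay in the loaded ruleset until pfctl replaces it; tag them so a listing shows they no longer match. */` above the new `if`. Because the suffix begins with `#`, it is presumably meant to read as a pf.conf(5) comment so that a listed rule remains loadable, which is worth stating in the same comment. print_rule() begins outside the hunk.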
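--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 27, 2025
+.Dd August 28, 2025
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -2259,8 +2259,12 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below
 Limit each packet to be no more than the specified number of bytes.
 This includes the IP header, but not any layer 2 header.
 .It Ar once
-Creates a one shot rule that will remove itself from an active ruleset after
-the first match.
+Creates a one shot rule.
+The first matching packet marks the rule as expired;
+any expired rules are no longer evaluated.
+Expired rules are only shown in verbose mode (-vv):
+.Xr pfctl 8
+will append '# expired' to note any once rules which have already been hit.
 .Pp
 .It Xo Ar queue Aq Ar queue
 .No \*(Ba ( Aq Ar queue ,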