Diffstat (limited to 'share/man/man5/pf.conf.5')
-rw-r--r--share/man/man5/pf.conf.548
1 files changed, 37 insertions, 11 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index bdd8a843d72a..c22d983d33e8 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -27,7 +27,7 @@
.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd July 30, 2025
+.Dd November 3, 2025
.Dt PF.CONF 5
.Os
.Sh NAME
@@ -92,14 +92,20 @@ keyword, for example:
include "/etc/pf/sub.filter.conf"
.Ed
.Sh MACROS
-Macros can be defined that will later be expanded in context.
-Macro names must start with a letter, and may contain letters, digits
-and underscores.
-Macro names may not be reserved words (for example
+A macro is defined with a command of the form
+.Ar name Ns = Ns Ar value .
+The macro
+.Ar name
+can contain letters, digits, and underscores and cannot be a reserved word
+(for example,
.Ar pass ,
.Ar in ,
+or
.Ar out ) .
-Macros are not expanded inside quotes.
+Within unquoted arguments, the string
+.Pf $ Ar name
+is later expanded to
+.Ar value .
Ranges of network addresses used in macros that will be expanded in lists
later on must be quoted with additional simple quotes.
.Pp
@@ -267,6 +273,10 @@ which corresponds to the connection state.
Each packet which matches this state will reset the TTL.
Tuning these values may improve the performance of the
firewall at the risk of dropping valid idle connections.
+Alternatively, these values may be adjusted collectively
+in a manner suitable for a specific environment using
+.Cm set optimization
+(see above).
.Pp
.Bl -tag -width xxxx -compact
.It Ar tcp.first
@@ -274,6 +284,9 @@ The state after the first packet.
.It Ar tcp.opening
The state after the second packet but before both endpoints have
acknowledged the connection.
+.It Ar tcp.tsdiff
+Maximum allowed time difference between RFC 1323 compliant packet timestamps.
+30 seconds by default.
.It Ar tcp.established
The fully established state.
.It Ar tcp.closing
@@ -1477,7 +1490,7 @@ options and both implicitly and explicitly in the case of
ones.
A
.Ar rdr-to
-opion may cause the source port to be modified if doing so avoids a conflict
+option may cause the source port to be modified if doing so avoids a conflict
with an existing connection.
A random source port in the range 50001-65535 is chosen in this case.
Port numbers are never translated with a
@@ -2245,6 +2258,13 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below
.It Ar max-pkt-size Aq Ar number
Limit each packet to be no more than the specified number of bytes.
This includes the IP header, but not any layer 2 header.
+.It Ar once
+Create a one shot rule.
+The first matching packet marks the rule as expired.
+Expired rules are skipped and hidden, unless
+.Xr pfctl 8
+is used in debug or verbose mode.
+.Pp
.It Xo Ar queue Aq Ar queue
.No \*(Ba ( Aq Ar queue ,
.Aq Ar queue )
@@ -2357,7 +2377,7 @@ packets matching the same connection.
.It Ar route-to
The
.Ar route-to
-option routes the packet to the specified interface with an optional address
+option routes the packet to the specified interface with an address
for the next hop.
When a
.Ar route-to
@@ -3430,7 +3450,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
[ "(" state-opts ")" ] |
"fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
"max-mss" number | "random-id" | "reassemble tcp" |
- fragmentation | "allow-opts" |
+ fragmentation | "allow-opts" | "once" |
"label" string | "tag" string | [ "!" ] "tagged" string |
"max-pkt-rate" number "/" seconds |
"set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
@@ -3440,6 +3460,12 @@ filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
"dnpipe" ( number | "(" number "," number ")" ) |
"dnqueue" ( number | "(" number "," number ")" ) |
"ridentifier" number |
+ "binat-to" ( redirhost | "{" redirhost-list "}" )
+ [ portspec ] [ pooltype ] |
+ "rdr-to" ( redirhost | "{" redirhost-list "}" )
+ [ portspec ] [ pooltype ] |
+ "nat-to" ( redirhost | "{" redirhost-list "}" )
+ [ portspec ] [ pooltype ] [ "static-port" ] |
[ ! ] "received-on" ( interface-name | interface-group )
nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
@@ -3532,7 +3558,7 @@ hosts = "all" |
ipspec = "any" | host | "{" host-list "}"
host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
redirhost = address [ "/" mask-bits ]
-routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
+routehost = "(" interface-name address [ "/" mask-bits ] ")"
address = ( interface-name | interface-group |
"(" ( interface-name | interface-group ) ")" |
hostname | ipv4-dotted-quad | ipv6-coloned-hex )
@@ -3580,7 +3606,7 @@ fragmentation = [ "fragment reassemble" ]
timeout-list = timeout [ [ "," ] timeout-list ]
timeout = ( "tcp.first" | "tcp.opening" | "tcp.established" |
- "tcp.closing" | "tcp.finwait" | "tcp.closed" |
+ "tcp.closing" | "tcp.finwait" | "tcp.closed" | "tcp.tsdiff" |
"sctp.first" | "sctp.opening" | "sctp.established" |
"sctp.closing" | "sctp.closed" |
"udp.first" | "udp.single" | "udp.multiple" |