Improve "once" bits

- use imperative tense in the pf.conf(5) "once" part
- leave printing implementation details to pfctl(8)'s "-s rules" part
- use more markup
- debug mode also prints expired rules

OK jmc sashan

1 files changed, 6 insertions, 7 deletions

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 157db72588f..1115b51bcfd 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.599 2022/11/10 19:07:21 jmc Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.600 2022/11/18 18:11:10 kn Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" Copyright (c) 2003 - 2013 Henning Brauer <henning@openbsd.org>
@@ -28,7 +28,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 10 2022 $
+.Dd $Mdocdate: November 18 2022 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -661,12 +661,11 @@ When the rate is exceeded, all ICMP is blocked until the rate falls below
 100 per 10 seconds again.
 .Pp
 .It Cm once
-Creates a one shot rule.
-The first matching packet marks the rule as expired;
-any expired rules are no longer evaluated.
-Expired rules are only shown in verbose mode (-vv):
+Create a one shot rule.
+The first matching packet marks the rule as expired.
+Expired rules are skipped and hidden, unless
 .Xr pfctl 8
-will append '# expired' to note any once rules which have already been hit.
+is used in debug or verbose mode.
 .Pp
 .It Cm probability Ar number Ns %
 A probability attribute can be attached to a rule,