Finally implement what's stated in the man page regarding parent

anchors for "once" rules: "In case this is the only rule in the
anchor, the anchor will be destroyed automatically after the rule
is matched."  Employ an additional pointer pair to keep track of
the parent ruleset containing the anchor that we want to remove.

OK henning

1 files changed, 14 insertions, 4 deletions

diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index a4dba038b8d..eaf17584c6d 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_ioctl.c,v 1.275 2014/08/12 14:38:28 mikeb Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.276 2014/08/12 15:29:33 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -307,9 +307,10 @@ pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
 }
 
 void
-pf_purge_rule(struct pf_ruleset *ruleset, struct pf_rule *rule)
+pf_purge_rule(struct pf_ruleset *ruleset, struct pf_rule *rule,
+    struct pf_ruleset *aruleset, struct pf_rule *arule)
 {
-	u_int32_t	 nr = 0;
+	u_int32_t		 nr = 0;
 
 	KASSERT(ruleset != NULL && rule != NULL);
 
@@ -319,7 +320,16 @@ pf_purge_rule(struct pf_ruleset *ruleset, struct pf_rule *rule)
 		rule->nr = nr++;
 	ruleset->rules.active.ticket++;
 	pf_calc_skip_steps(ruleset->rules.active.ptr);
-	pf_remove_if_empty_ruleset(ruleset);
+
+	/* remove the parent anchor rule */
+	if (nr == 0 && arule && aruleset) {
+		pf_rm_rule(aruleset->rules.active.ptr, arule);
+		aruleset->rules.active.rcount--;
+		TAILQ_FOREACH(rule, aruleset->rules.active.ptr, entries)
+			rule->nr = nr++;
+		aruleset->rules.active.ticket++;
+		pf_calc_skip_steps(aruleset->rules.active.ptr);
+	}
 }
 
 u_int16_t