The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=1ae17b65b676d0bfa291b193aa4b70ba6f993aaf
commit 1ae17b65b676d0bfa291b193aa4b70ba6f993aaf Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-07 07:12:36 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-12 09:57:51 +0000 pf.conf.5: should clearly state range match operator ':' does not work for uid/gid. OK @kn, OK @sthen Obtained from: OpenBSD, sashan <sas...@openbsd.org>, 4521e23a38 Sponsored by: Rubicon Communications, LLC ("Netgate") --- share/man/man5/pf.conf.5 | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index fe848b030484..b5843d67e106 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 2, 2025 +.Dd July 7, 2025 .Dt PF.CONF 5 .Os .Sh NAME @@ -2047,6 +2047,21 @@ connections: block out proto { tcp, udp } all pass out proto { tcp, udp } all user { < 1000, dhartmei } .Ed +.Pp +The example below permits users with uid between 1000 and 1500 +to open connections: +.Bd -literal -offset indent +block out proto tcp all +pass out proto tcp from self user { 999 >< 1501 } +.Ed +.Pp +The +.Sq \&: +operator, which works for port number matching, does not work for +.Cm user +and +.Cm group +match. .It Xo Ar flags Aq Ar a .Pf / Ns Aq Ar b .No \*(Ba / Ns Aq Ar b
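Review bot: In the second hunk (the user/group text after the existing "user { < 1000, dhartmei }" example), the new closing paragraph says ':' does not work for user and group but never tells the reader what to write instead. The example just above it depends on the fact that '><' excludes its boundaries, which is why it uses 999 and 1501 to cover uids 1000 through 1500, yet the prose only says "between 1000 and 1500" and leaves the off-by-one for the reader to work out. Suggest stating that the range is inclusive, noting that '><' excludes both boundaries, and having the ':' sentence point to '><' as the replacement. A rule written with the wrong bounds here silently passes or blocks traffic for the wrong uids, so the extra sentence is worth it. Minor wording: "user and group match" would read better as "user and group matching", parallel to "port number matching" earlier in the same sentence.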