On Mon, May 15, 2017 at 07:42:46PM +0200, Michal Mazurek wrote:
> - mention the inversion operator for "some parameters"
> - mention the inversion operator for "received-on" to match "tagged"
> - don't wrap a short line
> - use spaces, not tabs inside a literal block
> - quote the inversion operator when describing BNF syntax (easy to miss):
> -                 "label" string | "tag" string | [ ! ] "tagged" string |
> +                 "label" string | "tag" string | [ "!" ] "tagged" string |
> 
> 

morning.

i think there are really two diffs here. one, formatting for BNF, is
really hard to read so i want to put that to the side till we address
the other, the "!" operator.

i would prefer to just say upfront that some things can take "!", show
them in the summary line, but not repeat all the "may be inversed"
text. i think the idea of "!" is sufficiently clear that we can get away
with that.

so my suggestion below. after we sort that, we can see whether there are
further formatting changes to make.

jmc

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.560
diff -u -r1.560 pf.conf.5
--- pf.conf.5   16 May 2017 22:29:02 -0000      1.560
+++ pf.conf.5   17 May 2017 06:33:39 -0000
@@ -128,6 +128,9 @@
 Most parameters are optional.
 If a parameter is specified, the rule only applies to packets with
 matching attributes.
+The matching for some parameters can be inverted with the
+.Cm !\&
+operator.
 Certain parameters can be expressed as lists, in which case
 .Xr pfctl 8
 generates all needed rule combinations.
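
Review bot: "some parameters" in the added sentence leaves the reader to work out which ones accept the operator. Since the item headings are meant to carry that information, say so here, for example that such parameters are shown with an optional ! in front of the keyword.
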
@@ -638,7 +641,7 @@
 .It Cm prio Ar number
 Only match packets which have the given queueing priority assigned.
 .Pp
-.It Cm received-on Ar interface
+.It Oo Cm \&! Oc Ns Cm received-on Ar interface
 Only match packets which were received on the specified
 .Cm interface
 (or interface group).
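
Review bot: the escaped operator is spelled \&! in the new .It line here but !\& in the sentence added at line 128 and in the text removed from the tagged entry; pick one spelling so a search of the source finds every use. It is also worth checking that Ns gives the rendering you want, since it joins the closing bracket to received-on with no space, while the BNF writes the operator and the keyword as separate tokens.
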
@@ -733,12 +736,6 @@
 be tagged with the given
 .Ar string
 in order to match the rule.
-Inverse tag matching can also be done
-by specifying the
-.Cm !\&
-operator before the
-.Cm tagged
-keyword.
 .Pp
 .It Cm tos Ar string | number
 This rule applies to packets with the specified TOS bits set.
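
Review bot: with these six lines removed, the tagged entry no longer says in prose that it can be inverted, and the tagged .It line lies outside this hunk's context. Please confirm that heading already shows the optional ! the way the new received-on heading does; otherwise the only remaining mention for tagged is the BNF at the end of the page.
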
@@ -2689,7 +2686,7 @@
                  "fragment" | "allow-opts" | "once" |
                 "divert-packet" "port" port | "divert-reply" |
                 "divert-to" host "port" port |
-                 "label" string | "tag" string | [ ! ] "tagged" string |
+                 "label" string | "tag" string | [ "!" ] "tagged" string |
                  "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
                  "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                  "rtable" number | "probability" number"%" | "prio" number |

> Index: share/man/man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.558
> diff -u -p -r1.558 pf.conf.5
> --- share/man/man5/pf.conf.5  15 May 2017 11:24:37 -0000      1.558
> +++ share/man/man5/pf.conf.5  15 May 2017 17:30:30 -0000
> @@ -131,6 +131,9 @@ matching attributes.
>  Certain parameters can be expressed as lists, in which case
>  .Xr pfctl 8
>  generates all needed rule combinations.
> +It's also possible to invert some parameters by specifying the
> +.Cm !\&
> +operator.
>  .Pp
>  By default
>  .Xr pf 4
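
Review bot: "invert some parameters" in the added text reads as if the parameter itself were inverted, when it is the match that is inverted. The sentence also lands after the one about lists, where it reads as a continuation of list handling; it fits better directly after "matching attributes", which is the sentence about matching.
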
> @@ -638,12 +641,17 @@ For example, the following rule will dro
>  .It Cm prio Ar number
>  Only match packets which have the given queueing priority assigned.
>  .Pp
> -.It Cm received-on Ar interface
> +.It Oo Cm \&! Oc Ns Cm received-on Ar interface
>  Only match packets which were received on the specified
>  .Cm interface
>  (or interface group).
>  .Cm any
>  will match any existing interface except loopback ones.
> +Inverse interface matching can also be done by specifying the
> +.Cm !\&
> +operator before the
> +.Cm received-on
> +keyword.
>  .Pp
>  .It Cm rtable Ar number
>  Used to select an alternate routing table for the routing lookup.
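
Review bot: the added sentence does not say what the inverted form matches when the argument is any, which the line just above it defines as every existing interface except loopback ones. Someone writing a filter rule needs to know what ! received-on any does, so either document that case or drop the sentence and let the [!] in the heading stand.
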
> @@ -733,8 +741,7 @@ to specify that packets must already
>  be tagged with the given
>  .Ar string
>  in order to match the rule.
> -Inverse tag matching can also be done
> -by specifying the
> +Inverse tag matching can also be done by specifying the
>  .Cm !\&
>  operator before the
>  .Cm tagged
> @@ -2690,22 +2697,22 @@ filteropt      = user | group | flags | 
>                   ( "no" | "keep" | "modulate" | "synproxy" ) "state"
>                   [ "(" state-opts ")" ] | "scrub" "(" scrubopts ")" |
>                   "fragment" | "allow-opts" | "once" |
> -              "divert-packet" "port" port | "divert-reply" |
> -              "divert-to" host "port" port |
> -                 "label" string | "tag" string | [ ! ] "tagged" string |
> +                 "divert-packet" "port" port | "divert-reply" |
> +                 "divert-to" host "port" port |
> +                 "label" string | "tag" string | [ "!" ] "tagged" string |
>                   "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
>                   "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
>                   "rtable" number | "probability" number"%" | "prio" number |
> -              "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
> -              [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
> -              "binat-to" ( redirhost | "{" redirhost-list "}" )
> -              [ portspec ] [ pooltype ] |
> -              "rdr-to" ( redirhost | "{" redirhost-list "}" )
> -              [ portspec ] [ pooltype ] |
> -              "nat-to" ( redirhost | "{" redirhost-list "}" )
> -              [ portspec ] [ pooltype ] [ "static-port" ] |
> -              [ route ] | [ "set tos" tos ] |
> -              [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
> +                 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
> +                 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
> +                 "binat-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] |
> +                 "rdr-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] |
> +                 "nat-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] [ "static-port" ] |
> +                 [ route ] | [ "set tos" tos ] |
> +                 [ [ "!" ] "received-on" ( interface-name | interface-group 
> ) ]
>  
>  scrubopts      = scrubopt [ [ "," ] scrubopts ]
>  scrubopt       = "no-df" | "min-ttl" number | "max-mss" number |
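
Review bot: the last added line, the received-on production, appears wrapped so that its closing ") ]" sits on a line of its own; if the mail went out that way the diff will not apply as sent. The hunk also mixes the tab-to-space reindent of twelve lines with the one functional change, quoting the operator in [ "!" ] "tagged"; sending those as two diffs would make the grammar change easy to see.
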
> 
> -- 
> Michal Mazurek
> 
