morning.
the latest changes to pfctl(8) made me see that -k is getting a little
out of hand. diff below reduces the size of the text to try and keep it
down a bit. it goes from about 2.5 screensful to 1.5. SYNOPSIS/usage
lose about a line.
my idea is to stop listing every possible combination like:
-k host | network | label | key | id
as shown in the recent commits, it's easy to lose track of all the
places you have to update when you add a new combination. so just:
-k key
i've also tried to better explain the double -k idea, and zapped some
fairly obvious examples.
here's the diff then.
jmc
Index: pfctl.8
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.168
diff -u -r1.168 pfctl.8
--- pfctl.8 21 Apr 2017 23:22:49 -0000 1.168
+++ pfctl.8 22 Apr 2017 07:04:38 -0000
@@ -39,8 +39,8 @@
.Op Fl F Ar modifier
.Op Fl f Ar file
.Op Fl i Ar interface
-.Op Fl K Ar host | network
-.Op Fl k Ar host | network | label | id
+.Op Fl K Ar key
+.Op Fl k Ar key
.Op Fl L Ar statefile
.Op Fl o Ar level
.Op Fl p Ar device
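Review bot: collapsing the option arguments to `.Op Fl k Ar key` also silently fixes an inconsistency in the old SYNOPSIS, which listed `host | network | label | id` for -k while the option description in the body lists `host | network | label | key | id`; worth a sentence in the commit message so the fix is not lost. Since -K and -k now both read `Ar key`, the two SYNOPSIS lines are identical apart from the flag letter, which is fine, but check that the usage string in pfctl.c is updated in the same diff so the two stay in sync.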
@@ -216,50 +216,22 @@
.It Fl i Ar interface
Restrict the operation to the given
.Ar interface .
-.It Fl K Ar host | network
-Kill all of the source tracking entries originating from the specified
-.Ar host
-or
-.Ar network .
+.It Fl K Ar key
+Kill all of the source tracking entries originating from the
+host or network specified by
+.Ar key .
A second
-.Fl K Ar host
-or
-.Fl K Ar network
-option may be specified, which will kill all the source tracking
-entries from the first host/network to the second.
-.It Xo
-.Fl k
-.Ar host | network | label | key | id
-.Xc
-Kill all of the state entries matching the specified
-.Ar host ,
-.Ar network ,
-.Ar label ,
-.Ar key ,
-or
-.Ar id .
-.Pp
-For example, to kill all of the state entries originating from
-.Dq host :
-.Pp
-.Dl # pfctl -k host
-.Pp
+.Fl K
+option may be specified, which will kill all the source tracking entries
+from the first host/network to the second.
+.It Fl k Ar key
+Kill all of the state entries originating from the
+host or network specified by
+.Ar key .
A second
-.Fl k Ar host
-or
-.Fl k Ar network
+.Fl k
option may be specified, which will kill all the state entries
from the first host/network to the second.
-To kill all of the state entries from
-.Dq host1
-to
-.Dq host2 :
-.Pp
-.Dl # pfctl -k host1 -k host2
-.Pp
-To kill all states originating from 192.168.1.0/24 to 172.16.0.0/16:
-.Pp
-.Dl # pfctl -k 192.168.1.0/24 -k 172.16.0.0/16
.Pp
A network prefix length of 0 can be used as a wildcard.
To kill all states with the target
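Review bot: the new `.It Fl k Ar key` text says the option kills state entries "originating from the host or network specified by key", which is narrower than the old "matching the specified host, network, label, key, or id"; the label, key and id modes are only explained several paragraphs later, so a reader stopping at this item would conclude -k takes addresses only. Suggest a short forward reference here, e.g. "or, with a modifier, by rule label, state key, or state ID (see below)". Also note that the placeholder `Ar key` now shares its name with the `key` modifier introduced in the next hunk, so "key" means two different things within one option description.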
@@ -267,33 +239,38 @@
.Pp
.Dl # pfctl -k 0.0.0.0/0 -k host2
.Pp
-It is also possible to kill states by rule label, state key or state ID.
+It is also possible to kill states by rule label, state key, or state ID.
In this mode the first
.Fl k
-argument is used to specify the type
-of the second argument.
-The following command would kill all states that have been created
-from rules carrying the label
+argument is used to specify the type;
+a second
+.Fl k
+gives the actual target.
+.Pp
+To kill states by rule label,
+use the
+.Cm label
+modifier.
+To kill all states created from rules carrying the label
.Dq foobar :
.Pp
.Dl # pfctl -k label -k foobar
.Pp
-To kill one specific state by its key
-(protocol, host1, port1, direction, host2 and port2 in the same format
-of pfctl -s state),
+To kill one specific state by its state key
+(as shown by pfctl -s state),
use the
-.Ar key
-modifier and as a second argument the state key.
-To kill a state whose protocol is TCP and originating from
-10.0.0.101:32123 to 10.0.0.1:80 use:
+.Cm key
+modifier.
+To kill a state originating from 10.0.0.101:32123 to 10.0.0.1:80,
+protocol TCP, use:
.Pp
.Dl # pfctl -k key -k 'tcp 10.0.0.1:80 <- 10.0.0.101:32123'
.Pp
To kill one specific state by its unique state ID
(as shown by pfctl -s state -vv),
use the
-.Ar id
-modifier and as a second argument the state ID and optional creator ID.
+.Cm id
+modifier.
To kill a state with ID 4823e84500000003 use:
.Pp
.Dl # pfctl -k id -k 4823e84500000003
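Review bot: replacing "modifier and as a second argument the state ID and optional creator ID" with just "modifier." drops the only mention of the optional creator ID; if `-k id -k` still accepts one, keep a reference to it, e.g. "To kill a state with ID 4823e84500000003 (optionally followed by its creator ID) use:". Likewise the old key description spelled out the key layout (protocol, host1, port1, direction, host2 and port2); after this change the `'tcp 10.0.0.1:80 <- 10.0.0.101:32123'` example is the only hint at that format, so "(as shown by pfctl -s state)" might better read "(in the format printed by pfctl -s state)". The switch from `.Ar` to `.Cm` for the label/key/id modifiers is correct, since they are literal words rather than placeholders.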
Index: pfctl.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.340
diff -u -r1.340 pfctl.c
--- pfctl.c 21 Apr 2017 23:22:49 -0000 1.340
+++ pfctl.c 22 Apr 2017 07:04:38 -0000
@@ -239,13 +239,13 @@
extern char *__progname;
fprintf(stderr, "usage: %s [-deghnPqrvz] ", __progname);
- fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
- fprintf(stderr, "\t[-f file] [-i interface] [-K host | network]\n");
- fprintf(stderr, "\t[-k host | network | label | id] ");
- fprintf(stderr, "[-L statefile] [-o level] [-p device]\n");
- fprintf(stderr, "\t[-S statefile] [-s modifier [-R id]] ");
- fprintf(stderr, "[-t table -T command [address ...]]\n");
- fprintf(stderr, "\t[-V rdomain] [-x level]\n");
+ fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]");
+ fprintf(stderr, " [-f file]\n");
+ fprintf(stderr, "\t[-i interface] [-K key] [-k key] [-L statefile]");
+ fprintf(stderr, " [-o level]\n");
+ fprintf(stderr, "\t[-p device] [-S statefile] [-s modifier [-R id]]\n");
+ fprintf(stderr, "\t[-t table -T command [address ...]]");
+ fprintf(stderr, " [-V rdomain] [-x level]\n");
exit(1);
}
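Review bot: each usage line is now emitted as two fprintf calls, the first without a trailing newline and the second carrying the remainder plus "\n"; joining them into one fprintf per output line would make the actual line breaks visible at a glance in the source and avoid a later edit accidentally dropping the "\n". With __progname set to "pfctl", the first output line ("usage: pfctl [-deghnPqrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file]") comes to 79 columns, so it fits, but there is no slack left for a longer program name or another option. The option list matches the new SYNOPSIS (`[-K key] [-k key]`), which is the point of the change.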