- mention the inversion operator for "some parameters" - mention the inversion operator for "received-on" to match "tagged" - don't wrap a short line - use spaces, not tabs inside a literal block - quote the inversion operator when describing BNF syntax (easy to miss): - "label" string | "tag" string | [ ! ] "tagged" string | + "label" string | "tag" string | [ "!" ] "tagged" string |
Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.558
diff -u -p -r1.558 pf.conf.5
--- share/man/man5/pf.conf.5 15 May 2017 11:24:37 -0000 1.558
+++ share/man/man5/pf.conf.5 15 May 2017 17:30:30 -0000
@@ -131,6 +131,9 @@ matching attributes.
 Certain parameters can be expressed as lists, in which case
 .Xr pfctl 8
 generates all needed rule combinations.
+It's also possible to invert some parameters by specifying the
+.Cm !\&
+operator.
 .Pp
 By default
 .Xr pf 4
@@ -638,12 +641,17 @@ For example, the following rule will dro
 .It Cm prio Ar number
 Only match packets which have the given queueing priority assigned.
 .Pp
-.It Cm received-on Ar interface
+.It Oo Cm \&! Oc Ns Cm received-on Ar interface
 Only match packets which were received on the specified
 .Cm interface
 (or interface group).
 .Cm any
 will match any existing interface except loopback ones.
+Inverse interface matching can also be done by specifying the
+.Cm !\&
+operator before the
+.Cm received-on
+keyword.
 .Pp
 .It Cm rtable Ar number
 Used to select an alternate routing table for the routing lookup.
@@ -733,8 +741,7 @@ to specify that packets must already be
 tagged with the given
 .Ar string
 in order to match the rule.
-Inverse tag matching can also be done
-by specifying the
+Inverse tag matching can also be done by specifying the
 .Cm !\&
 operator before the
 .Cm tagged
@@ -2690,22 +2697,22 @@ filteropt = user | group | flags |
 ( "no" | "keep" | "modulate" | "synproxy" ) "state"
 [ "(" state-opts ")" ] |
 "scrub" "(" scrubopts ")" | "fragment" | "allow-opts" | "once" |
- "divert-packet" "port" port | "divert-reply" |
- "divert-to" host "port" port |
- "label" string | "tag" string | [ ! ] "tagged" string |
+ "divert-packet" "port" port | "divert-reply" |
+ "divert-to" host "port" port |
+ "label" string | "tag" string | [ "!" ] "tagged" string |
 "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
 "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
 "rtable" number | "probability" number"%" | "prio" number |
- "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
- [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
- "binat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] |
- "rdr-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] |
- "nat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] [ "static-port" ] |
- [ route ] | [ "set tos" tos ] |
- [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
+ "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
+ [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
+ "binat-to" ( redirhost | "{" redirhost-list "}" )
+ [ portspec ] [ pooltype ] |
+ "rdr-to" ( redirhost | "{" redirhost-list "}" )
+ [ portspec ] [ pooltype ] |
+ "nat-to" ( redirhost | "{" redirhost-list "}" )
+ [ portspec ] [ pooltype ] [ "static-port" ] |
+ [ route ] | [ "set tos" tos ] |
+ [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
 
 scrubopts = scrubopt [ [ "," ] scrubopts ]
 scrubopt = "no-df" | "min-ttl" number | "max-mss" number |
-- Michal Mazurek