Hello,

> (2Theo: yes, I'm lazy, sorry :) )
>
> I agree, that "X:Y" syntax for "user" could be confusing, and "X><Y" is
> simply ugly. I do not have a silver bullet here, though.
>
> If you oppose the proposed change, I'll add "... except 'uid1:uid2' syntax,
> which could be mistakenly interpreted as 'uid:gid'" to pf.conf(5). Will
> that be okay?

I think that's where we are heading after reading the email from sthen@.
Let's focus on updating the pf.conf.5 manpage. Would the diff below make
the pf.conf.5 manpage more useful?

thanks and regards
sashan

--------8<---------------8<---------------8<------------------8<-------- diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 452a15d1cfd..42c3c3466da 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -820,6 +820,22 @@ connections: block out proto tcp all pass out proto tcp from self user { < 1000, dhartmei } .Ed +.Pp +The example below specifies a range of users to open outgoing +connections: +.Bd -literal -offset indent +block out proto tcp all +pass out proto tcp from self user { 1000 >< 1500 } +.Ed +.Pp +Note the range above excludes 1000 and 1500 uids from list +of uids, which match the pass rule. The +.Cm : +operator, which works for port number matching, does not work for +.Cm user +and +.Cm group +match. .El .Ss Translation Translation options modify either the source or destination address and
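
Review bot: the added note paragraph ends one sentence and starts the next on the same source line ("of uids, which match the pass rule. The"); mdoc sources begin each new sentence on a new line, so "The" should move down to start its own line ahead of ".Cm :". The wording in that paragraph could also be tightened: "excludes 1000 and 1500 uids from list of uids, which match the pass rule" reads more clearly as something like "the range above does not include uids 1000 and 1500 themselves", and "does not work for user and group match" leaves the reader guessing what happens if they write "uid1:uid2" anyway. Since the thread's concern is that "uid1:uid2" can be mistaken for "uid:gid", it would help to say that explicitly here and to state how an inclusive range is written with "><", for example "{ 999 >< 1501 }" to cover 1000 through 1500. In the first added paragraph, "specifies a range of users to open outgoing connections" would be clearer as "allows a range of users to open outgoing connections".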