Hello,
>
> (2Theo: yes, I'm lazy, sorry :) )
>
> I agree that "X:Y" syntax for "user" could be confusing, and "X><Y" is
> simply ugly. I do not have a silver bullet here, though.
>
> If you oppose the proposed change, I'll add "... except 'uid1:uid2' syntax,
> which could be mistakenly interpreted as 'uid:gid'" to pf.conf(5). Will
> that be okay?
I think that's where we are heading after reading the email from sthen@.
Let's focus on updating the pf.conf.5 manpage. Would the diff below make the
pf.conf.5 manpage more useful?
thanks and
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 452a15d1cfd..42c3c3466da 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -820,6 +820,22 @@ connections:
block out proto tcp all
pass out proto tcp from self user { < 1000, dhartmei }
.Ed
+.Pp
+The example below specifies a range of users to open outgoing
+connections:
+.Bd -literal -offset indent
+block out proto tcp all
+pass out proto tcp from self user { 1000 >< 1500 }
+.Ed
+.Pp
+Note the range above excludes 1000 and 1500 uids from list
+of uids, which match the pass rule. The
+.Cm :
+operator, which works for port number matching, does not work for
+.Cm user
+and
+.Cm group
+match.
.El
.Ss Translation
Translation options modify either the source or destination address and
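
Review bot: The added note breaks a sentence mid-line at "of uids, which match the pass rule. The"; mdoc source keeps each sentence on its own line, so start "The" on a new line. The first sentence would also read more clearly as "Note that the range above excludes UIDs 1000 and 1500." Since the concern raised in the thread is that 'uid1:uid2' could be mistaken for 'uid:gid', the text should say that explicitly instead of only stating that ":" "does not work" for user and group. Because "1000 >< 1500" is exclusive, a reader writing a filter rule for a UID range can easily be off by one at both ends, so consider stating in the example's lead-in that the boundaries are not matched.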