On Thu, Jan 16, 2020 at 03:29:16PM +0100, Alexandr Nedvedicky wrote:
> I think that's where we are heading after reading email from sthen@
>
> Let's focus on updating the pf.conf.5 manpage. Would the diff below make
> the pf.conf.5 manpage more useful?
I think this is the right way; adding the inclusive range for users
adds too much complexity for no real gain.
Nits inline,
OK kn
> diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
> index 452a15d1cfd..42c3c3466da 100644
> --- a/share/man/man5/pf.conf.5
> +++ b/share/man/man5/pf.conf.5
> @@ -820,6 +820,22 @@ connections:
> block out proto tcp all
> pass out proto tcp from self user { < 1000, dhartmei }
> .Ed
> +.Pp
> +The example below specifies a range of users to open outgoing
> +connections:
> +.Bd -literal -offset indent
> +block out proto tcp all
> +pass out proto tcp from self user { 1000 >< 1500 }
> +.Ed
> +.Pp
> +Note the range above excludes 1000 and 1500 uids from list
> +of uids, which match the pass rule. The
New sentences on their own lines. I'd say
Note that users 1000 and 1500 are excluded from the pass rule.
This avoids repeating "uids" and "uid list", and since we can also do
"root >< kn" the wording "user" goes in line with the keyword (only
numerical values are UIDs, technically).
> +.Cm :
The port paragraph marks up those operators with Sq (single quotes),
we should be consistent here. Cm for user and group is correct, though.
> +operator, which works for port number matching, does not work for
> +.Cm user
> +and
> +.Cm group
> +match.
> .El
> .Ss Translation
> Translation options modify either the source or destination address and
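Review bot: the introductory sentence "The example below specifies a range of users" should say up front that the range is exclusive, since the exclusion of both endpoints is only stated in the note after the example and a reader copying the rule from the example alone would expect 1000 and 1500 to match. Suggest "The example below specifies an exclusive range of users to open outgoing connections:" so the sentence matches the `><` operator being used. It is also worth spelling out the consequence in the note that follows: because the example starts with `block out proto tcp all`, users 1000 and 1500 are not merely left unmatched by the pass rule but fall through to the block rule, which is the behaviour an administrator needs to anticipate when choosing the range boundaries.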