The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=83f9b68fde27a0e136f447ca03ba3953f5730503

commit 83f9b68fde27a0e136f447ca03ba3953f5730503
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-02-14 14:50:43 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-02-21 08:11:03 +0000

    pf.conf.5: Don't use greater-equal/less-equal symbols where "<="/">=" are 
intended.
    
    Also, clean up some usage of predefined strings (which are discouraged by
    mandoc_char(7) for portability reasons) and improve spacing in
    hostapd.conf(5).
    
    ok schwarze@
    
    Obtained from:  OpenBSD, bentley <bent...@openbsd.org>, e369c2e695
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 share/man/man5/pf.conf.5 | 98 ++++++++++++++++++++++++------------------------
 1 file changed, 49 insertions(+), 49 deletions(-)

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index e96ba094be27..478ce7b956f9 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -195,9 +195,9 @@ Note that this feature carries significant memory overhead 
for large tables.
 .Pp
 For example,
 .Bd -literal -offset indent
-table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
-table \*(Ltbadhosts\*(Gt persist
-block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
+table <private> const { 10/8, 172.16/12, 192.168/16 }
+table <badhosts> persist
+block on fxp0 from { <private>, <badhosts> } to any
 .Ed
 .Pp
 creates a table called private, to hold RFC 1918 private network
@@ -215,8 +215,8 @@ these hosts can be blocked by using
 A table can also be initialized with an address list specified in one or more
 external files, using the following syntax:
 .Bd -literal -offset indent
-table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file 
\&"/etc/openrelays\&"
-block on fxp0 from \*(Ltspam\*(Gt to any
+table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
+block on fxp0 from <spam> to any
 .Ed
 .Pp
 The files
@@ -1440,9 +1440,9 @@ The packet is redirected to another destination and 
possibly a
 different port.
 .Ar rdr
 rules can optionally specify port ranges instead of single ports.
-rdr ... port 2000:2999 -\*(Gt ... port 4000
+rdr ... port 2000:2999 -> ... port 4000
 redirects ports 2000 to 2999 (inclusive) to port 4000.
-rdr ... port 2000:2999 -\*(Gt ... port 4000:*
+rdr ... port 2000:2999 -> ... port 4000:*
 redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
 .El
 .Pp
@@ -1505,7 +1505,7 @@ or to the firewall itself.
 Note that redirecting external incoming connections to the loopback
 address, as in
 .Bd -literal -offset indent
-rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
+rdr on ne3 inet proto tcp to port smtp -> 127.0.0.1 port spamd
 .Ed
 .Pp
 will effectively allow an external host to connect to daemons
@@ -1875,17 +1875,17 @@ Ports and ranges of ports are specified by using these 
operators:
 .Bd -literal -offset indent
 =      (equal)
 !=     (unequal)
-\*(Lt  (less than)
+<      (less than)
 <=     (less than or equal)
-\*(Gt  (greater than)
+>      (greater than)
 >=     (greater than or equal)
 :      (range including boundaries)
-\*(Gt\*(Lt     (range excluding boundaries)
-\*(Lt\*(Gt     (except range)
+><     (range excluding boundaries)
+<>     (except range)
 .Ed
 .Pp
-.Sq \*(Gt\*(Lt ,
-.Sq \*(Lt\*(Gt
+.Sq >< ,
+.Sq <>
 and
 .Sq \&:
 are binary operators (they take two arguments).
@@ -1893,15 +1893,15 @@ For instance:
 .Bl -tag -width Fl
 .It Ar port 2000:2004
 means
-.Sq all ports \*(Ge 2000 and \*(Le 2004 ,
+.Sq all ports >= 2000 and <= 2004 ,
 hence ports 2000, 2001, 2002, 2003 and 2004.
-.It Ar port 2000 \*(Gt\*(Lt 2004
+.It Ar port 2000 >< 2004
 means
-.Sq all ports \*(Gt 2000 and \*(Lt 2004 ,
+.Sq all ports > 2000 and < 2004 ,
 hence ports 2001, 2002 and 2003.
-.It Ar port 2000 \*(Lt\*(Gt 2004
+.It Ar port 2000 <> 2004
 means
-.Sq all ports \*(Lt 2000 or \*(Gt 2004 ,
+.Sq all ports < 2000 or > 2004 ,
 hence ports 1-1999 and 2005-65535.
 .El
 .Pp
@@ -1917,7 +1917,7 @@ The host, port and OS specifications are optional, as in 
the following examples:
 .Bd -literal -offset indent
 pass in all
 pass in from any to any
-pass in proto tcp from any port \*(Lt 1024 to any
+pass in proto tcp from any port < 1024 to any
 pass in proto tcp from any to any port 25
 pass in proto tcp from 10.0.0.0/8 port >= 1024 \e
       to ! 10.1.2.3 port != ssh
@@ -1978,7 +1978,7 @@ The following example allows only selected users to open 
outgoing
 connections:
 .Bd -literal -offset indent
 block out proto { tcp, udp } all
-pass  out proto { tcp, udp } all user { \*(Lt 1000, dhartmei }
+pass  out proto { tcp, udp } all user { < 1000, dhartmei }
 .Ed
 .It Xo Ar flags Aq Ar a
 .Pf / Ns Aq Ar b
@@ -2132,15 +2132,15 @@ For example:
 .Bd -literal -offset indent
 ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
 pass in proto tcp from any to $ips \e
-      port \*(Gt 1023 label \&"$dstaddr:$dstport\&"
+      port > 1023 label \&"$dstaddr:$dstport\&"
 .Ed
 .Pp
 expands to
 .Bd -literal -offset indent
 pass in inet proto tcp from any to 1.2.3.4 \e
-      port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&"
+      port > 1023 label \&"1.2.3.4:>1023\&"
 pass in inet proto tcp from any to 1.2.3.5 \e
-      port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&"
+      port > 1023 label \&"1.2.3.5:>1023\&"
 .Ed
 .Pp
 The macro expansion for the
@@ -2615,9 +2615,9 @@ table and have all states originating from it flushed.
 Any new packets arriving from this host will be dropped unconditionally
 by the block rule.
 .Bd -literal -offset indent
-block quick from \*(Ltbad_hosts\*(Gt
+block quick from <bad_hosts>
 pass in on $ext_if proto tcp to $webserver port www keep state \e
-       (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
+       (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
 .Ed
 .Sh OPERATING SYSTEM FINGERPRINTING
 Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
@@ -3048,7 +3048,7 @@ and therefore lacks permission to bind to port 80).
 ext_if = \&"ne3\&"
 
 # map daemon on 8080 to appear to be on 80
-rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
+rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
 .Ed
 .Pp
 If the
@@ -3056,7 +3056,7 @@ If the
 modifier is given, packets matching the translation rule are passed without
 inspecting the filter rules:
 .Bd -literal
-rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
+rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
       port 8080
 .Ed
 .Pp
@@ -3069,7 +3069,7 @@ network appear as though it is the Internet routable 
address
 for the nodes on vlan12.
 (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
 .Bd -literal
-nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
+nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
 .Ed
 .Pp
 In the example below, the machine sits between a fake internal 144.19.74.*
@@ -3080,7 +3080,7 @@ rule excludes protocol AH from being translated.
 .Bd -literal
 # NO NAT
 no nat on $ext_if proto ah from 144.19.74.0/24 to any
-nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
+nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
 .Ed
 .Pp
 In the example below, packets bound for one specific server, as well as those
@@ -3089,7 +3089,7 @@ generated by the sysadmins are not proxied; all other 
connections are.
 # NO RDR
 no rdr on $int_if proto { tcp, udp } from any to $server port 80
 no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
-rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
+rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
       port 80
 .Ed
 .Pp
@@ -3107,20 +3107,20 @@ manpage.
 # NAT
 # Translate outgoing packets' source addresses (any protocol).
 # In this case, any address but the gateway's external address is mapped.
-nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
+nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
 
 # NAT PROXYING
 # Map outgoing packets' source port to an assigned proxy port instead of
 # an arbitrary port.
 # In this case, proxy outgoing isakmp with port 500 on the gateway.
-nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
+nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
       port 500
 
 # BINAT
 # Translate outgoing packets' source address (any protocol).
 # Translate incoming packets' destination address to an internal machine
 # (bidirectional).
-binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
+binat on $ext_if from 10.1.2.150 to any -> $ext_if
 
 # Translate packets arriving on $peer_if addressed to 172.22.16.0/20
 # to the corresponding address in 172.21.16.0/20 (bidirectional).
@@ -3130,14 +3130,14 @@ binat on $peer_if from 172.21.16.0/20 to any -> 
172.22.16.0/20
 # Translate incoming packets' destination addresses.
 # As an example, redirect a TCP and UDP port to an internal machine.
 rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
-      -\*(Gt 10.1.2.151 port 22
+      -> 10.1.2.151 port 22
 rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
-      -\*(Gt 10.1.2.151 port 53
+      -> 10.1.2.151 port 53
 
 # RDR
 # Translate outgoing ftp control connections to send them to localhost
 # for proxying with ftp-proxy(8) running on port 8021.
-rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
+rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 .Ed
 .Pp
 In this example, a NAT gateway is set up to translate internal addresses
@@ -3149,13 +3149,13 @@ network.
 # Translate outgoing packets' source addresses using an address pool.
 # A given source address is always translated to the same pool address by
 # using the source-hash keyword.
-nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
+nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
 
 # RDR ROUND ROBIN
 # Translate incoming web server connections to a group of web servers on
 # the internal network.
 rdr on $ext_if proto tcp from any to any port 80 \e
-      -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
+      -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
 .Ed
 .Sh FILTER EXAMPLES
 .Bd -literal
@@ -3248,8 +3248,8 @@ pass out on $ext_if proto tcp from any to any port 80
 # tag incoming packets as they are redirected to spamd(8). use the tag
 # to pass those packets through the packet filter.
 
-rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
-       tag SPAMD -\*(Gt 127.0.0.1 port spamd
+rdr on $ext_if inet proto tcp from <spammers> to port smtp \e
+       tag SPAMD -> 127.0.0.1 port spamd
 
 block in on $ext_if
 pass in on $ext_if inet proto tcp tagged SPAMD
@@ -3332,7 +3332,7 @@ filteropt      = user | group | flags | icmp-type | 
icmp6-type | "tos" tos |
 nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                  [ "on" ifspec ] [ af ]
                  [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
-                 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
+                 [ "->" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] [ "static-port" ]
                  [ "map-e-portset" number "/" number "/" number ] ]
 
@@ -3341,19 +3341,19 @@ binat-rule     = [ "no" ] "binat" [ "pass" [ "log" [ 
"(" logopts ")" ] ] ]
                  [ "proto" ( proto-name | proto-number ) ]
                  "from" address [ "/" mask-bits ] "to" ipspec
                  [ "tag" string ] [ "tagged" string ]
-                 [ "-\*(Gt" address [ "/" mask-bits ] ]
+                 [ "->" address [ "/" mask-bits ] ]
 
 rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                  [ "on" ifspec ] [ af ]
                  [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
-                 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
+                 [ "->" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] ]
 
 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
                  "for" ifspec [ af ] [ "label" string ]
                  [ "ridentifier" number ]
 
-table-rule     = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
+table-rule     = "table" "<" string ">" [ tableopts-list ]
 tableopts-list = tableopts-list tableopts | tableopts
 tableopts      = "persist" | "const" | "counters" | "file" string |
                  "{" [ tableaddr-list ] "}"
@@ -3417,7 +3417,7 @@ hosts          = "all" |
                  "{" host-list "}" ) [ port ]
 
 ipspec         = "any" | host | "{" host-list "}"
-host           = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
+host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
 redirhost      = address [ "/" mask-bits ]
 routehost      = "(" interface-name [ address [ "/" mask-bits ] ] ")"
 address        = ( interface-name | interface-group |
@@ -3433,9 +3433,9 @@ os             = "os"  ( os-name | "{" os-list "}" )
 user           = "user" ( unary-op | binary-op | "{" op-list "}" )
 group          = "group" ( unary-op | binary-op | "{" op-list "}" )
 
-unary-op       = [ "=" | "!=" | "\*(Lt" | "<=" | "\*(Gt" | ">=" ]
+unary-op       = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
                  ( name | number )
-binary-op      = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
+binary-op      = number ( "<>" | "><" | ":" ) number
 op-list        = ( unary-op | binary-op ) [ [ "," ] op-list ]
 
 os-name        = operating-system-name
@@ -3460,7 +3460,7 @@ state-opt      = ( "max" number | "no-sync" | timeout | 
"sloppy" |
                  "max-src-nodes" number | "max-src-states" number |
                  "max-src-conn" number |
                  "max-src-conn-rate" number "/" number |
-                 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
+                 "overload" "<" string ">" [ "flush" ] |
                  "if-bound" | "floating" | "pflow" )
 
 fragmentation  = [ "fragment reassemble" ]
