
pf.conf.5: mention the inversion (!) operator

pf.conf.5: mention the inversion (!) operator

Michal Mazurek-2
- mention the inversion operator for "some parameters"
- mention the inversion operator for "received-on" to match "tagged"
- don't wrap a short line
- use spaces, not tabs inside a literal block
- quote the inversion operator when describing BNF syntax (easy to miss):
-                 "label" string | "tag" string | [ ! ] "tagged" string |
+                 "label" string | "tag" string | [ "!" ] "tagged" string |


Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.558
diff -u -p -r1.558 pf.conf.5
--- share/man/man5/pf.conf.5 15 May 2017 11:24:37 -0000 1.558
+++ share/man/man5/pf.conf.5 15 May 2017 17:30:30 -0000
@@ -131,6 +131,9 @@ matching attributes.
 Certain parameters can be expressed as lists, in which case
 .Xr pfctl 8
 generates all needed rule combinations.
+It's also possible to invert some parameters by specifying the
+.Cm !\&
+operator.
 .Pp
 By default
 .Xr pf 4
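Review bot: "some parameters" gives the reader no way to tell which ones accept the operator; either name them here or make sure every invertible parameter's summary line carries the optional `!` (as the `received-on` line in the next hunk does) so the statement is discoverable from the parameter list. The contraction "It's" also stands out against the surrounding prose ("Certain parameters can be expressed as lists"); "It is also possible" or "Matching for some parameters can be inverted" reads more like the rest of the page.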
@@ -638,12 +641,17 @@ For example, the following rule will dro
 .It Cm prio Ar number
 Only match packets which have the given queueing priority assigned.
 .Pp
-.It Cm received-on Ar interface
+.It Oo Cm \&! Oc Ns Cm received-on Ar interface
 Only match packets which were received on the specified
 .Cm interface
 (or interface group).
 .Cm any
 will match any existing interface except loopback ones.
+Inverse interface matching can also be done by specifying the
+.Cm !\&
+operator before the
+.Cm received-on
+keyword.
 .Pp
 .It Cm rtable Ar number
 Used to select an alternate routing table for the routing lookup.
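Review bot: the five added prose lines restate what the new summary line `.It Oo Cm \&! Oc Ns Cm received-on Ar interface` and the general sentence in the first hunk already convey. Drop them and let the `[!]` in the summary plus the general statement carry the meaning; otherwise every invertible parameter ends up with the same boilerplate paragraph that `tagged` already has.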
@@ -733,8 +741,7 @@ to specify that packets must already
 be tagged with the given
 .Ar string
 in order to match the rule.
-Inverse tag matching can also be done
-by specifying the
+Inverse tag matching can also be done by specifying the
 .Cm !\&
 operator before the
 .Cm tagged
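Review bot: joining "Inverse tag matching can also be done / by specifying the" onto one line is a cosmetic re-wrap unrelated to documenting the operator; keep it out of this diff (or put it with the other formatting changes) so the content change can be reviewed on its own, especially since this paragraph may be removed entirely if summary lines are made to show the `!`.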
@@ -2690,22 +2697,22 @@ filteropt      = user | group | flags |
                  ( "no" | "keep" | "modulate" | "synproxy" ) "state"
                  [ "(" state-opts ")" ] | "scrub" "(" scrubopts ")" |
                  "fragment" | "allow-opts" | "once" |
- "divert-packet" "port" port | "divert-reply" |
- "divert-to" host "port" port |
-                 "label" string | "tag" string | [ ! ] "tagged" string |
+                 "divert-packet" "port" port | "divert-reply" |
+                 "divert-to" host "port" port |
+                 "label" string | "tag" string | [ "!" ] "tagged" string |
                  "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
                  "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                  "rtable" number | "probability" number"%" | "prio" number |
- "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
- [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
- "binat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] |
- "rdr-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] |
- "nat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] [ "static-port" ] |
- [ route ] | [ "set tos" tos ] |
- [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
+                 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
+                 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
+                 "binat-to" ( redirhost | "{" redirhost-list "}" )
+                 [ portspec ] [ pooltype ] |
+                 "rdr-to" ( redirhost | "{" redirhost-list "}" )
+                 [ portspec ] [ pooltype ] |
+                 "nat-to" ( redirhost | "{" redirhost-list "}" )
+                 [ portspec ] [ pooltype ] [ "static-port" ] |
+                 [ route ] | [ "set tos" tos ] |
+                 [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
 
 scrubopts      = scrubopt [ [ "," ] scrubopts ]
 scrubopt       = "no-df" | "min-ttl" number | "max-mss" number |
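Review bot: the only substantive change in this hunk is `[ ! ]` to `[ "!" ]` on the `"tagged"` line, which brings it in line with the quoted form already used in `[ [ "!" ] "received-on" ( interface-name | interface-group ) ]` at the end of the same rule, but it is buried in a 22-line re-indent that replaces leading tabs with spaces. Split the whitespace change out so the grammar fix is visible as a one-line hunk.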

--
Michal Mazurek

Re: pf.conf.5: mention the inversion (!) operator

Jason McIntyre-3
On Mon, May 15, 2017 at 07:42:46PM +0200, Michal Mazurek wrote:
> - mention the inversion operator for "some parameters"
> - mention the inversion operator for "received-on" to match "tagged"
> - don't wrap a short line
> - use spaces, not tabs inside a literal block
> - quote the inversion operator when describing BNF syntax (easy to miss):
> -                 "label" string | "tag" string | [ ! ] "tagged" string |
> +                 "label" string | "tag" string | [ "!" ] "tagged" string |
>
>

morning.

i think there are really two diffs here. one, formatting for BNF, is
really hard to read so i want to put that to the side till we address
the other, the "!" operator.

i would prefer to just say upfront that some things can take "!", show
them in the summary line, but not repeat all the "may be inversed"
text. i think the idea of "!" is sufficiently clear that we can get away
with that.

so my suggestion below. after we sort that, we can see whether there are
further formatting changes to make.

jmc

Index: pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.560
diff -u -r1.560 pf.conf.5
--- pf.conf.5 16 May 2017 22:29:02 -0000 1.560
+++ pf.conf.5 17 May 2017 06:33:39 -0000
@@ -128,6 +128,9 @@
 Most parameters are optional.
 If a parameter is specified, the rule only applies to packets with
 matching attributes.
+The matching for some parameters can be inverted with the
+.Cm !\&
+operator.
 Certain parameters can be expressed as lists, in which case
 .Xr pfctl 8
 generates all needed rule combinations.
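Review bot: placing the sentence directly after "matching attributes." and before the "lists" sentence reads well, but "some parameters" still sends the reader hunting. A short pointer, e.g. that such parameters are shown with an optional `!` in their summary line, would tie this sentence to the `Oo Cm \&! Oc` markers that the later hunks rely on instead of the removed per-parameter prose.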
@@ -638,7 +641,7 @@
 .It Cm prio Ar number
 Only match packets which have the given queueing priority assigned.
 .Pp
-.It Cm received-on Ar interface
+.It Oo Cm \&! Oc Ns Cm received-on Ar interface
 Only match packets which were received on the specified
 .Cm interface
 (or interface group).
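Review bot: the `Ns` suppresses the space after `Oc`, so the summary renders as `[!]received-on interface`, which matches the `[ "!" ] "received-on"` form in the grammar. Since this is now the only place the `received-on` inversion is documented in the parameter list, the same `Oo Cm \&! Oc Ns` form should be present on the `tagged` summary line (outside this diff) before its prose is dropped in the next hunk.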
@@ -733,12 +736,6 @@
 be tagged with the given
 .Ar string
 in order to match the rule.
-Inverse tag matching can also be done
-by specifying the
-.Cm !\&
-operator before the
-.Cm tagged
-keyword.
 .Pp
 .It Cm tos Ar string | number
 This rule applies to packets with the specified TOS bits set.
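Review bot: deleting this paragraph leaves inversion of `tagged` documented only by its summary line and by `[ "!" ] "tagged"` in the grammar; that is consistent with the approach in this diff, but confirm the `tagged` `.It` line (not shown here) carries the optional `!` marker before committing, otherwise the removal loses information the first hunk's general sentence does not recover.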
@@ -2689,7 +2686,7 @@
                  "fragment" | "allow-opts" | "once" |
  "divert-packet" "port" port | "divert-reply" |
  "divert-to" host "port" port |
-                 "label" string | "tag" string | [ ! ] "tagged" string |
+                 "label" string | "tag" string | [ "!" ] "tagged" string |
                  "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
                  "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                  "rtable" number | "probability" number"%" | "prio" number |
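Review bot: the quoting fix is right and now agrees with the `[ "!" ] "received-on"` form further down the same `filteropt` rule. The tab-indented context lines just above (`"divert-packet"`, `"divert-to"`) show the mixed indentation that was deliberately left aside, so a whitespace-only follow-up diff is still needed to finish the block.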

> Index: share/man/man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.558
> diff -u -p -r1.558 pf.conf.5
> --- share/man/man5/pf.conf.5 15 May 2017 11:24:37 -0000 1.558
> +++ share/man/man5/pf.conf.5 15 May 2017 17:30:30 -0000
> @@ -131,6 +131,9 @@ matching attributes.
>  Certain parameters can be expressed as lists, in which case
>  .Xr pfctl 8
>  generates all needed rule combinations.
> +It's also possible to invert some parameters by specifying the
> +.Cm !\&
> +operator.
>  .Pp
>  By default
>  .Xr pf 4
> @@ -638,12 +641,17 @@ For example, the following rule will dro
>  .It Cm prio Ar number
>  Only match packets which have the given queueing priority assigned.
>  .Pp
> -.It Cm received-on Ar interface
> +.It Oo Cm \&! Oc Ns Cm received-on Ar interface
>  Only match packets which were received on the specified
>  .Cm interface
>  (or interface group).
>  .Cm any
>  will match any existing interface except loopback ones.
> +Inverse interface matching can also be done by specifying the
> +.Cm !\&
> +operator before the
> +.Cm received-on
> +keyword.
>  .Pp
>  .It Cm rtable Ar number
>  Used to select an alternate routing table for the routing lookup.
> @@ -733,8 +741,7 @@ to specify that packets must already
>  be tagged with the given
>  .Ar string
>  in order to match the rule.
> -Inverse tag matching can also be done
> -by specifying the
> +Inverse tag matching can also be done by specifying the
>  .Cm !\&
>  operator before the
>  .Cm tagged
> @@ -2690,22 +2697,22 @@ filteropt      = user | group | flags |
>                   ( "no" | "keep" | "modulate" | "synproxy" ) "state"
>                   [ "(" state-opts ")" ] | "scrub" "(" scrubopts ")" |
>                   "fragment" | "allow-opts" | "once" |
> - "divert-packet" "port" port | "divert-reply" |
> - "divert-to" host "port" port |
> -                 "label" string | "tag" string | [ ! ] "tagged" string |
> +                 "divert-packet" "port" port | "divert-reply" |
> +                 "divert-to" host "port" port |
> +                 "label" string | "tag" string | [ "!" ] "tagged" string |
>                   "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
>                   "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
>                   "rtable" number | "probability" number"%" | "prio" number |
> - "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
> - [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
> - "binat-to" ( redirhost | "{" redirhost-list "}" )
> - [ portspec ] [ pooltype ] |
> - "rdr-to" ( redirhost | "{" redirhost-list "}" )
> - [ portspec ] [ pooltype ] |
> - "nat-to" ( redirhost | "{" redirhost-list "}" )
> - [ portspec ] [ pooltype ] [ "static-port" ] |
> - [ route ] | [ "set tos" tos ] |
> - [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
> +                 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
> +                 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
> +                 "binat-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] |
> +                 "rdr-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] |
> +                 "nat-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] [ "static-port" ] |
> +                 [ route ] | [ "set tos" tos ] |
> +                 [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
>  
>  scrubopts      = scrubopt [ [ "," ] scrubopts ]
>  scrubopt       = "no-df" | "min-ttl" number | "max-mss" number |
>
> --
> Michal Mazurek
>

Re: pf.conf.5: mention the inversion (!) operator

Michal Mazurek-2
Now that it was committed, what remains is to convert tabs to spaces inside a
literal block:

Index: share/man/man5/pf.conf.5
===================================================================
RCS file: /cvs/src/share/man/man5/pf.conf.5,v
retrieving revision 1.561
diff -u -p -r1.561 pf.conf.5
--- share/man/man5/pf.conf.5 18 May 2017 11:50:47 -0000 1.561
+++ share/man/man5/pf.conf.5 19 May 2017 06:32:05 -0000
@@ -2668,7 +2668,7 @@ option         = "set" ( [ "timeout" ( t
                  [ "skip on" ifspec ] |
                  [ "debug" ( "emerg" | "alert" | "crit" | "err" |
                  "warning" | "notice" | "info" | "debug" ) ] |
- [ "reassemble" ( "yes" | "no" ) [ "no-df" ] ] )
+                 [ "reassemble" ( "yes" | "no" ) [ "no-df" ] ] )
 
 pf-rule        = action [ ( "in" | "out" ) ]
                  [ "log" [ "(" logopts ")"] ] [ "quick" ]
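Review bot: whitespace-only hunk; inside a `.Bd -literal` block the formatter expands tabs to 8-column stops, so whatever tab/space mix the original line used should render at the same column as 17 spaces. Render both versions with mandoc and diff the output to confirm nothing moves, and state the motivation (consistent indentation within the block) in the commit message, since the diff itself does not show why the change is wanted.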
@@ -2684,22 +2684,22 @@ filteropt      = user | group | flags |
                  ( "no" | "keep" | "modulate" | "synproxy" ) "state"
                  [ "(" state-opts ")" ] | "scrub" "(" scrubopts ")" |
                  "fragment" | "allow-opts" | "once" |
- "divert-packet" "port" port | "divert-reply" |
- "divert-to" host "port" port |
+                 "divert-packet" "port" port | "divert-reply" |
+                 "divert-to" host "port" port |
                  "label" string | "tag" string | [ "!" ] "tagged" string |
                  "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
                  "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
                  "rtable" number | "probability" number"%" | "prio" number |
- "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
- [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
- "binat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] |
- "rdr-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] |
- "nat-to" ( redirhost | "{" redirhost-list "}" )
- [ portspec ] [ pooltype ] [ "static-port" ] |
- [ route ] | [ "set tos" tos ] |
- [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
+                 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
+                 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
+                 "binat-to" ( redirhost | "{" redirhost-list "}" )
+                 [ portspec ] [ pooltype ] |
+                 "rdr-to" ( redirhost | "{" redirhost-list "}" )
+                 [ portspec ] [ pooltype ] |
+                 "nat-to" ( redirhost | "{" redirhost-list "}" )
+                 [ portspec ] [ pooltype ] [ "static-port" ] |
+                 [ route ] | [ "set tos" tos ] |
+                 [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
 
 scrubopts      = scrubopt [ [ "," ] scrubopts ]
 scrubopt       = "no-df" | "min-ttl" number | "max-mss" number |
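Review bot: same whitespace-only change applied to the `filteropt` block; the hunk header (`-2684,22 +2684,22`) confirms no lines are added or removed and every `-`/`+` pair differs only in leading whitespace. Since consistency is the goal, grep the file for any other tab-indented lines inside literal blocks so this one commit finishes the job rather than leaving another mixed block behind.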

--
Michal Mazurek

Re: pf.conf.5: mention the inversion (!) operator

Jason McIntyre-3
On Fri, May 19, 2017 at 08:34:54AM +0200, Michal Mazurek wrote:
> Now that it was committed, what remains is to convert tabs to spaces inside a
> literal block:
>

morning.

what's the reason for wanting this?
jmc

> Index: share/man/man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.561
> diff -u -p -r1.561 pf.conf.5
> --- share/man/man5/pf.conf.5 18 May 2017 11:50:47 -0000 1.561
> +++ share/man/man5/pf.conf.5 19 May 2017 06:32:05 -0000
> @@ -2668,7 +2668,7 @@ option         = "set" ( [ "timeout" ( t
>                   [ "skip on" ifspec ] |
>                   [ "debug" ( "emerg" | "alert" | "crit" | "err" |
>                   "warning" | "notice" | "info" | "debug" ) ] |
> - [ "reassemble" ( "yes" | "no" ) [ "no-df" ] ] )
> +                 [ "reassemble" ( "yes" | "no" ) [ "no-df" ] ] )
>  
>  pf-rule        = action [ ( "in" | "out" ) ]
>                   [ "log" [ "(" logopts ")"] ] [ "quick" ]
> @@ -2684,22 +2684,22 @@ filteropt      = user | group | flags |
>                   ( "no" | "keep" | "modulate" | "synproxy" ) "state"
>                   [ "(" state-opts ")" ] | "scrub" "(" scrubopts ")" |
>                   "fragment" | "allow-opts" | "once" |
> - "divert-packet" "port" port | "divert-reply" |
> - "divert-to" host "port" port |
> +                 "divert-packet" "port" port | "divert-reply" |
> +                 "divert-to" host "port" port |
>                   "label" string | "tag" string | [ "!" ] "tagged" string |
>                   "set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
>                   "set queue" ( string | "(" string [ [ "," ] string ] ")" ) |
>                   "rtable" number | "probability" number"%" | "prio" number |
> - "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
> - [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
> - "binat-to" ( redirhost | "{" redirhost-list "}" )
> - [ portspec ] [ pooltype ] |
> - "rdr-to" ( redirhost | "{" redirhost-list "}" )
> - [ portspec ] [ pooltype ] |
> - "nat-to" ( redirhost | "{" redirhost-list "}" )
> - [ portspec ] [ pooltype ] [ "static-port" ] |
> - [ route ] | [ "set tos" tos ] |
> - [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
> +                 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
> +                 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
> +                 "binat-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] |
> +                 "rdr-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] |
> +                 "nat-to" ( redirhost | "{" redirhost-list "}" )
> +                 [ portspec ] [ pooltype ] [ "static-port" ] |
> +                 [ route ] | [ "set tos" tos ] |
> +                 [ [ "!" ] "received-on" ( interface-name | interface-group ) ]
>  
>  scrubopts      = scrubopt [ [ "," ] scrubopts ]
>  scrubopt       = "no-df" | "min-ttl" number | "max-mss" number |
>
> --
> Michal Mazurek
>

Re: pf.conf.5: mention the inversion (!) operator

Michal Mazurek-2
On 07:52:28, 19.05.17, Jason McIntyre wrote:
> On Fri, May 19, 2017 at 08:34:54AM +0200, Michal Mazurek wrote:
> > Now that it was committed, what remains is to convert tabs to spaces inside a
> > literal block:
> >
>
> morning.
>
> what's the reason for wanting this?

Consistency is my only reason.

--
Michal Mazurek

Re: pf.conf.5: mention the inversion (!) operator

Jason McIntyre-3
On Fri, May 19, 2017 at 10:47:55AM +0200, Michal Mazurek wrote:

> On 07:52:28, 19.05.17, Jason McIntyre wrote:
> > On Fri, May 19, 2017 at 08:34:54AM +0200, Michal Mazurek wrote:
> > > Now that it was committed, what remains is to convert tabs to spaces inside a
> > > literal block:
> > >
> >
> > morning.
> >
> > what's the reason for wanting this?
>
> Consistency is my only reason.
>

ah, i see. just committed. thanks for the followup;
jmc
