According to pf_scrub_ip6() pf does not support the scrub options

no-df, random-id, set-tos for IPv6 rules.  Check this in pfctl and
document it in pf.conf(5).
ok henning@ jmc@

1 files changed, 5 insertions, 5 deletions

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index ad79cf94300..f3fb92cbcb6 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.485 2010/12/23 14:39:21 jmc Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.486 2010/12/31 12:15:31 bluhm Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 23 2010 $
+.Dd $Mdocdate: December 31 2010 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -2163,7 +2163,7 @@ Enforces a minimum TTL for matching IP packets.
 .It Ar no-df
 Clears the
 .Ar dont-fragment
-bit from a matching IP packet.
+bit from a matching IPv4 packet.
 Some operating systems have NFS implementations
 which are known to generate fragmented packets with the
 .Ar dont-fragment
@@ -2188,7 +2188,7 @@ is recommended in combination with
 .Ar no-df
 to ensure unique IP identifiers.
 .It Ar random-id
-Replaces the IP identification field with random values to compensate
+Replaces the IPv4 identification field with random values to compensate
 for predictable values generated by many hosts.
 This option only applies to packets that are not fragmented
 after the optional fragment reassembly.
@@ -2243,7 +2243,7 @@ blind attacker would have to guess the timestamp as well.
 .It Xo Ar set-tos Aq Ar string
 .No \*(Ba Aq Ar number
 .Xc
-Enforces a TOS for matching IP packets.
+Enforces a TOS for matching IPv4 packets.
 .Ar string
 may be one of
 .Ar lowdelay ,