| author | Jason McIntyre <jmc@cvs.openbsd.org> | 2009-04-14 08:29:07 +0000 |
|---|---|---|
| committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2009-04-14 08:29:07 +0000 |
| commit | 56e38014feacef00c9f7ee671e9e5c6090dbf763 (patch) | |
| tree | 87eb112eccbf8c3706ef636fc8358286c77145b6 /share/man | |
| parent | 34092e69ff2cfb10e3f3abfdb34ecc6f36b28dda (diff) | |
tweak OPTIONS; also there is no need to give an example of every "set"
argument, so remove any examples that were not particularly illustrative;
ok henning
Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man5/pf.conf.5 | 73 |
1 files changed, 21 insertions, 52 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 968edddfdca..9a7cacdeb9b 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.419 2009/04/13 19:08:49 jmc Exp $ +.\" $OpenBSD: pf.conf.5,v 1.420 2009/04/14 08:29:06 jmc Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 13 2009 $ +.Dd $Mdocdate: April 14 2009 $ .Dt PF.CONF 5 .Os .Sh NAME @@ -252,11 +252,6 @@ A TCP RST is returned for blocked TCP packets, an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped. .El -.Pp -For example: -.Bd -literal -offset indent -set block-policy return -.Ed .It Ar set debug Set the debug .Ar level @@ -276,17 +271,11 @@ Generate debug messages only for serious errors. Load fingerprints of known operating systems from the given filename. By default fingerprints of known operating systems are automatically loaded from -.Xr pf.os 5 -in -.Pa /etc +.Xr pf.os 5 , but can be overridden via this option. Setting this option may leave a small period of time where the fingerprints referenced by the currently active ruleset are inconsistent until the new ruleset finishes loading. -.Pp -For example: -.Pp -.Dl set fingerprints \&"/etc/pf.os.devel\&" .It Ar set hostid The 32-bit .Ar hostid @@ -297,10 +286,6 @@ failover cluster. By default the hostid is set to a pseudo-random value, however it may be desirable to manually configure it, for example to more easily identify the source of state table entries. -.Bd -literal -offset indent -set hostid 1 -.Ed -.Pp The hostid may be specified in either decimal or hexadecimal. .It Ar set limit Sets hard limits on the memory pools used by the packet filter. 
@@ -309,41 +294,38 @@ See for an explanation of memory pools. .Pp For example, -.Bd -literal -offset indent -set limit states 20000 -.Ed -.Pp -sets the maximum number of entries in the memory pool used by state table +to set the maximum number of entries in the memory pool used by state table entries (generated by .Ar pass rules which do not specify .Ar no state ) -to 20000. -Using +to 20000: .Bd -literal -offset indent -set limit frags 20000 +set limit states 20000 .Ed .Pp -sets the maximum number of entries in the memory pool used for fragment -reassembly to 20000. -Using +To set the maximum number of entries in the memory pool used for fragment +reassembly to 20000: .Bd -literal -offset indent -set limit src-nodes 2000 +set limit frags 20000 .Ed .Pp -sets the maximum number of entries in the memory pool used for tracking +To set the maximum number of entries in the memory pool used for tracking source IP addresses (generated by the .Ar sticky-address and .Ar src.track -options) to 2000. -Using +options) to 2000: +.Bd -literal -offset indent +set limit src-nodes 2000 +.Ed +.Pp +To set limits on the memory pools used by tables: .Bd -literal -offset indent set limit tables 1000 set limit table-entries 100000 .Ed .Pp -sets limits on the memory pools used by tables. The first limits the number of tables that can exist to 1000. The second limits the overall number of addresses that can be stored in tables to 100000. @@ -355,7 +337,7 @@ set limit { states 20000, frags 20000, src-nodes 2000 } .It Ar set loginterface Enable collection of packet and byte count statistics for the given interface or interface group. -These statistics can be viewed using +These statistics can be viewed using: .Bd -literal -offset indent # pfctl -s info .Ed 
@@ -393,18 +375,13 @@ Suitable for almost all networks. Alias for .Ar high-latency . .El -.Pp -For example: -.Bd -literal -offset indent -set optimization aggressive -.Ed .It Ar set reassemble The .Ar reassemble option turns reassembly of fragmented packets on or off. If .Ar no-df -is given fragments with the +is given, fragments with the .Ar dont-fragment bit set have it cleared before entering the fragment cache, and thus the reassembled packet doesn't have @@ -469,9 +446,6 @@ Packets passing in or out on such interfaces are passed as if pf was disabled, i.e. pf does not process them in any way. This can be useful on loopback and other virtual interfaces, when packet filtering is not desired and can have unexpected effects. -For example: -.Pp -.Dl set skip on lo0 .It Ar set state-defaults The .Ar state-defaults @@ -493,11 +467,6 @@ States are bound to interface. .It Ar floating States can match packets on any interfaces (the default). .El -.Pp -For example: -.Bd -literal -offset indent -set state-policy if-bound -.Ed .It Ar set timeout .Pp .Bl -tag -width "src.track" -compact @@ -512,7 +481,7 @@ expires. .Pp When a packet matches a stateful connection, the seconds to live for the connection will be updated to that of the -.Ar proto.modifier +protocol and modifier which corresponds to the connection state. Each packet which matches this state will reset the TTL. Tuning these values may improve the performance of the 
@@ -572,13 +541,13 @@ entries grows. .It Ar adaptive.end When reaching this number of state entries, all timeout values become zero, effectively purging all state entries immediately. -This value is used to define the scale factor, it should not actually +This value is used to define the scale factor; it should not actually be reached (set a lower state limit, see below). .It Ar adaptive.start When the number of state entries exceeds this value, adaptive scaling begins. All timeout values are scaled linearly with factor -(adaptive.end - number of states) / (adaptive.end - adaptive.start). +(adaptive.end \- number of states) / (adaptive.end \- adaptive.start). .El .Pp Adaptive timeouts are enabled by default, with an adaptive.start value |
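Review bot: In the `set fingerprints` hunk (`@@ -276,17 +271,11 @@`), replacing `.Xr pf.os 5 / in / .Pa /etc` with just `.Xr pf.os 5 ,` drops the only statement of where the default fingerprint file lives; a reader who wants to know which file is loaded by default now has to leave pf.conf(5) and read pf.os(5). If the intent is to keep that information here, consider `.Pa /etc/pf.os` alongside the cross-reference, e.g. `loaded from .Pa /etc/pf.os (see .Xr pf.os 5 ),` so the default path is still documented next to the option that overrides it. Removing the `set fingerprints "/etc/pf.os.devel"` example in the same hunk is fine, since the option takes a single quoted filename and the surrounding text already says so.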
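Review bot: In the `set timeout` hunk (`@@ -512,7 +481,7 @@`), `.Ar proto.modifier` is replaced by the prose "protocol and modifier"; this reads better, but `proto.modifier` was also the one place that named the dotted `proto.modifier` syntax the list above uses for its entries, so please check that the `.Bl -tag -width "src.track"` list still makes that naming convention obvious without it. In the adaptive-timeout hunk (`@@ -572,13 +541,13 @@`), the change from `-` to `\-` in `(adaptive.end \- number of states) / (adaptive.end \- adaptive.start)` is correct (a bare `-` is rendered as a hyphen by roff, `\-` as a minus sign), and the semicolon in "define the scale factor; it should not actually be reached" fixes the comma splice; the same `\-` treatment could be applied to any other arithmetic expressions in the page for consistency.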