- replace <> with .Aq

- replace OpenBSD with .Ox

from wiz@netbsd

1 files changed, 144 insertions, 110 deletions

diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8a844fe474f..4157afe870d 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.342 2006/03/14 11:09:44 djm Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.343 2006/04/30 10:12:21 jmc Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -181,9 +181,9 @@ when running with
 .Pp
 For example,
 .Bd -literal -offset indent
-table <private> const { 10/8, 172.16/12, 192.168/16 }
-table <badhosts> persist
-block on fxp0 from { <private>, <badhosts> } to any
+table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
+table \*(Ltbadhosts\*(Gt persist
+block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
 .Ed
 .Pp
 creates a table called private, to hold RFC 1918 private network
@@ -201,8 +201,8 @@ these hosts can be blocked by using
 A table can also be initialized with an address list specified in one or more
 external files, using the following syntax:
 .Bd -literal -offset indent
-table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
-block on fxp0 from <spam> to any
+table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
+block on fxp0 from \*(Ltspam\*(Gt to any
 .Ed
 .Pp
 The files
@@ -491,7 +491,7 @@ For example:
 .Pp
 .Dl set fingerprints \&"/etc/pf.os.devel\&"
 .Pp
-.It Ar set skip on <ifspec>
+.It Ar set skip on Aq Ar ifspec
 List interfaces for which packets should not be filtered.
 Packets passing in or out on such interfaces are passed as if pf was
 disabled, i.e. pf does not process them in any way.
@@ -558,9 +558,9 @@ Using the
 modifier (see below) is recommended in combination with the
 .Ar no-df
 modifier to ensure unique IP identifiers.
-.It Ar min-ttl <number>
+.It Ar min-ttl Aq Ar number
 Enforces a minimum TTL for matching IP packets.
-.It Ar max-mss <number>
+.It Ar max-mss Aq Ar number
 Enforces a maximum MSS for matching TCP packets.
 .It Ar random-id
 Replaces the IP identification field with random values to compensate
@@ -771,9 +771,9 @@ declaration.
 .Ar altq on
 has the following keywords:
 .Bl -tag -width xxxx
-.It Ar <interface>
+.It Aq Ar interface
 Queueing is enabled on the named interface.
-.It Ar <scheduler>
+.It Aq Ar scheduler
 Specifies which queueing scheduler to use.
 Currently supported values
 are
@@ -783,7 +783,7 @@ for Class Based Queueing,
 for Priority Queueing and
 .Ar hfsc
 for the Hierarchical Fair Service Curve scheduler.
-.It Ar bandwidth <bw>
+.It Ar bandwidth Aq Ar bw
 The maximum bitrate for all queues on an
 interface may be specified using the
 .Ar bandwidth
@@ -802,14 +802,14 @@ The value must not exceed the interface bandwidth.
 If
 .Ar bandwidth
 is not specified, the interface bandwidth is used.
-.It Ar qlimit <limit>
+.It Ar qlimit Aq Ar limit
 The maximum number of packets held in the queue.
 The default is 50.
-.It Ar tbrsize <size>
+.It Ar tbrsize Aq Ar size
 Adjusts the size, in bytes, of the token bucket regulator.
 If not specified, heuristics based on the
 interface bandwidth are used to determine the size.
-.It Ar queue <list>
+.It Ar queue Aq Ar list
 Defines a list of subqueues to create on an interface.
 .El
 .Pp
@@ -838,10 +838,10 @@ in a parent
 declaration.
 The following keywords can be used:
 .Bl -tag -width xxxx
-.It Ar on <interface>
+.It Ar on Aq Ar interface
 Specifies the interface the queue operates on.
 If not given, it operates on all matching interfaces.
-.It Ar bandwidth <bw>
+.It Ar bandwidth Aq Ar bw
 Specifies the maximum bitrate to be processed by the queue.
 This value must not exceed the value of the parent
 .Ar queue
@@ -851,7 +851,7 @@ If not specified, defaults to 100% of the parent queue's bandwidth.
 The
 .Ar priq
 scheduler does not support bandwidth specification.
-.It Ar priority <level>
+.It Ar priority Aq Ar level
 Between queues a priority level can be set.
 For
 .Ar cbq
@@ -867,7 +867,7 @@ queues with a higher priority are always served first.
 and
 .Ar Hfsc
 queues with a higher priority are preferred in the case of overload.
-.It Ar qlimit <limit>
+.It Ar qlimit Aq Ar limit
 The maximum number of packets held in the queue.
 The default is 50.
 .El
@@ -875,7 +875,9 @@ The default is 50.
 The
 .Ar scheduler
 can get additional parameters with
-.Ar <scheduler> Ns Li (\& Ar <parameters> No ) .
+.Xo Aq Ar scheduler
+.Pf ( Aq Ar parameters ) .
+.Xc
 Parameters are as follows:
 .Bl -tag -width Fl
 .It Ar default
@@ -909,15 +911,16 @@ The
 .Ar scheduler
 supports some additional options:
 .Bl -tag -width Fl
-.It Ar realtime <sc>
+.It Ar realtime Aq Ar sc
 The minimum required bandwidth for the queue.
-.It Ar upperlimit <sc>
+.It Ar upperlimit Aq Ar sc
 The maximum allowed bandwidth for the queue.
-.It Ar linkshare <sc>
+.It Ar linkshare Aq Ar sc
 The bandwidth share of a backlogged queue.
 .El
 .Pp
-<sc> is an acronym for
+.Aq Ar sc
+is an acronym for
 .Ar service curve .
 .Pp
 The format for service curve specifications is
@@ -1047,9 +1050,9 @@ The packet is redirected to another destination and possibly a
 different port.
 .Ar rdr
 rules can optionally specify port ranges instead of single ports.
-rdr ... port 2000:2999 -> ... port 4000
+rdr ... port 2000:2999 -\*(Gt ... port 4000
 redirects ports 2000 to 2999 (inclusive) to port 4000.
-rdr ... port 2000:2999 -> ... port 4000:*
+rdr ... port 2000:2999 -\*(Gt ... port 4000:*
 redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
 .El
 .Pp
@@ -1094,7 +1097,7 @@ or to the firewall itself.
 Note that redirecting external incoming connections to the loopback
 address, as in
 .Bd -literal -offset indent
-rdr on ne3 inet proto tcp to port spamd -> 127.0.0.1 port smtp
+rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp
 .Ed
 .Pp
 will effectively allow an external host to connect to daemons
@@ -1253,16 +1256,16 @@ If a packet matches a rule which has the
 option set, this rule
 is considered the last matching rule, and evaluation of subsequent rules
 is skipped.
-.It Ar on <interface>
+.It Ar on Aq Ar interface
 This rule applies only to packets coming in on, or going out through, this
 particular interface or interface group.
-.It Ar <af>
+.It Aq Ar af
 This rule applies only to packets of this address family.
 Supported values are
 .Ar inet
 and
 .Ar inet6 .
-.It Ar proto <protocol>
+.It Ar proto Aq Ar protocol
 This rule applies only to packets of this protocol.
 Common protocols are
 .Xr icmp 4 ,
@@ -1275,8 +1278,11 @@ For a list of all the protocol name to number mappings used by
 see the file
 .Em /etc/protocols .
 .It Xo
-.Ar from <source> port <source> os <source>
-.Ar to <dest> port <dest>
+.Ar from Aq Ar source
+.Ar port Aq Ar source
+.Ar os Aq Ar source
+.Ar to Aq Ar dest
+.Ar port Aq Ar dest
 .Xc
 This rule applies only to packets with the specified source and destination
 addresses and ports.
@@ -1287,9 +1293,9 @@ symbolic host names or interface names, or as any of the following keywords:
 .Bl -tag -width xxxxxxxxxxxxxx -compact
 .It Ar any
 Any address.
-.It Ar route <label>
+.It Ar route Aq Ar label
 Any address whose associated route has label
-.Ar <label> .
+.Aq Ar label .
 See
 .Xr route 4
 and
@@ -1300,7 +1306,7 @@ Any address which is not currently routable.
 Any source address that fails a unicast reverse path forwarding (URPF)
 check, i.e. packets coming in on an interface other than that which holds
 the route back to the packet's source address.
-.It Ar <table>
+.It Aq Ar table
 Any address that matches the given table.
 .El
 .Pp
@@ -1347,30 +1353,33 @@ Ports and ranges of ports are specified by using these operators:
 .Bd -literal -offset indent
 =	(equal)
 !=	(unequal)
-<	(less than)
-<=	(less than or equal)
->	(greater than)
->=	(greater than or equal)
+\*(Lt	(less than)
+\*(Le	(less than or equal)
+\*(Gt	(greater than)
+\*(Ge	(greater than or equal)
 :	(range including boundaries)
-><	(range excluding boundaries)
-<>	(except range)
+\*(Gt\*(Lt	(range excluding boundaries)
+\*(Lt\*(Gt	(except range)
 .Ed
 .Pp
-><, <> and :
+.Sq \*(Gt\*(Lt ,
+.Sq \*(Lt\*(Gt
+and
+.Sq \&:
 are binary operators (they take two arguments).
 For instance:
 .Bl -tag -width Fl
 .It Ar port 2000:2004
 means
-.Sq all ports >= 2000 and <= 2004 ,
+.Sq all ports \*(Ge 2000 and \*(Le 2004 ,
 hence ports 2000, 2001, 2002, 2003 and 2004.
-.It Ar port 2000 >< 2004
+.It Ar port 2000 \*(Gt\*(Lt 2004
 means
-.Sq all ports > 2000 and < 2004 ,
+.Sq all ports \*(Gt 2000 and \*(Lt 2004 ,
 hence ports 2001, 2002 and 2003.
-.It Ar port 2000 <> 2004
+.It Ar port 2000 \*(Lt\*(Gt 2004
 means
-.Sq all ports < 2000 or > 2004 ,
+.Sq all ports \*(Lt 2000 or \*(Gt 2004 ,
 hence ports 1-1999 and 2005-65535.
 .El
 .Pp
@@ -1386,20 +1395,20 @@ The host, port and OS specifications are optional, as in the following examples:
 .Bd -literal -offset indent
 pass in all
 pass in from any to any
-pass in proto tcp from any port <= 1024 to any
+pass in proto tcp from any port \*(Le 1024 to any
 pass in proto tcp from any to any port 25
-pass in proto tcp from 10.0.0.0/8 port > 1024 \e
+pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
       to ! 10.1.2.3 port != ssh
 pass in proto tcp from any os "OpenBSD" flags S/SA
 pass in proto tcp from route "DTAG"
 .Ed
 .It Ar all
 This is equivalent to "from any to any".
-.It Ar group <group>
+.It Ar group Aq Ar group
 Similar to
 .Ar user ,
 this rule only applies to packets of sockets owned by the specified group.
-.It Ar user <user>
+.It Ar user Aq Ar user
 This rule only applies to packets of sockets owned by the specified user.
 For outgoing connections initiated from the firewall, this is the user
 that opened the connection.
@@ -1432,7 +1441,7 @@ can only be used with the operators
 and
 .Cm != .
 Other constructs like
-.Cm user >= unknown
+.Cm user \*(Ge unknown
 are invalid.
 Forwarded packets with unknown user and group ID match only rules
 that explicitly compare against
@@ -1442,22 +1451,25 @@ with the operators
 or
 .Cm != .
 For instance
-.Cm user >= 0
+.Cm user \*(Ge 0
 does not match forwarded packets.
 The following example allows only selected users to open outgoing
 connections:
 .Bd -literal -offset indent
 block out proto { tcp, udp } all
 pass  out proto { tcp, udp } all \e
-      user { < 1000, dhartmei } keep state
+      user { \*(Lt 1000, dhartmei } keep state
 .Ed
-.It Ar flags <a>/<b> | /<b>
+.It Xo Ar flags Aq Ar a
+.Pf / Ns Aq Ar b
+.No \*(Ba / Ns Aq Ar b
+.Xc
 This rule only applies to TCP packets that have the flags
-.Ar <a>
+.Aq Ar a
 set out of set
-.Ar <b> .
+.Aq Ar b .
 Flags not specified in
-.Ar <b>
+.Aq Ar b
 are ignored.
 The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
 .Bl -tag -width Fl
@@ -1472,8 +1484,12 @@ This is more restrictive than the previous example.
 If the first set is not specified, it defaults to none.
 All of SYN, FIN, RST and ACK must be unset.
 .El
-.It Ar icmp-type <type> code <code>
-.It Ar icmp6-type <type> code <code>
+.It Xo Ar icmp-type Aq Ar type
+.Ar code Aq Ar code
+.Xc
+.It Xo Ar icmp6-type Aq Ar type
+.Ar code Aq Ar code
+.Xc
 This rule only applies to ICMP or ICMPv6 packets with the specified type
 and code.
 Text names for ICMP types and codes are listed in
@@ -1503,7 +1519,7 @@ The implicit
 .Ar pass
 rule that is used when a packet does not match any rules does not
 allow IP options.
-.It Ar label <string>
+.It Ar label Aq Ar string
 Adds a label (name) to the rule, which can be used to identify the rule.
 For instance,
 pfctl -s labels
@@ -1532,21 +1548,24 @@ For example:
 .Bd -literal -offset indent
 ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
 pass in proto tcp from any to $ips \e
-      port > 1023 label \&"$dstaddr:$dstport\&"
+      port \*(Gt 1023 label \&"$dstaddr:$dstport\&"
 .Ed
 .Pp
 expands to
 .Bd -literal -offset indent
 pass in inet proto tcp from any to 1.2.3.4 \e
-      port > 1023 label \&"1.2.3.4:>1023\&"
+      port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&"
 pass in inet proto tcp from any to 1.2.3.5 \e
-      port > 1023 label \&"1.2.3.5:>1023\&"
+      port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&"
 .Ed
 .Pp
 The macro expansion for the
 .Ar label
 directive occurs only at configuration file parse time, not during runtime.
-.It Ar queue <queue> | ( <queue> , <queue> )
+.It Xo Ar queue Aq Ar queu
+.No \*(Ba ( Aq Ar queue ,
+.Aq Ar queue )
+.Xc
 Packets matching this rule will be assigned to the specified queue.
 If two queues are given, packets which have a
 .Em tos
@@ -1562,7 +1581,7 @@ For example:
 pass in proto tcp to port 25 queue mail
 pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
 .Ed
-.It Ar tag <string>
+.It Ar tag Aq Ar string
 Packets matching this rule will be tagged with the
 specified string.
 The tag acts as an internal marker that can be used to
@@ -1584,7 +1603,7 @@ or
 .Ar binat
 rules in addition to filter rules.
 Tags take the same macros as labels (see above).
-.It Ar tagged <string>
+.It Ar tagged Aq Ar string
 Used with filter or translation rules to specify that packets must already
 be tagged with the given tag in order to match the rule.
 Inverse tag matching can also be done
@@ -1593,7 +1612,7 @@ by specifying the
 operator before the
 .Ar tagged
 keyword.
-.It Ar probability <number>
+.It Ar probability Aq Ar number
 A probability attribute can be attached to a rule, with a value set between
 0 and 1, bounds not included.
 In that case, the rule will be honoured using the given probability value
@@ -1932,7 +1951,7 @@ and
 support the following options:
 .Pp
 .Bl -tag -width xxxx -compact
-.It Ar max <number>
+.It Ar max Aq Ar number
 Limits the number of concurrent states the rule may create.
 When this limit is reached, further packets matching the rule that would
 create state are dropped, until existing states time out.
@@ -1940,7 +1959,9 @@ create state are dropped, until existing states time out.
 Prevent state changes for states created by this rule from appearing on the
 .Xr pfsync 4
 interface.
-.It Ar <timeout> <seconds>
+.It Xo Aq Ar timeout
+.Aq Ar seconds
+.Xc
 Changes the timeout values used for states created by this rule.
 For a list of all valid timeout names, see
 .Sx OPTIONS
@@ -1981,10 +2002,10 @@ each individual rule's limits.
 The following limits can be set:
 .Pp
 .Bl -tag -width xxxx -compact
-.It Ar max-src-nodes <number>
+.It Ar max-src-nodes Aq Ar number
 Limits the maximum number of source addresses which can simultaneously
 have state table entries.
-.It Ar max-src-states <number>
+.It Ar max-src-states Aq Ar number
 Limits the maximum number of simultaneous state entries that a single
 source address can create with this rule.
 .El
@@ -1994,10 +2015,12 @@ which have completed the TCP 3-way handshake) can also be enforced
 per source IP.
 .Pp
 .Bl -tag -width xxxx -compact
-.It Ar max-src-conn <number>
+.It Ar max-src-conn Aq Ar number
 Limits the maximum number of simultaneous TCP connections which have
 completed the 3-way handshake that a single host can make.
-.It Ar max-src-conn-rate <number> / <seconds>
+.It Xo Ar max-src-conn-rate Aq Ar number
+.No / Aq Ar seconds
+.Xc
 Limit the rate of new connections over a time interval.
 The connection rate is an approximation calculated as a moving average.
 .El
@@ -2005,7 +2028,7 @@ The connection rate is an approximation calculated as a moving average.
 Because the 3-way handshake ensures that the source address is not being
 spoofed, more aggressive action can be taken based on these limits.
 With the
-.Ar overload <table>
+.Ar overload Aq Ar table
 state option, source IP addresses which hit either of the limits on
 established connections will be added to the named table.
 This table can be used in the ruleset to block further activity from
@@ -2024,13 +2047,15 @@ offending host, regardless of which rule created the state.
 For example, the following rules will protect the webserver against
 hosts making more than 100 connections in 10 seconds.
 Any host which connects faster than this rate will have its address added
-to the <bad_hosts> table and have all states originating from it flushed.
+to the
+.Aq bad_hosts
+table and have all states originating from it flushed.
 Any new packets arriving from this host will be dropped unconditionally
 by the block rule.
 .Bd -literal -offset indent
-block quick from <bad_hosts>
+block quick from \*(Ltbad_hosts\*(Gt
 pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \e
-	(max-src-conn-rate 100/10, overload <bad_hosts> flush global)
+	(max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
 .Ed
 .Sh OPERATING SYSTEM FINGERPRINTING
 Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
@@ -2043,17 +2068,23 @@ upon.
 The fingerprints may be specified by operating system class, by
 version, or by subtype/patchlevel.
 The class of an operating system is typically the vendor or genre
-and would be OpenBSD for the
+and would be
+.Ox
+for the
 .Xr pf 4
 firewall itself.
-The version of the oldest available OpenBSD release on the main ftp site
+The version of the oldest available
+.Ox
+release on the main FTP site
 would be 2.6 and the fingerprint would be written
 .Pp
 .Dl \&"OpenBSD 2.6\&"
 .Pp
 The subtype of an operating system is typically used to describe the
 patchlevel if that patch led to changes in the TCP stack behavior.
-In the case of OpenBSD, the only subtype is for a fingerprint that was
+In the case of
+.Ox ,
+the only subtype is for a fingerprint that was
 normalized by the
 .Ar no-df
 scrub option and would be specified as
@@ -2235,25 +2266,28 @@ attachment point
 using the following kinds
 of rules:
 .Bl -tag -width xxxx
-.It Ar nat-anchor <name>
+.It Ar nat-anchor Aq Ar name
 Evaluates the
 .Ar nat
 rules in the specified
 .Ar anchor .
-.It Ar rdr-anchor <name>
+.It Ar rdr-anchor Aq Ar name
 Evaluates the
 .Ar rdr
 rules in the specified
 .Ar anchor .
-.It Ar binat-anchor <name>
+.It Ar binat-anchor Aq Ar name
 Evaluates the
 .Ar binat
 rules in the specified
 .Ar anchor .
-.It Ar anchor <name>
+.It Ar anchor Aq Ar name
 Evaluates the filter rules in the specified
 .Ar anchor .
-.It Ar load anchor <name> from <file>
+.It Xo Ar load anchor
+.Aq Ar name
+.Ar from Aq Ar file
+.Xc
 Loads the rules from the specified file into the
 anchor
 .Ar name .
@@ -2414,7 +2448,7 @@ and therefore lacks permission to bind to port 80).
 ext_if = \&"ne3\&"
 
 # map daemon on 8080 to appear to be on 80
-rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
 .Ed
 .Pp
 If the
@@ -2422,7 +2456,7 @@ If the
 modifier is given, packets matching the translation rule are passed without
 inspecting the filter rules:
 .Bd -literal
-rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
+rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
       port 8080
 .Ed
 .Pp
@@ -2435,7 +2469,7 @@ network appear as though it is the Internet routable address
 for the nodes on vlan12.
 (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
 .Bd -literal
-nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
+nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
 .Ed
 .Pp
 In the example below, the machine sits between a fake internal 144.19.74.*
@@ -2446,7 +2480,7 @@ rule excludes protocol AH from being translated.
 .Bd -literal
 # NO NAT
 no nat on $ext_if proto ah from 144.19.74.0/24 to any
-nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
+nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
 .Ed
 .Pp
 In the example below, packets bound for one specific server, as well as those
@@ -2455,7 +2489,7 @@ generated by the sysadmins are not proxied; all other connections are.
 # NO RDR
 no rdr on $int_if proto { tcp, udp } from any to $server port 80
 no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
-rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
+rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
       port 80
 .Ed
 .Pp
@@ -2473,33 +2507,33 @@ manpage.
 # NAT
 # Translate outgoing packets' source addresses (any protocol).
 # In this case, any address but the gateway's external address is mapped.
-nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
+nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
 
 # NAT PROXYING
 # Map outgoing packets' source port to an assigned proxy port instead of
 # an arbitrary port.
 # In this case, proxy outgoing isakmp with port 500 on the gateway.
-nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
+nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
       port 500
 
 # BINAT
 # Translate outgoing packets' source address (any protocol).
 # Translate incoming packets' destination address to an internal machine
 # (bidirectional).
-binat on $ext_if from 10.1.2.150 to any -> $ext_if
+binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
 
 # RDR
 # Translate incoming packets' destination addresses.
 # As an example, redirect a TCP and UDP port to an internal machine.
 rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
-      -> 10.1.2.151 port 22
+      -\*(Gt 10.1.2.151 port 22
 rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
-      -> 10.1.2.151 port 53
+      -\*(Gt 10.1.2.151 port 53
 
 # RDR
 # Translate outgoing ftp control connections to send them to localhost
 # for proxying with ftp-proxy(8) running on port 8021.
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
 .Ed
 .Pp
 In this example, a NAT gateway is set up to translate internal addresses
@@ -2511,13 +2545,13 @@ network.
 # Translate outgoing packets' source addresses using an address pool.
 # A given source address is always translated to the same pool address by
 # using the source-hash keyword.
-nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
+nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
 
 # RDR ROUND ROBIN
 # Translate incoming web server connections to a group of web servers on
 # the internal network.
 rdr on $ext_if proto tcp from any to any port 80 \e
-      -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
+      -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
 .Ed
 .Sh FILTER EXAMPLES
 .Bd -literal
@@ -2537,7 +2571,7 @@ block return log on $ext_if all
 # block anything coming from source we have no back routes for
 block in from no-route to any
 
-# block packets whose ingress interface does not match the one in 
+# block packets whose ingress interface does not match the one in
 # the route back to their source address
 block in from urpf-failed to any
 
@@ -2610,8 +2644,8 @@ pass out on $ext_if proto tcp from any to any port 80 keep state
 # tag incoming packets as they are redirected to spamd(8). use the tag
 # to pass those packets through the packet filter.
 
-rdr on $ext_if inet proto tcp from <spammers> to port smtp \e
-	tag SPAMD -> 127.0.0.1 port spamd
+rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
+	tag SPAMD -\*(Gt 127.0.0.1 port spamd
 
 block in on $ext_if
 pass in on $ext_if inet proto tcp tagged SPAMD keep state
@@ -2660,7 +2694,7 @@ filteropt      = user | group | flags | icmp-type | icmp6-type | tos |
 nat-rule       = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                  [ "on" ifspec ] [ af ]
                  [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
-                 [ "->" ( redirhost | "{" redirhost-list "}" )
+                 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] [ "static-port" ] ]
 
 binat-rule     = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
@@ -2668,19 +2702,19 @@ binat-rule     = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                  [ "proto" ( proto-name | proto-number ) ]
                  "from" address [ "/" mask-bits ] "to" ipspec
                  [ "tag" string ] [ "tagged" string ]
-                 [ "->" address [ "/" mask-bits ] ]
+                 [ "-\*(Gt" address [ "/" mask-bits ] ]
 
 rdr-rule       = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
                  [ "on" ifspec ] [ af ]
                  [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
-                 [ "->" ( redirhost | "{" redirhost-list "}" )
+                 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] ]
 
 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
                  "for" ( interface-name | "{" interface-list "}" )
                  [ af ] [ "label" string ]
 
-table-rule     = "table" "<" string ">" [ tableopts-list ]
+table-rule     = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
 tableopts-list = tableopts-list tableopts | tableopts
 tableopts      = "persist" | "const" | "file" string |
                  "{" [ tableaddr-list ] "}"
@@ -2734,7 +2768,7 @@ hosts          = "all" |
                  "{" host-list "}" | "route" string ) [ port ]
 
 ipspec         = "any" | host | "{" host-list "}"
-host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
+host           = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
 redirhost      = address [ "/" mask-bits ]
 routehost      = "(" interface-name [ address [ "/" mask-bits ] ] ")"
 address        = ( interface-name | "(" interface-name ")" | hostname |
@@ -2749,9 +2783,9 @@ os             = "os"  ( os-name | "{" os-list "}" )
 user           = "user" ( unary-op | binary-op | "{" op-list "}" )
 group          = "group" ( unary-op | binary-op | "{" op-list "}" )
 
-unary-op       = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
+unary-op       = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
                  ( name | number )
-binary-op      = number ( "<>" | "><" | ":" ) number
+binary-op      = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
 op-list        = ( unary-op | binary-op ) [ [ "," ] op-list ]
 
 os-name        = operating-system-name
@@ -2776,7 +2810,7 @@ state-opt      = ( "max" number | "no-sync" | timeout |
                  "max-src-nodes" number | "max-src-states" number |
                  "max-src-conn" number |
                  "max-src-conn-rate" number "/" number |
-                 "overload" "<" string ">" [ "flush" ] |
+                 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
                  "if-bound" | "floating" )
 
 fragmentation  = [ "fragment reassemble" | "fragment crop" |