author:    Theo de Raadt <deraadt@cvs.openbsd.org>  2004-12-07 09:36:17 +0000
committer: Theo de Raadt <deraadt@cvs.openbsd.org>  2004-12-07 09:36:17 +0000
commit:    ffcf866cd2eade2f8c3b4cf1340e449977f6b218
tree:      f82d8e15534f3fd9c3ba6f87509e214f51c2db3e /share
parent:    d6fd9cb07630888fc3d06c488e0dee919fd7fd6d
tree does not compile, spotted by dlg (not obvious how to fix)
---- Change the default for 'overload <table> flush' to flush only states from the offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
Diffstat (limited to 'share')
-rw-r--r--  share/man/man5/pf.conf.5 | 13
1 file changed, 4 insertions, 9 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 837164fe3d8..b1b56a58b61 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.308 2004/12/07 05:30:27 mcbride Exp $
+.\" $OpenBSD: pf.conf.5,v 1.309 2004/12/07 09:36:16 deraadt Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -1963,13 +1963,8 @@ host's bandwidth.
.Pp
The optional
.Ar flush
-keyword kills all states created by the matching rule which originate
-from the host which exceeds these limits.
-The
-.Ar global
-modifier to the flush command kills all states originating from the
-offending host, regardless of which rule created the state.
-.Pp
+keyword kills all existing states originating from hosts exceeding these
+limits.
For example, the following rules will protect the webserver against
hosts making more than 100 connections in 10 seconds.
Any host which connects faster than this rate will have its address added
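Review bot: the restored `+` lines describe flush as killing all existing states from the offending host without qualifying by rule, which is the pre-change semantics the removed `global` sentences had split into per-rule and global; that is the right text for a revert, but the commit message says the change is an ABI change requiring kernel and pfctl to be in sync, and this diffstat is limited to share, so the kernel and pfctl halves of the backout need to land with this commit or the documentation and the running system disagree again. Also, dropping the `.Pp` after "limits." runs "For example, the following rules ..." into the same paragraph as the flush description; if that is not the pre-1.308 layout, keep the paragraph break.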
@@ -1979,7 +1974,7 @@ by the block rule.
.Bd -literal -offset indent
block quick from <bad_hosts>
pass in on $ext_if to $webserver port www flags S/SA keep state \e
- (max-src-conn-rate 100/10, overflow <bad_hosts> flush global)
+ (max-src-conn-rate 100/10, overflow <bad_hosts> flush)
.Ed
.Sh OPERATING SYSTEM FINGERPRINTING
Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
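Review bot: both the removed and the added example line spell the state option `overflow <bad_hosts>`, while the commit message and the paragraph this example illustrates call it `overload <table>`; a revert is not the place to change it, but the example should be corrected to `overload <bad_hosts> flush` in a follow-up, since a rule copied from the manual as written will not parse. Changing `flush global` back to plain `flush` is consistent with the restored paragraph above, which documents flush as killing all states from the offending host.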