authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-05-12 00:54:57 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-05-12 00:54:57 +0000
commit05de2ef6012d56fcdf31b2bc6ec425ea015011b4 (patch)
treeab1a9ae53e9c815f90c3ffb8c69e874f0bd0e6e9 /share
parente9ef1df3259dcdea5c753bb82ccb9abfad765439 (diff)
Add gid based filtering, reduce to one (effective) uid, rename parser
keywords to 'user' and 'group'.
Diffstat (limited to 'share')
-rw-r--r--share/man/man5/pf.conf.526
1 files changed, 14 insertions, 12 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index d05e4fb463d..eef2d49e932 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.44 2002/05/09 21:58:12 jasoni Exp $
+.\" $OpenBSD: pf.conf.5,v 1.45 2002/05/12 00:54:56 dhartmei Exp $
.\"
.\" Copyright (c) 2001, Daniel Hartmeier
.\" All rights reserved.
@@ -51,7 +51,7 @@ rule = action ( "in" | "out" )
[ "proto" ( proto-name | proto-number |
"{" proto-list "}" ) ]
hosts
- [ ruid ] [ euid ] [ flags ]
+ [ user ] [ group ] [ flags ]
[ icmp-type | ipv6-icmp-type ]
[ "keep state" ] [ "modulate state" ]
[ "fragment" ] [ "no-df" ] [ "min-ttl" number ]
@@ -84,8 +84,8 @@ address = ( interface-name | '(' interface-name ')' | host-name |
host-list = host [ "," host-list ] .
port = "port" ( unary-op | binary-op | "{" op-list "}" ) .
-ruid = "ruid" ( unary-op | binary-op | "{" op-list "}" ) .
-euid = "euid" ( unary-op | binary-op | "{" op-list "}" ) .
+user = "user" ( unary-op | binary-op | "{" op-list "}" ) .
+group = "group" ( unary-op | binary-op | "{" op-list "}" ) .
unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
( name | number ) .
@@ -271,26 +271,28 @@ show:
pass in proto tcp from any to any port 25
pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22
.Ed
-.Ss ruid <ruid> euid <euid>
-The rule only applies to packets of sockets owned by the respective real
-and effective user IDs.
+.Ss user <user> group <group>
+The rule only applies to packets of sockets owned by the specified user
+and group.
For outgoing connections initiated from the firewall, this is the user
that opened the connection.
For incoming connections to the firewall itself, this is the user that
listens on the destination port.
For forwarded connections, where the firewall isn't a connection endpoint,
-the user is
+the user and group are
.Em unknown .
All packets, both outgoing and incoming, of one connection are associated
with the same user.
Only TCP and UDP packets can be associated with users, for other protocols
these parameters are ignored.
-Note that user IDs are stored when a socket is created;
+User and group refer to the effective (as opposed to the real) IDs, in
+case the socket is created by a setuid/setgid process.
+Note that user and group IDs are stored when a socket is created;
when a process creates a listening socket as root (for instance, because
it wants to bind to a privileged port) and subsequently sets another
user ID (to drop privileges), the socket's uid remains root.
-User IDs can be specified as either numbers or names, the syntax is
-similar to the one for ports.
+User and group IDs can be specified as either numbers or names, the
+syntax is similar to the one for ports.
The value
.Em unknown
matches packets of forwarded connections.
@@ -298,7 +300,7 @@ Example:
.Bd -literal
# allow only specific users to open outgoing connections
block out proto { tcp, udp } all
- pass out proto { tcp, udp } all ruid { < 1000, dhartmei } keep state
+ pass out proto { tcp, udp } all user { < 1000, dhartmei } keep state
.Ed
.Ss flags <a> | <a>/<b> | /<b>
The rule only applies to TCP packets that have the flags <a> set