author | Peter Stromberg <wilfried@cvs.openbsd.org> | 2001-07-31 09:02:19 +0000 |
---|---|---|
committer | Peter Stromberg <wilfried@cvs.openbsd.org> | 2001-07-31 09:02:19 +0000 |
commit | b0769dbc2507551f4526c8965060598b757d4df7 (patch) | |
tree | c890810de9bc46211229e1fd2596a0c2c520d66f /share | |
parent | 1551f2bd8b7cc0a52785e59576213c36084939f3 (diff) |
allow to test that flags are unset, ok dhartmei@, mickey@
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 3596c52aa7f..e7cd50bd084 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.9 2001/07/22 20:47:19 krw Exp $ +.\" $OpenBSD: pf.conf.5,v 1.10 2001/07/31 09:02:18 wilfried Exp $ .\" .\" Copyright (c) 2001, Daniel Hartmeier .\" All rights reserved. @@ -66,7 +66,7 @@ unary-op = ( "=" | "!=" | "<" | "<=" | ">" | ">=" ) ( port-name | port-number ) . binary-op = port-number ( "<>" | "><" ) port-number . -flags = "flags" flag-set [ "/" flag-set ] . +flags = "flags" ( flag-set | flag-set "/" flag-set | "/" flag-set ) . flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] . icmp-type = "icmp-type" ( icmp-type-name | icmp-type-number ) @@ -187,7 +187,7 @@ show: pass in proto tcp from any to any port = 25 pass in proto tcp from 10.0.0.0/8 port > 1024 to ! 10.1.2.3 port != 22 .Ed -.Ss flags <a>[/<b>] +.Ss flags <a> | <a>/<b> | /<b> The rule only applies to TCP packets that have the flags <a> set out of set <b>. Flags not specified in <b> are ignored. @@ -203,6 +203,9 @@ This is more restrictive than the previous example. If the second set is not specified, it defaults to FSRPAU. Hence, only packets with SYN set and all other flags unset match this rule. This is more restrictive than the previous example. +.It Em flags /SFRA +If the first set is not specified, it defaults to none. +All of SYN, FIN, RST and ACK must be unset. .El .Ss icmp-type <type> code <code> The rule only applies to ICMP packets with the specified type and code. |
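Review bot: in the grammar hunk (@@ -66,7 +66,7 @@), every element of flag-set is optional, so flag-set can already derive the empty string and the three new alternatives overlap. `"/" flag-set` is just `flag-set "/" flag-set` with an empty first set, and the BNF still accepts a bare `flags` keyword with no sets at all. Consider making flag-set require at least one flag so the three alternatives are distinct, and say whether an empty set after the slash is valid.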
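Review bot: in the section-heading hunk (@@ -187,7 +187,7 @@), the heading now lists the `/<b>` form, but the sentence directly under it still describes only "the flags <a> set out of set <b>". The case where <a> is omitted is explained only in the last list item. A clause in that opening sentence saying that with <a> omitted none of the flags in <b> may be set would keep the section summary complete.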
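Review bot: the new example `flags /SFRA` in the last hunk (@@ -203,6 +203,9 @@) writes the flags in the order S, F, R, A, while the flag-set production in the grammar fixes the order as F, S, R, P, A, U. Either write the example as `/FSRA` or state in the grammar that flags may appear in any order. "Defaults to none" would also read more clearly as "defaults to the empty set", in parallel with the "defaults to FSRPAU" wording in the item above, and the item could note that flags outside <b> (here PSH and URG) are still ignored.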