auth: Allow subnet ranges in NetInfo and NetRestrict

[openafs.git] / doc / man-pages / pod5 / NetRestrict.pod

diff --git a/doc/man-pages/pod5/NetRestrict.pod b/doc/man-pages/pod5/NetRestrict.pod
index 471b025..f5d76d9 100644 (file)
--- a/doc/man-pages/pod5/NetRestrict.pod
+++ b/doc/man-pages/pod5/NetRestrict.pod
@@ -14,9 +14,9 @@ to talk to other database servers.
 =head2 FORMAT
 
 The F<NetRestrict> file is in ASCII format. One IP address appears on each
-line, in dotted decimal format. The order of the addresses is not
-significant. There is currently no mechanism to specify a range of
-addresses or a wildcard; each IP address must be listed individually.
+line, in dotted decimal format.  To specify a network instead, use a
+slash (C</>) followed by a subnet length.  The order of the addresses is
+not significant.
 
 =head2 Client NetRestrict
 
@@ -70,6 +70,19 @@ the peer processes on other database machines in the cell.
 To display the File Server interface addresses registered in the VLDB, use
 the B<vos listaddrs> command.
 
+=head1 EXAMPLES
+
+If the File Server should not use the IP address 192.168.1.1 on one of
+its private interfaces, then the F<NetRestrict> file should contain
+the following:
+
+   196.168.1.1
+
+In order to prevent the usage of any 192.168/16 addresses on its local
+interfaces, the F<NetRestrict> file should contain:
+
+   196.168.0.0/16
+
 =head1 SEE ALSO
 
 L<NetInfo(5)>,