.RB [ \- \c
.IR address | \c
.BR / \c
-.IR mask ]| \c
+.IR prefix-length ]| \c
.BR local | any
.RB [ : \c
.IR port [ \c
.PP
(The spaces in the above are optional.)
.PP
-The leading sign says whether
-matching addresses should be
+The leading sign says whether matching addresses should be
.I accepted
.RB (` + ')
or
Matches the address of one of the machine's network interfaces.
.TP
.I address
-Matches just the given address
+Matches just the given IPv4 or IPv6 address. An
+.I address
+may be enclosed in square brackets; IPv6 addresses must be so enclosed,
+because colons are significant in the rest of the ACL syntax.
.TP
.IB address \- address
Matches any address which falls in the given range. Addresses are
compared lexicographically, with octets to the left given precedence
over octets to the right.
.TP
-.IB address / mask
-Matches an address in the given network. The
-.I mask
-may be a netmask in dotted-quad form, or a one-bit-count.
+.IB address / prefix-length
+Matches an address in the given network.
.PP
The port portion may be omitted (which means `match any port'), or may
be a single