- * <config> is either
- * <gid>,[=]<prefix>/<len>[,<junk>]
- * indicating that that gid may allocate addresses in
- * the relevant subspace (<junk> is ignored)
- * if `=' is specified then it's only allowed for the local
- * endpoint address
- * or #...
- * which is a comment
- * or /<config-file-name> or ./<config-file-name> or ../<config-file-name>
- * which refers to a file which contains lines which
- * are each <config>
- * or *
- * which means that anything is permitted
- *
- * Should be run from userv with no-disconnect-hup.
+ * List of additional routes to add for this interface. routes will
+ * be set up on the local system arranging for packets for those
+ * networks to be sent via the created interface. <prefix> must be an
+ * IPv4 address, and mask must be an integer (dotted-quad masks are
+ * not supported). If no additional routes are to be set up, use `-'
+ * or supply an empty argument.
+ *
+ * Each <config> item - whether a line file such as
+ * /etc/userv/ipif-networks, or supplied on the service program
+ * command line - is one of:
+ *
+ * /<config-file-name>
+ * ./<config-file-name>
+ * ../<config-file-name>
+ *
+ * Reads a file which contains lines which are each <config>
+ * items.
+ *
+ * <gid>,[=][-|+]<prefix>/<len>(-|+<prefix>/<len>...)[,<junk>]
+ *
+ * Indicates that <gid> may allocate addresses in the relevant address
+ * range (<junk> is ignored). <gid> must be numeric. To specify a
+ * single host address, you must specify a mask of /32. If `=' is
+ * specified then the specific subrange is only allowed for the local
+ * endpoint address, but not for remote addresses.
+ *
+ * More than one range may be given, with each range prefixed
+ * by + or -. In this case each address range in the rule will
+ * scanned in order, and the first range in the rule that matches
+ * any desired rule will count: if that first matching range is
+ * prefixed by `+' (or nothing) then the rule applies, if it
+ * is prefixed by `-' (or nothing matches), the rule does not.
+ *
+ * *
+ * Means that anything is to be permitted. This should not appear in
+ * /etc/userv/ipif-networks, as that would permit any user on the
+ * system to create any interfaces with any addresses and routes
+ * attached. It is provided so that root can usefully invoke the ipif
+ * service program directly (not via userv), without needing to set up
+ * permissions in /etc/userv/ipif-networks.
+ *
+ * #...
+ *
+ * Comment. Blank lines are also ignored.
+ *
+ * NB: Permission is granted if _any_ config entry matches the request.
+ *
+ * The service program should be run from userv with no-disconnect-hup.
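Review bot: The paragraph on multiple ranges ("More than one range may be given ...") and the closing "NB: Permission is granted if _any_ config entry matches the request" should be tied together, because read on its own a `-' range looks like a deny rule. As documented, a `-' range only stops its own rule from applying, so another entry or an included config file can still grant the same address. Suggest stating this in the NB, for example that a `-' range excludes addresses only within its own rule and does not override other matching entries. Wording points in the same paragraph: "will scanned in order" is missing "be"; "matches any desired rule" presumably means the requested address or route rather than a rule; and "(or nothing)" is used in two senses on consecutive lines (no prefix character, then no range matched), which is worth rewording. In "whether a line file such as", "in a" appears to have been dropped. In the syntax line, `(-|+<prefix>/<len>...)` uses parentheses where the rest of the comment uses brackets for optional parts, so it is unclear whether the additional ranges are optional.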