| ALL | The universal wildcard, always matches. | 
| LOCAL | Matches any host whose name does not contain a dot character. | 
| UNKNOWN | Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to. | 
| KNOWN | Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to. | 
| PARANOID | Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests. | 
| %a (%A) | The client (server) host address. | 
| %c | Client information: user@host, user@address, a host name, or just an address, depending on how much information is available. | 
| %d | The daemon process name (argv[0] value). | 
| %h (%H) | The client (server) host name or address, if the host name is unavailable. | 
| %n (%N) | The client (server) host name (or "unknown" or "paranoid"). | 
| %p | The daemon process id. | 
| %s | Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available. | 
| %u | The client user name (or "unknown"). | 
| %% | Expands to a single '%' character. |
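
The following Python model is an added example, not tcpd's own code. It shows which host wildcards match a client and what the %-sequences put into a log line when the host name is missing or fails the PARANOID check. The `Endpoint` class, its field names, the "unknown" placeholder for a missing address, and the treatment of a mismatched name as unavailable are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    """One side of a connection (constructed model, not tcpd's own structure)."""
    name: Optional[str] = None   # resolved host name, None if lookup failed
    addr: Optional[str] = None   # network address, None if undeterminable
    who: Optional[str] = None    # client user name, or daemon name for the server
    mismatch: bool = False       # True when the name does not match the address

    def name_ok(self) -> bool:
        # Assumption: a name that fails the PARANOID check counts as unavailable.
        return self.name is not None and not self.mismatch

def host_wildcard(pattern: str, c: Endpoint) -> bool:
    """Evaluate one host wildcard from the table against a client."""
    checks = {
        "ALL": True,
        "LOCAL": c.name_ok() and "." not in (c.name or ""),
        "UNKNOWN": c.name is None or c.addr is None,      # name OR address unknown
        "KNOWN": c.name_ok() and c.addr is not None,      # name AND address known
        "PARANOID": c.mismatch,
    }
    return checks[pattern]

def expand(template: str, client: Endpoint, server: Endpoint, pid: int) -> str:
    """Expand the %-sequences from the table, applying the documented fallbacks."""
    def n(e):  # %n / %N: host name, or "unknown" / "paranoid"
        return "paranoid" if e.mismatch else (e.name or "unknown")
    def h(e):  # %h / %H: host name, or the address when the name is unavailable
        return e.name if e.name_ok() else (e.addr or "unknown")
    def a(e):  # %a / %A: address ("unknown" placeholder is an assumption here)
        return e.addr or "unknown"
    c_info = f"{client.who}@{h(client)}" if client.who else h(client)
    has_host = server.name_ok() or server.addr is not None
    s_info = f"{server.who}@{h(server)}" if has_host else str(server.who)
    table = {
        "a": a(client), "A": a(server), "h": h(client), "H": h(server),
        "n": n(client), "N": n(server), "c": c_info, "s": s_info,
        "d": str(server.who), "p": str(pid), "u": client.who or "unknown", "%": "%",
    }
    # Unrecognised sequences are left as written (a choice made in this example).
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), template)
```

For a client whose name does not match its address, %n logs "paranoid" while %h and %c fall back to the address, so a log line built from %h still identifies the peer.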