From 06ef7596cde557d56d5b09e5724749372ce5b352 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 26 Dec 2014 11:57:24 -0800 Subject: [PATCH] Document the -c 'dump' option Signed-off-by: Tom Eastep --- Shorewall-lite/manpages/shorewall-lite.xml | 5 + Shorewall/manpages/shorewall.xml | 75 ++--- Shorewall6-lite/manpages/shorewall6-lite.xml | 5 + Shorewall6/manpages/shorewall6.xml | 315 +++++++++---------- 4 files changed, 207 insertions(+), 193 deletions(-) diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml index 969d17f6b..b943591ea 100644 --- a/Shorewall-lite/manpages/shorewall-lite.xml +++ b/Shorewall-lite/manpages/shorewall-lite.xml @@ -116,6 +116,8 @@ + + @@ -666,6 +668,9 @@ The -l option causes the rule number for each Netfilter rule to be displayed. + + The option causes the route cache to be + dumped in addition to the other routing information. diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 3c2191458..69fc426f7 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -170,6 +170,8 @@ + + @@ -881,8 +883,7 @@ and causes a warning message to be issued if the line current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in - shorewall.conf(5). 
@@ -921,20 +922,21 @@ compile -- -) to suppress the 'Compiling...' message normally generated by /sbin/shorewall. - When is specified, the compilation is being - performed on a system other than where the compiled script will run. - This option disables certain configuration options that require the - script to be compiled where it is to be run. The use of - requires the presence of a configuration file named capabilities - which may be produced using the command shorewall-lite show -f - capabilities > capabilities on a system with Shorewall Lite + When is specified, the compilation is + being performed on a system other than where the compiled script + will run. This option disables certain configuration options that + require the script to be compiled where it is to be run. The use of + requires the presence of a configuration file + named capabilities which may be produced using + the command shorewall-lite show -f capabilities > + capabilities on a system with Shorewall Lite installed The option was added in Shorewall 4.5.17 - and causes conditional compilation of a script. The - script specified by pathname (or implied - if pathname is omitted) is compiled - if it doesn't exist or if there is any file in the + and causes conditional compilation of a script. The script specified + by pathname (or implied if pathname is omitted) is compiled if it + doesn't exist or if there is any file in the directory or in a directory on the CONFIG_PATH that has a modification time later than the file to be compiled. When no compilation is needed, a message is issued and an 
@@ -951,11 +953,11 @@ and causes a Perl stack trace to be included with each compiler-generated error and warning message. - The option was added in Shorewall 4.6.0 and - causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the line current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall.conf(5). @@ -1028,6 +1030,9 @@ The -l option causes the rule number for each Netfilter rule to be displayed. + + The option causes the route cache to be + dumped in addition to the other routing information. @@ -1189,11 +1194,11 @@ and causes a Perl stack trace to be included with each compiler-generated error and warning message. - The option was added in Shorewall 4.6.0 and - causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - The option was added in Shorewall 4.6.0 + and causes a warning message to be issued if the line current line + contains alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if INLINE_MATCHES is + set to Yes in shorewall.conf(5). @@ -1283,10 +1288,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). The option was added in Shorewall 4.5.3 
@@ -1352,10 +1357,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). @@ -1407,10 +1412,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). The option was added in Shorewall 4.6.5 diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml index ed6fc3f59..e07d58281 100644 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ b/Shorewall6-lite/manpages/shorewall6-lite.xml @@ -116,6 +116,8 @@ + + @@ -668,6 +670,9 @@ The option causes the rule number for each Netfilter rule to be displayed. + + The option causes the route cache to be + dumped in addition to the other routing information. diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml index d13dedba9..2f0851eb9 100644 --- a/Shorewall6/manpages/shorewall6.xml +++ b/Shorewall6/manpages/shorewall6.xml @@ -163,6 +163,8 @@ + + @@ -782,11 +784,11 @@ /etc/shorewall6 is assumed. - The option causes the - compiler to look for a file named capabilities. This file is - produced using the command shorewall6-lite - show -f capabilities > capabilities on a system with - Shorewall6 Lite installed. + The option causes the compiler to look for + a file named capabilities. This file is produced using the command + shorewall6-lite show -f capabilities > + capabilities on a system with Shorewall6 Lite + installed. The option causes the compiler to be run under control of the Perl debugger. 
@@ -804,10 +806,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). @@ -840,20 +842,20 @@ normally generated by /sbin/shorewall6. When is specified, the compilation is - being performed on a system other than where the compiled script will - run. This option disables certain configuration options that require - the script to be compiled where it is to be run. The use of - requires the presence of a configuration file named - capabilities which may be produced using the - command shorewall6-lite show -f capabilities > + being performed on a system other than where the compiled script + will run. This option disables certain configuration options that + require the script to be compiled where it is to be run. The use of + requires the presence of a configuration file + named capabilities which may be produced using + the command shorewall6-lite show -f capabilities > capabilities on a system with Shorewall6 Lite installed. - The option was added in - Shorewall 4.5.17 and causes conditional compilation of a script. The - script specified by pathname (or implied - if pathname is omitted) is compiled - if it doesn't exist or if there is any file in the + The option was added in Shorewall 4.5.17 + and causes conditional compilation of a script. The script specified + by pathname (or implied if pathname is omitted) is compiled if it + doesn't exist or if there is any file in the directory or in a directory on the CONFIG_PATH that has a modification time later than the file to be compiled. When no compilation is needed, a message is issued and an 
@@ -871,10 +873,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). @@ -939,15 +941,18 @@ Produces a verbose report about the firewall configuration for the purpose of problem analysis. - The option causes actual - packet and byte counts to be displayed. Without that option, these - counts are abbreviated. + The option causes actual packet and byte + counts to be displayed. Without that option, these counts are + abbreviated. The option causes any MAC addresses included in Shorewall6 log messages to be displayed. - The option causes the rule - number for each Netfilter rule to be displayed. + The option causes the rule number for each + Netfilter rule to be displayed. + + The option causes the route cache to be + dumped in addition to the other routing information. @@ -1002,8 +1007,8 @@ Deletes /var/lib/shorewall6/filename and /var/lib/shorewall6/save - . If no filename is - given then the file specified by RESTOREFILE in . If no filename is given then the + file specified by RESTOREFILE in shorewall6.conf(5) is assumed. 
@@ -1062,15 +1067,15 @@ Shorewall6 Lite on system is started via ssh. - If is specified and the - start command succeeds, then the - remote Shorewall6-lite configuration is saved by executing + If is specified and the start command succeeds, then the remote + Shorewall6-lite configuration is saved by executing shorewall6-lite save via ssh. - if is included, the - command shorewall6-lite show capabilities -f - > /var/lib/shorewall6-lite/capabilities is executed - via ssh then the generated file is copied to + if is included, the command + shorewall6-lite show capabilities -f > + /var/lib/shorewall6-lite/capabilities is executed via ssh + then the generated file is copied to directory using scp. This step is performed before the configuration is compiled. @@ -1083,10 +1088,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). 
@@ -1111,14 +1116,13 @@ shorewall6.conf(5) and produces an audible alarm when new Shorewall6 messages are logged. - The option causes the MAC - address of each packet source to be displayed if that information is - available. The refresh-interval specifies - the time in seconds between screen refreshes. You can enter a - negative number by preceding the number with "--" (e.g., - shorewall6 logwatch -- -30). In this case, when a - packet count changes, you will be prompted to hit any key to resume - screen refreshes. + The option causes the MAC address of each packet + source to be displayed if that information is available. The + refresh-interval specifies the time in + seconds between screen refreshes. You can enter a negative number by + preceding the number with "--" (e.g., shorewall6 logwatch + -- -30). In this case, when a packet count changes, you + will be prompted to hit any key to resume screen refreshes. @@ -1156,10 +1160,10 @@ refresh only recreates the chains specified in the command while restart recreates the entire Netfilter ruleset.When no chain name is given to the - refresh command, the mangle table is - refreshed along with the blacklist chain (if any). This allows you - to modify /etc/shorewall6/tcrulesand install - the changes using refresh. + refresh command, the mangle table is refreshed + along with the blacklist chain (if any). This allows you to modify + /etc/shorewall6/tcrulesand install the changes + using refresh. The listed chains are assumed to be in the filter table. You can refresh chains in other tables by prefixing the chain name with @@ -1179,10 +1183,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). The - option was added in Shorewall 4.5.3 
@@ -1192,6 +1196,7 @@ Refresh the 'net-fw' chain in the filter table and the 'net_dnat' chain in the nat table + shorewall6 refresh net-fw nat:net_dnat @@ -1225,16 +1230,16 @@ ssh. If is specified and the - restart command succeeds, then the - remote Shorewall6-lite configuration is saved by executing + restart command succeeds, then the remote + Shorewall6-lite configuration is saved by executing shorewall6-lite save via ssh. - if is included, the - command shorewall6-lite show capabilities -f - > /var/lib/shorewall6-lite/capabilities is executed - via ssh then the generated file is copied to - directory using scp. This step is performed - before the configuration is compiled. + if is included, the command + shorewall6-lite show capabilities -f > + /var/lib/shorewall6-lite/capabilities is executed via ssh + then the generated file is copied to directory + using scp. This step is performed before the configuration is + compiled. If is included, it specifies that the root user on system is named @@ -1245,10 +1250,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). @@ -1269,9 +1274,9 @@ restart - Restart is similar to shorewall6 - start except that it assumes that the firewall is already - started. Existing connections are maintained. If a + Restart is similar to shorewall6 start + except that it assumes that the firewall is already started. + Existing connections are maintained. If a directory is included in the command, Shorewall6 will look in that directory first for configuration files. 
@@ -1289,8 +1294,8 @@ The option suppresses the compilation step and simply reused the compiled script which last started/restarted Shorewall, provided that /etc/shorewall6 - and its contents have not - been modified since the last start/restart. + and its contents have not been modified since the last + start/restart. The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the @@ -1304,10 +1309,10 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). The option was added in Shorewall 4.6.5 @@ -1325,11 +1330,11 @@ Restore Shorewall6 to a state saved using the - shorewall6 save command. Existing connections - are maintained. The filename names a restore - file in /var/lib/shorewall6 - created using shorewall6 save; - if no filename is given then Shorewall6 will be + shorewall6 save command. Existing connections are + maintained. The filename names a restore file + in /var/lib/shorewall6 + created using shorewall6 save; if no + filename is given then Shorewall6 will be restored from the file specified by the RESTOREFILE option in shorewall6.conf(5). @@ -1343,8 +1348,8 @@ The option was added in Shorewall 4.6.5. If the option was specified during - shorewall6 save, then the counters saved by - that operation will be restored. + shorewall6 save, then the counters saved by that + operation will be restored. @@ -1365,8 +1370,7 @@ If there are files in the CONFIG_PATH that were modified after the current firewall script was generated, the following warning - message is issued before the script's run command is - executed: + message is issued before the script's run command is executed: WARNING: /var/lib/shorewall6/firewall is not up to date 
@@ -1378,15 +1382,15 @@ Only allowed if Shorewall6 is running. The current configuration is saved in /var/lib/shorewall6/safe-restart - (see the save - command below) then a shorewall6 restart is - done. You will then be prompted asking if you - want to accept the new configuration or not. If you answer "n" or if - you fail to answer within 60 seconds (such as when your new - configuration has disabled communication with your terminal), the - configuration is restored from the saved configuration. If a - directory is given, then Shorewall6 will look in that directory - first when opening configuration files. + (see the save command + below) then a shorewall6 restart is done. You + will then be prompted asking if you want to accept the new + configuration or not. If you answer "n" or if you fail to answer + within 60 seconds (such as when your new configuration has disabled + communication with your terminal), the configuration is restored + from the saved configuration. If a directory is given, then + Shorewall6 will look in that directory first when opening + configuration files. Beginning with Shorewall 4.5.0, you may specify a different timeout value using the @@ -1425,8 +1429,8 @@ The dynamic blacklist is stored in - /var/lib/shorewall6/save. - The state of the firewall is stored in + /var/lib/shorewall6/save. The state of the firewall is + stored in /var/lib/shorewall6/filename for use by the shorewall6 restore and shorewall6 -f start commands. If filename @@ -1463,10 +1467,10 @@ Added in Shorewall 4.6.2. Displays the dynamic chain along with any chains produced by entries in - shorewall-blrules(5).The - option is passed directly through to ip6tables and causes - actual packet and byte counts to be displayed. Without this - option, those counts are abbreviated. + shorewall-blrules(5).The option is passed + directly through to ip6tables and causes actual packet and + byte counts to be displayed. Without this option, those counts + are abbreviated. 
@@ -1475,9 +1479,9 @@ Displays your kernel/ip6tables capabilities. The - option causes the display - to be formatted as a capabilities file for use with - shorewall6 compile -e. + option causes the display to be formatted + as a capabilities file for use with shorewall6 + compile -e. @@ -1487,32 +1491,29 @@ The rules in each chain are - displayed using the ip6tables - -L chain -n -v command. If no - chain is given, all of the chains in the - filter table are displayed. The option is - passed directly through to ip6tables and causes actual packet - and byte counts to be displayed. Without this option, those - counts are abbreviated. - The option specifies the - Netfilter table to display. The default is ip6tables -L + chain -n + -v command. If no chain is + given, all of the chains in the filter table are displayed. + The option is passed directly through to + ip6tables and causes actual packet and byte counts to be + displayed. Without this option, those counts are abbreviated. + The option specifies the Netfilter table + to display. The default is filter. - The ('brief') option - causes rules which have not been used (i.e. which have zero - packet and byte counts) to be omitted from the output. Chains - with no rules displayed are also omitted from the - output. + The ('brief') option causes rules + which have not been used (i.e. which have zero packet and byte + counts) to be omitted from the output. Chains with no rules + displayed are also omitted from the output. - The option causes - the rule number for each Netfilter rule to be - displayed. + The option causes the rule number + for each Netfilter rule to be displayed. - If the option and - the keyword are both omitted and any of - the listed chains do not exist, a - usage message is displayed. + If the option and the + keyword are both omitted and any of the + listed chains do not exist, a usage + message is displayed. 
@@ -1577,9 +1578,9 @@ Displays the last 20 Shorewall6 messages from the log file specified by the LOGFILE option in shorewall6.conf(5). - The option causes the MAC - address of each packet source to be displayed if that - information is available. + The option causes the MAC address of each + packet source to be displayed if that information is + available. @@ -1597,11 +1598,11 @@ Displays the Netfilter mangle table using the command - ip6tables -t mangle -L -n - -v.The option - is passed directly through to ip6tables and causes actual - packet and byte counts to be displayed. Without this option, - those counts are abbreviated. + ip6tables -t mangle -L -n -v.The + option is passed directly through to + ip6tables and causes actual packet and byte counts to be + displayed. Without this option, those counts are + abbreviated. @@ -1665,24 +1666,22 @@ only if they are allowed by the firewall rules or policies. If a directory is included in the command, Shorewall6 will look in that directory first - for configuration files. If is - specified, the saved configuration specified by the RESTOREFILE - option in -f is specified, the + saved configuration specified by the RESTOREFILE option in shorewall6.conf(5) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall6. When is given, a directory may - not be specified. + is given, a directory may not + be specified. Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option was added to shorewall6.conf(5). When LEGACY_FASTSTART=No, the modification times of files in - /etc/shorewall6 are - compared with that of /var/lib/shorewall6/firewall - (the compiled script that last started/restarted the - firewall). + /etc/shorewall6 are compared + with that of /var/lib/shorewall6/firewall (the + compiled script that last started/restarted the firewall). The option causes Shorewall6 to avoid updating the routing table(s). 
@@ -1699,18 +1698,18 @@ compiler-generated error and warning message. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). The option was added in Shorewall 4.6.5 and is only meaningful when the option is also specified. If the previously-saved configuration is restored, and if the option was also specified in the - save command, then the packet and byte - counters will be restored along with the chains and rules. + save command, then the packet and byte counters + will be restored along with the chains and rules. @@ -1761,9 +1760,9 @@ state. If an error occurs during the restart phase, then a shorewall6 restore is performed using the saved configuration. If an error occurs during - the start phase, then Shorewall6 - is cleared. If the start/ - restart succeeds and a + the start phase, then Shorewall6 is + cleared. If the start/ restart succeeds and a timeout is specified then a clear or restore is performed after timeout @@ -1815,10 +1814,10 @@ directory. The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the line current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall6.conf(5). The option was added in Shorewall 4.6.0.
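Review bot: The scope of this commit is much wider than its subject line; the stat line shows 4 files changed, 207 insertions(+), 193 deletions(-) for what is, in substance, four new `-c` paragraphs and two synopsis additions per manpage. Almost every other hunk (the compile -e and -c paragraphs, the logwatch, refresh, restart, safe-restart, save, show capabilities/chain/mangle/log and start paragraphs in shorewall6.xml, and the repeated INLINE_MATCHES warning paragraphs in shorewall.xml) is a pure line-rewrap with no change in wording. Please split the rewrap into its own commit so the documentation change for `-c` can be reviewed on its own and so later `git blame` on these manpages points at a meaningful change.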
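Review bot: In the shorewall.xml hunk at @@ -921,20 +922,21 @@ the rewrapped compile -e paragraph still ends "on a system with Shorewall Lite installed" with no terminating period, while the corresponding shorewall6.xml hunk at @@ -840,20 +842,20 @@ ends "on a system with Shorewall6 Lite installed." Since the line is being rewritten anyway, add the period so the two manpages match.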
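Review bot: The new `-c` text in shorewall-lite.xml (@@ -666,6 +668,9 @@) and shorewall.xml (@@ -1028,6 +1030,9 @@) says "The option causes the route cache to be dumped in addition to the other routing information", but these are the IPv4 manpages and the IPv4 routing cache was removed from the Linux kernel in 3.6; on any kernel at or after that release the option adds no entries to the dump. State that explicitly (for example: "On kernels that no longer have a route cache, this option has no effect") so an operator does not read an empty section as a failure. While at it, follow the convention used by the neighbouring option descriptions in the same files ("The option was added in Shorewall 4.6.5") and record the release in which `-c` appeared; the paragraph as written gives no version.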
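Review bot: The same `-c` paragraph added to shorewall6-lite.xml (@@ -668,6 +670,9 @@) and shorewall6.xml (@@ -939,15 +941,18 @@) omits both the release it was added in and the command that produces the output, which is inconsistent with the rest of the shorewall6 dump/show documentation (for example "Displays the Netfilter mangle table using the command ip6tables -t mangle -L -n -v" in the @@ -1597 hunk of the same file, and "The option was added in Shorewall 4.6.5" for the other dump options). Add "The option was added in Shorewall <version>" and name the routing command whose output is appended, so a reader can reproduce the extra section by hand when diagnosing a multi-ISP or policy-routing problem.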
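Review bot: Every rewrapped INLINE_MATCHES warning paragraph carries the pre-existing typo "if the line current line contains" unchanged: shorewall.xml at @@ -951, @@ -1189, @@ -1283, @@ -1352 and @@ -1407, and shorewall6.xml at @@ -804, @@ -871, @@ -1083, @@ -1179, @@ -1245, @@ -1304, @@ -1699 and @@ -1815. Since these lines are being rewritten in this commit anyway, change them to "if the current line contains alternative input specifications following a semicolon" rather than preserving the duplicated word in thirteen places.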
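Review bot: In the shorewall6.xml hunks at @@ -1062,15 +1067,15 @@ and @@ -1225,16 +1230,16 @@ the rewrapped sentence still begins with a lowercase "if is included, the command shorewall6-lite show capabilities -f > /var/lib/shorewall6-lite/capabilities is executed via ssh". Capitalise "If" to match the preceding sentence ("If is specified and the start command succeeds") in the same paragraph.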
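Review bot: The shorewall6.xml hunk at @@ -1156,10 +1160,10 @@ keeps "This allows you to modify /etc/shorewall6/tcrulesand install the changes using refresh" with no space between the filename and "and"; as this line is being rewrapped, insert the space so the rendered manpage does not run the path into the following word.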
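Review bot: The shorewall6.xml hunk at @@ -1289,8 +1294,8 @@ rewraps "The option suppresses the compilation step and simply reused the compiled script which last started/restarted Shorewall" but leaves the tense error; it should read "simply reuses the compiled script". The same sentence refers to "Shorewall" where the rest of this manpage says "Shorewall6".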
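Review bot: In the shorewall6.xml hunk at @@ -1761,9 +1760,9 @@ the rewrap produces "If the start/ restart succeeds and a timeout is specified", with a stray space after the slash that was introduced by joining the two original lines. Write it as "start/restart" (as the restart paragraph at @@ -1289 already does with "last start/restart").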