diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index bf3b4e75c..6d5aad84e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1339,57 +1339,33 @@ sub supplied( $ ) {
# ensure that it has an appropriate number of columns.
# supply '-' in omitted trailing columns.
-#
-sub split_line( $$ ) {
- my ( $description, $columnsref ) = @_;
-
- my @maxcolumns = ( keys %$columnsref );
- my $maxcolumns = @maxcolumns;
-
- my ( $columns, $pairs, $rest ) = split( ';', $currentline );
-
- fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
- fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $columns =~ /["'`\\]/;
- fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
-
- my @line = split( ' ', $columns );
-
- my $line = @line;
-
- fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
-
- $line-- while $line > 0 && $line[$line-1] eq '-';
-
- push @line, '-' while @line < $maxcolumns;
-
- if ( supplied $pairs ) {
- my @pairs = split( ' ', $pairs );
-
- for ( @pairs ) {
- fatal_error "Invalid column/value pair ($_)" unless /^(\w+)=(.+)$/;
- my ( $column, $value ) = ( lc $1, $2 );
- fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
- $column = $columnsref->{$column};
- fatal_error "The $1 column already has a value" unless $line[$column] eq '-';
- $line[$column] = $value =~ /^"([^"]+)"$/ ? $1 : $value;
- }
- }
-
- @line;
-}
-
-#
-# Version of 'split_line' used on files with exceptions
+# Handles all of the supported forms of column/pair specification
#
sub split_line1( $$;$ ) {
my ( $description, $columnsref, $nopad) = @_;
my @maxcolumns = ( keys %$columnsref );
my $maxcolumns = @maxcolumns;
-
+ #
+ # First see if there is a semicolon on the line; what follows will be column/value paris
+ #
my ( $columns, $pairs, $rest ) = split( ';', $currentline );
- fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+ if ( supplied $pairs ) {
+ #
+ # Found it -- be sure there wasn't more than one.
+ #
+ fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+ } elsif ( $currentline =~ /(.*){(.*)}$/ ) {
+ #
+ # Pairs are enclosed in curly brackets.
+ #
+ $columns = $1;
+ $pairs = $2;
+ } else {
+ $pairs = '';
+ }
+
fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
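Review bot: The "Only one semicolon" check on L65 now runs only when the text between the first two semicolons is non-empty, so a line such as `ACCEPT net loc ;; proto=tcp` no longer fails: `$pairs` is the empty string, `supplied` is false, and the pairs in `$rest` are silently discarded. Hoisting `fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;` back to directly after the `split` on L59 restores the previous behaviour for every form. The curly-bracket pattern on L66 also leaves the braces unescaped; writing it as `$currentline =~ /(.*)\{(.*)\}$/` keeps perl from trying to read `{` as a quantifier and avoids the warning recent perls emit for an unescaped left brace. With the greedy `(.*)` the match splits at the last `{` on the line, which is presumably intended, but a comment saying so would help the next reader.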
@@ -1397,7 +1373,7 @@ sub split_line1( $$;$ ) {
$nopad = { COMMENT => 0 } unless $nopad;
- my $first = $line[0];
+ my $first = supplied $line[0] ? $line[0] : '-';
my $npcolumns = $nopad->{$first};
if ( defined $npcolumns ) {
@@ -1416,21 +1392,31 @@ sub split_line1( $$;$ ) {
push @line, '-' while @line < $maxcolumns;
if ( supplied $pairs ) {
- my @pairs = split( ' ', $pairs );
+ $pairs =~ s/^\s*//;
+ $pairs =~ s/\s*$//;
+
+ my @pairs = split( /,?\s+/, $pairs );
for ( @pairs ) {
- fatal_error "Invalid column/value pair ($_)" unless /^(\w+)=(.+)$/;
+ fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
my ( $column, $value ) = ( lc $1, $2 );
fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
$column = $columnsref->{$column};
- fatal_error "The $1 column already has a value" unless $line[$column] eq '-';
- $line[$column] = $value =~ /^"([^"]+)"$/ ? $1 : $value;
+ fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+ $value = $1 if $value =~ /^"([^"]+)"$/;
+ fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+ fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+ $line[$column] = $value;
}
}
@line;
}
+sub split_line($$) {
+ &split_line1( @_, {} );
+}
+
#
# Open a file, setting $currentfile. Returns the file's absolute pathname if the file
# exists, is non-empty and was successfully opened. Terminates with a fatal error
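Review bot: The value validation added on L102–103 matches against `$columns` rather than `$value`, so a pair value containing double quotes, back quotes, backslashes or non-printable characters is never rejected; `$columns` was already checked earlier in the function (L76–77), which makes these two lines and the repeat on L100 no-ops. The messages show the intent, so apply the two regexes on L102–103 to `$value` instead of `$columns` and drop L100. The message on L103 also interpolates `$column` after L97 has replaced the name with its index, so it would report a number; keep the lowercased name in a separate variable (e.g. `my ( $name, $value ) = ( lc $1, $2 );`) and use that in the message. The previous "column already has a value" check was removed, so a pair now silently overrides a value given positionally in the same entry; if that is intentional it deserves a comment on L104, otherwise restore the check before the assignment. A trailing comma on the final pair (`proto:udp,`) is not removed by L88–89 and survives `split( /,?\s+/, $pairs )` into the value.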
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 0226fcf8e..39ef5b13c 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1037,7 +1037,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
#
sub process_tc_filter() {
- my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { interface => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+ my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
fatal_error 'CLASS must be specified' if $devclass eq '-';
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 5ca10a5f2..5a811ca57 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -504,21 +504,51 @@ ACCEPT net:\
as column-name/value
pairs.
- At any point, you can enter a semicolon (';') followed by one or
- more specifications of the form:
+ There is considerable flexibility in how you specify the
+ pairs:
-
- column-name=value
-
+
+
+ At any point, you can enter a semicolon (';') followed by one or
+ more specifications of the following forms:
- The value may optionally be enclosed in double quotes.
+
+ column-name=value
- The following table shows the right-most required column and the
- remaining column names for each of the table-oriented configuration
- files.
+ column-name=>value
+
+ column-name:value
+
+
+ The value may optionally be enclosed in double quotes.
+
+ The pairs must be separated by white space, but you can add a
+ comma adjacent to the values for
+ readability as in:
+
+
+ ; proto=>udp,
+ port=1024
+
+
+
+
+ You can enclose the pairs in curly brackets ("{...}") rather
+ than separating them from columns by a semicolon:
+
+
+ { proto:udp, port:1024
+ }
+
+
+
+
+ The following table shows the column names for each of the
+ table-oriented configuration files.
- Column names are case-insensitive.
+ Column names are case-insensitive.
@@ -576,7 +606,7 @@ ACCEPT net:\
nat
- external,interface,internal,allints,localnat
+ external,interface,internal,allints,local
@@ -630,7 +660,7 @@ ACCEPT net:\
secmarks
- secmark,source,dest,proto,dport,sport,user,mark
+ secmark,chain,source,dest,proto,dport,sport,user,mark
@@ -648,7 +678,7 @@ ACCEPT net:\
tcfilters
- interface,source,dest,proto,dport,sport,tos,length
+ class,source,dest,proto,dport,sport,tos,length
@@ -694,7 +724,13 @@ ACCEPT net:\
#ACTION SOURCE DEST PROTO DEST
# PORT(S)
-DNAT net loc:10.0.0.1 tcp 80 ; mark="88"
+DNAT net loc:10.0.0.1 tcp 80 ; mark="88"
+
+ Here's the same line in several equivalent formats:
+
+ { action=>DNAT, source=>net, dest=>loc:10.0.0.1, proto=>tcp, dport=>80, mark=>88 }
+; action:"DNAT" source:"net" dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
+DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }
diff --git a/manpages/shorewall-accounting.xml b/manpages/shorewall-accounting.xml
index 64eaf5b0a..5da421078 100644
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -165,7 +165,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax):
@@ -343,7 +345,7 @@
- DESTINATION - {DESTINATION (dest) - {-|any|all|interface|interface
- PROTOCOL - {PROTOCOL (proto) - {-|any|all|protocol-name|protocol-number|
- DEST PORT(S) - {-|DEST PORT(S) (dport) -
+ {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
@@ -401,8 +403,8 @@
- SOURCE PORT(S) - {-|SOURCE PORT(S) (sport)-
+ {-|any|all|port-name-or-number[,port-name-or-number]...}
@@ -418,7 +420,7 @@
- USER/GROUP - [USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number][+program-name]
@@ -674,7 +676,7 @@
the values -, any and all may be
used as wildcards. Omitted trailing columns are also treated as
- wildcards.
+ wildcard.
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml
index e9ad6464c..b2ff8300a 100644
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -26,12 +26,14 @@
The blacklist file is used to perform static blacklisting. You can
blacklist by source address (IP or MAC), or by application.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
- ADDRESS/SUBNET - {-|ADDRESS/SUBNET (networks) -
+ {-|~mac-address|ip-address|address-range|+ipset}
@@ -55,34 +57,32 @@
- PROTOCOL (Optional) -
- {PROTOCOL (proto) - {-|[!]protocol-number|[!]protocol-name}
- If specified, must be a protocol number or a protocol name
- from protocols(5).
+ Optional - If specified, must be a protocol number or a
+ protocol name from protocols(5).
- PORTS (Optional) - {PORTS - {-|[!]port-name-or-number[,port-name-or-number]...}
- May only be specified if the protocol is TCP (6) or UDP (17).
- A comma-separated list of destination port numbers or service names
- from services(5).
+ Optional - may only be specified if the protocol is TCP (6) or
+ UDP (17). A comma-separated list of destination port numbers or
+ service names from services(5).
- OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src|whitelist|audit}[,...]}
+ OPTIONS - {-|{dst|src|whitelist|audit}[,...]}
- If specified, indicates whether traffic
- from ADDRESS/SUBNET (Optional - added in 4.4.12. If specified, indicates whether
+ traffic from ADDRESS/SUBNET (src) or traffic to
ADDRESS/SUBNET (dst) should be
blacklisted. The default is src. If
diff --git a/manpages/shorewall-maclist.xml b/manpages/shorewall-maclist.xml
index bc17d6b78..6d573056a 100644
--- a/manpages/shorewall-maclist.xml
+++ b/manpages/shorewall-maclist.xml
@@ -31,7 +31,9 @@
url="shorewall-hosts.html">shorewall-hosts(5) configuration
file.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -73,17 +75,17 @@
- IP ADDRESSES (Optional) -
+ IP ADDRESSES (addresses) -
[address[,address]...]
- If specified, both the MAC and IP address must match. This
- column can contain a comma-separated list of host and/or subnet
- addresses. If your kernel and iptables have iprange match support
- then IP address ranges are also allowed. Similarly, if your kernel
- and iptables include ipset support than set names (prefixed by "+")
- are also allowed.
+ Optional - if specified, both the MAC and IP address must
+ match. This column can contain a comma-separated list of host and/or
+ subnet addresses. If your kernel and iptables have iprange match
+ support then IP address ranges are also allowed. Similarly, if your
+ kernel and iptables include ipset support than set names (prefixed
+ by "+") are also allowed.
diff --git a/manpages/shorewall-nat.xml b/manpages/shorewall-nat.xml
index 45bad9d14..02d13ac8b 100644
--- a/manpages/shorewall-nat.xml
+++ b/manpages/shorewall-nat.xml
@@ -35,7 +35,9 @@
solution that one-to-one NAT.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -101,8 +103,9 @@
- ALL INTERFACES - [Yes|No]
+ ALL INTERFACES (allints) -
+ [Yes|No]If Yes or yes, NAT will be effective from all hosts. If No or
diff --git a/manpages/shorewall-netmap.xml b/manpages/shorewall-netmap.xml
index 7c4eb46aa..1355f7773 100644
--- a/manpages/shorewall-netmap.xml
+++ b/manpages/shorewall-netmap.xml
@@ -31,7 +31,9 @@
support included.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -123,24 +125,23 @@
- PROTO (Optional - Added in Shorewall
- 4.4.23.2) -
+ PROTO -
protocol-number-or-name
- Only packets specifying this protocol will have their IP
- header modified.
+ Optional -- added in Shorewall 4.4.23.2. Only packets
+ specifying this protocol will have their IP header modified.
- DEST PORT(S) (Optional - Added in
- Shorewall 4.4.23.2) -
+ DEST PORT(S) (dport) -
port-number-or-name-list
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port
+ Optional - added in Shorewall 4.4.23.2. Destination Ports. A
+ comma-separated list of Port names (from services(5)),
+ port numbers or port
ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
@@ -161,14 +162,14 @@
- DEST PORT(S) (Optional - Added in
- Shorewall 4.4.23.2) -
+ SOURCE PORT(S) (sport) -
port-number-or-name-list
- Source port(s). If omitted, any source port is acceptable.
- Specified as a comma-separated list of port names, port numbers or
- port ranges.
+ Optional -- added in Shorewall 4.4.23.2. Source port(s). If
+ omitted, any source port is acceptable. Specified as a
+ comma-separated list of port names, port numbers or port
+ ranges.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
diff --git a/manpages/shorewall-notrack.xml b/manpages/shorewall-notrack.xml
index 6324b9a7f..86b50fd24 100644
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@@ -27,7 +27,9 @@
connection tracking. Traffic matching entries in this file will not be
tracked.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -101,7 +103,7 @@
- DEST PORT(S) - port-number/service-name-list
+ DEST PORT(S) (dport) - port-number/service-name-listA comma-separated list of port numbers and/or service names
@@ -113,7 +115,7 @@
- SOURCE PORT(S) - port-number/service-name-list
+ SOURCE PORT(S) (sport) - port-number/service-name-listA comma-separated list of port numbers and/or service names
@@ -125,7 +127,7 @@
- USER/GROUP ‒
+ USER/GROUP (user) ‒
[user][:group]
diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml
index 938549bdd..0f12939ad 100644
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@@ -51,7 +51,9 @@
in this file.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -204,14 +206,14 @@
- LOG LEVEL (Optional) -
+ LOG LEVEL (loglevel) -
[log-level|ULOG|NFLOG]
- If supplied, each connection handled under the default POLICY
- is logged at that level. If not supplied, no log message is
- generated. See syslog.conf(5) for a description of log
+ Optional - if supplied, each connection handled under the
+ default POLICY is logged at that level. If not supplied, no log
+ message is generated. See syslog.conf(5) for a description of log
levels.You may also specify ULOG or NFLOG (must be in upper case).
@@ -225,7 +227,7 @@
- BURST:LIMIT -
+ BURST:LIMIT (limit) -
[{s|d}:[[name]:]]]rate/{ command.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -47,27 +49,27 @@
- HOST(S) (Optional) - [HOST(S) (hosts) - [-|address[,address]...]
- Comma-separated list of IP/subnet addresses. If your kernel
- and iptables include iprange match support, IP address ranges are
- also allowed.
+ Optional. Comma-separated list of IP/subnet addresses. If your
+ kernel and iptables include iprange match support, IP address ranges
+ are also allowed.If left empty or supplied as "-", 0.0.0.0/0 is assumed.
- OPTIONS (Optional) - [OPTIONS - [-|option[,option]...]
- A comma-separated list of options. The order of the options is
- not important but the list can contain no embedded whitespace. The
- currently-supported options are:
+ Optional. A comma-separated list of options. The order of the
+ options is not important but the list can contain no embedded
+ whitespace. The currently-supported options are:
@@ -133,26 +135,26 @@
- DEST PORT(S) (Optional) ‒
+ DEST PORT(S) (dport) ‒
service-name/port-number-list
- A comma-separated list of port numbers and/or service names
- from /etc/services. May also include port
- ranges of the form
+ Optional. A comma-separated list of port numbers and/or
+ service names from /etc/services. May also
+ include port ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
- SOURCE PORT(S) (Optional) ‒
+ SOURCE PORT(S) (sport) ‒
service-name/port-number-list
- A comma-separated list of port numbers and/or service names
- from /etc/services. May also include port
- ranges of the form
+ Optional. A comma-separated list of port numbers and/or
+ service names from /etc/services. May also
+ include port ranges of the form
low-port:high-port
if your kernel and iptables include port range support.
diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index 03de5c65a..d941e79af 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -136,7 +136,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -859,7 +861,7 @@
- PROTO (Optional) - {PROTO- {-|tcp:syn|ipp2p|all}
- Protocol - ipp2p* requires
- ipp2p match support in your kernel and iptables. Optional Protocol - ipp2p*
+ requires ipp2p match support in your kernel and iptables. tcp:syn implies tcp plus the SYN flag must be set and the
RST,ACK and FIN flags must be reset.
@@ -881,18 +883,18 @@
- DEST PORT(S) (Optional) -
+ DEST PORT(S) (dport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port ranges; if the protocol is
- icmp, this column is interpreted as
- the destination icmp-type(s). ICMP types may be specified as a
- numeric type, a numberic type and code separated by a slash (e.g.,
- 3/4), or a typename. See Optional destination Ports. A comma-separated list of Port
+ names (from services(5)), port numbers or port ranges; if the
+ protocol is icmp, this column is
+ interpreted as the destination icmp-type(s). ICMP types may be
+ specified as a numeric type, a numberic type and code separated by a
+ slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.
Note that prior to Shorewall 4.4.19, only a single ICMP type may be
listsed.
@@ -924,15 +926,15 @@
- SOURCE PORT(S) (Optional) -
+ SOURCE PORT(S) (sport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
- Port(s) used by the client. If omitted, any source port is
- acceptable. Specified as a comma- separated list of port names, port
- numbers or port ranges.
+ Optional port(s) used by the client. If omitted, any source
+ port is acceptable. Specified as a comma- separated list of port
+ names, port numbers or port ranges.Unless you really understand IP, you should leave this
@@ -959,19 +961,19 @@
- ORIGINAL DEST (Optional) -
+ ORIGINAL DEST (origdest) -
[-|address[,address]...[exclusion]|exclusion]
- If ACTION is DNAT[-] or REDIRECT[-]
- then if this column is included and is different from the IP address
- given in the DEST column, then
- connections destined for that address will be forwarded to the IP
- and port specified in the DEST
- column.
+ Optional. If ACTION is DNAT[-] or
+ REDIRECT[-] then if this column is included and is
+ different from the IP address given in the DEST column, then connections destined for
+ that address will be forwarded to the IP and port specified in the
+ DEST column.A comma-separated list of addresses may also be used. This is
most useful with the REDIRECT
@@ -1013,8 +1015,8 @@
- RATE LIMIT (Optional) -
- [-|[{s|RATE LIMIT (rate) - [-|[{s|d}:[[name]:]]]rate/{sec|day}[:burst]
- You may rate-limit the rule by placing a value in this
- column:
+ You may optionally rate-limit the rule by placing a value in
+ this column:rate is the number of connections per
interval (sec or
- USER/GROUP (Optional) -
- [USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number][+program-name]
- This column may only be non-empty if the SOURCE is the
- firewall itself.
+ This optional column may only be non-empty if the SOURCE is
+ the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml
index 8030fc34d..24a0fee56 100644
--- a/manpages/shorewall-secmarks.xml
+++ b/manpages/shorewall-secmarks.xml
@@ -34,7 +34,9 @@
The secmarks file is used to associate an SELinux context with
packets. It was added in Shorewall version 4.4.13.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -89,7 +91,7 @@
- CHAIN:STATE -
+ CHAIN:STATE (chain) -
{P|I|F|O|T}[:{N|I|NI|E|ER}]
@@ -216,14 +218,14 @@
- PORT(S) (Optional) - [PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port
- ranges; if the protocol is Optional destination Ports. A comma-separated list of Port
+ names (from services(5)), port numbers or
+ port ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -243,26 +245,26 @@
- SOURCE PORT(S) (Optional) -
+ SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
- Source port(s). If omitted, any source port is acceptable.
- Specified as a comma-separated list of port names, port numbers or
- port ranges.
+ Optional source port(s). If omitted, any source port is
+ acceptable. Specified as a comma-separated list of port names, port
+ numbers or port ranges.
- USER (Optional) - [USER - [!][user-name-or-number][:group-name-or-number]
- This column may only be non-empty if the SOURCE is the
- firewall itself.
+ This optional column may only be non-empty if the SOURCE is
+ the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
diff --git a/manpages/shorewall-tcdevices.xml b/manpages/shorewall-tcdevices.xml
index 1d3f9c7d0..4c03b8742 100644
--- a/manpages/shorewall-tcdevices.xml
+++ b/manpages/shorewall-tcdevices.xml
@@ -91,7 +91,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -120,7 +122,7 @@
- IN-BANDWIDTH -
+ IN-BANDWIDTH (in_bandwidth) -
bandwidth[:burst]
@@ -147,7 +149,7 @@
- OUT-BANDWIDTH -
+ OUT-BANDWIDTH (out_bandwidth) -
bandwidth
@@ -178,7 +180,8 @@
- REDIRECTED INTERFACES -
+ REDIRECTED INTERFACES
+ (redirect)-
[interface[,interface]...]
diff --git a/manpages/shorewall-tcfilters.xml b/manpages/shorewall-tcfilters.xml
index dbdd9bab6..9bcf9c6fa 100644
--- a/manpages/shorewall-tcfilters.xml
+++ b/manpages/shorewall-tcfilters.xml
@@ -57,7 +57,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -112,25 +114,24 @@
- DEST PORT (Optional) -
- [DEST PORT (dport) - [-|port-name-or-number]
- Destination Ports. A Port name (from services(5)) or a
- port number; if the protocol is Optional destination Ports. A Port name (from services(5)) or
+ a port number; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s).
- SOURCE PORT (Optional) -
+ SOURCE PORT (sport) -
[-|port-name-or-number]
- Source port.
+ Optional source port.
@@ -179,12 +180,12 @@
- LENGTH (Optional) - [LENGTH - [-|number]
- Must be a power of 2 between 32 and 8192 inclusive. Packets
- with a total length that is strictly less than the specified
+ Optional - Must be a power of 2 between 32 and 8192 inclusive.
+ Packets with a total length that is strictly less than the specified
number will match the rule.
diff --git a/manpages/shorewall-tcinterfaces.xml b/manpages/shorewall-tcinterfaces.xml
index bca5ebfdf..52036fc3b 100644
--- a/manpages/shorewall-tcinterfaces.xml
+++ b/manpages/shorewall-tcinterfaces.xml
@@ -104,7 +104,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -139,7 +141,7 @@
- IN-BANDWIDTH -
+ IN-BANDWIDTH (in_bandwidth) -
[rate[:burst]]
@@ -169,7 +171,7 @@
- OUT-BANDWIDTH -
+ OUT-BANDWIDTH (out_bandwidth) -
[rate[:[burst][:[latency][:[peek][:[minburst]]]]]]
@@ -203,12 +205,13 @@
url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txtshorewall(8), shorewall-accounting(5), shorewall-actions(5),
- shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
- shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
- shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
- shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
- shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
- shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
- shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+ shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 8e3d0246a..fed77c4a3 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -38,11 +38,13 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
- MARK/CLASSIFY -
+ MARK/CLASSIFY (mark) -
mark
@@ -550,14 +552,14 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- PORT(S) (Optional) - [PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port
- ranges; if the protocol is Optional destination Ports. A comma-separated list of Port
+ names (from services(5)), port numbers or
+ port ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -577,15 +579,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- SOURCE PORT(S) (Optional) -
+ SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
- Source port(s). If omitted, any source port is acceptable.
- Specified as a comma-separated list of port names, port numbers or
- port ranges.
+ Optional source port(s). If omitted, any source port is
+ acceptable. Specified as a comma-separated list of port names, port
+ numbers or port ranges.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
@@ -594,14 +596,14 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- USER (Optional) - [USER - [!][user-name-or-number][:group-name-or-number][+program-name]
- This column may only be non-empty if the SOURCE is the
- firewall itself.
+ This optional column may only be non-empty if the SOURCE is
+ the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
@@ -654,13 +656,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- TEST (Optional) - [TEST - [!]value[/mask][:C]
- Defines a test on the existing packet or connection mark. The
- rule will match only if the test returns true.
+ Optional - Defines a test on the existing packet or connection
+ mark. The rule will match only if the test returns true.If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.
@@ -703,15 +705,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- LENGTH (Optional) -
+ LENGTH -
[length|[min]:[max]]
- Packet Length. This field, if present allow you to match the
- length of a packet against a specific value or range of values. You
- must have iptables length support for this to work. A range is
- specified in the form
+ Optional - packet Length. This field, if present allow you to
+ match the length of a packet against a specific value or range of
+ values. You must have iptables length support for this to work. A
+ range is specified in the form
min:max where either
min or max (but not both)
may be omitted. If min is omitted, then 0 is
@@ -721,7 +723,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- TOS (Optional) -
+ TOS -
tos
@@ -737,7 +739,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- CONNBYTES (Optional) -
+ CONNBYTES -
[!]min:[max[:{O|R|B}[:{
role="bold">A}]]]
- Connection Bytes; defines a byte or packet range that the
- connection must fall within in order for the rule to match.
+ Optional connection Bytes; defines a byte or packet range that
+ the connection must fall within in order for the rule to
+ match.A packet matches if the the packet/byte count is within the
range defined by min and
@@ -784,7 +787,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- HELPER (Optional) -
+ HELPER -
helper
diff --git a/manpages/shorewall-tos.xml b/manpages/shorewall-tos.xml
index 98c6145ad..a137f46ca 100644
--- a/manpages/shorewall-tos.xml
+++ b/manpages/shorewall-tos.xml
@@ -25,7 +25,9 @@
This file defines rules for setting Type Of Service (TOS)
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -59,7 +61,7 @@
- PROTOCOL -
+ PROTOCOL (proto) -
proto-name-or-number
@@ -68,7 +70,7 @@
- SOURCE PORT(S) -
+ SOURCE PORT(S) (sport) -
{-|port|lowport:highport}
@@ -78,7 +80,7 @@
- DEST PORT(S) -
+ DEST PORT(S) (dport) -
{-|port|lowport:highport}
diff --git a/manpages/shorewall-tunnels.xml b/manpages/shorewall-tunnels.xml
index 90205ceff..bcd5954c0 100644
--- a/manpages/shorewall-tunnels.xml
+++ b/manpages/shorewall-tunnels.xml
@@ -144,16 +144,17 @@
- GATEWAY ZONES (Optional) -
+ GATEWAY ZONES (gateway_zone) -
[zone[,zone]...]
- If the gateway system specified in the third column is a
- standalone host then this column should contain a comma-separated
- list of the names of the zones that the host might be in. This
- column only applies to IPSEC tunnels where it enables ISAKMP traffic
- to flow through the tunnel to the remote gateway.
+ Optional. If the gateway system specified in the third column
+ is a standalone host then this column should contain a
+ comma-separated list of the names of the zones that the host might
+ be in. This column only applies to IPSEC tunnels where it enables
+ ISAKMP traffic to flow through the tunnel to the remote
+ gateway.
diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml
index d9e88bf05..cdfd2d7c1 100644
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@@ -28,7 +28,9 @@
/etc/shorewall/interfaces or
/etc/shorewall/hosts.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -191,7 +193,8 @@ c:a,b ipv4
OPTIONS, IN OPTIONS and OUT
- OPTIONS - [option[ (options, in_options, out_options) -
+ [option[,option]...]
diff --git a/manpages6/shorewall6-accounting.xml b/manpages6/shorewall6-accounting.xml
index b8d11818b..981566877 100644
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@@ -165,7 +165,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -285,7 +287,7 @@
- DESTINATION - {DESTINATION (dest) - {-|any|all|interface|interfaceaddress|address}
@@ -299,7 +301,7 @@
- PROTOCOL - {PROTOCOL (proto) - {-|any|all|protocol-name|protocol-number|
- DEST PORT(S) - {-|DEST PORT(S) (dport) -
+ {-|any|all|ipp2p-option|port-name-or-number[,port-name-or-number]...}
@@ -342,8 +344,8 @@
- SOURCE PORT(S) - {-|SOURCE PORT(S) (sport) -
+ {-|any|all|port-name-or-number[,port-name-or-number]...}
@@ -359,7 +361,7 @@
- USER/GROUP - [USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number][+program-name]
diff --git a/manpages6/shorewall6-blacklist.xml b/manpages6/shorewall6-blacklist.xml
index 445baf54c..d5c8a70d5 100644
--- a/manpages6/shorewall6-blacklist.xml
+++ b/manpages6/shorewall6-blacklist.xml
@@ -26,7 +26,9 @@
The blacklist file is used to perform static blacklisting. You can
blacklist by source address (IP or MAC), or by application.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -55,18 +57,17 @@
- PROTOCOL (Optional) -
- {PROTOCOL (proto) - {-|protocol-number|protocol-name}
- If specified, must be a protocol number or a protocol name
- from protocols(5).
+ Optional - if specified, must be a protocol number or a
+ protocol name from protocols(5).
- PORTS (Optional) - {PORTS (port) - {-|port-name-or-number[,port-name-or-number]...}
@@ -77,12 +78,11 @@
- OPTIONS (Optional - Added in 4.4.12) -
- {-|{dst|src|whitelist|audit}[,...]}
+ OPTIONS - {-|{dst|src|whitelist|audit}[,...]}
- If specified, indicates whether traffic
- from ADDRESS/SUBNET (Optional - added in 4.4.12. If specified, indicates whether
+ traffic from ADDRESS/SUBNET (src) or traffic to
ADDRESS/SUBNET (dst) should be
blacklisted. The default is src. If
diff --git a/manpages6/shorewall6-hosts.xml b/manpages6/shorewall6-hosts.xml
index cf71d1861..9379f439b 100644
--- a/manpages6/shorewall6-hosts.xml
+++ b/manpages6/shorewall6-hosts.xml
@@ -44,7 +44,9 @@
pair.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -59,7 +61,7 @@
- HOST(S) -
+ HOST(S) (hosts)-
interface:{[{address-or-range[,address-or-range]...|+ipset}[exclusion]
@@ -109,13 +111,13 @@
- OPTIONS (Optional) - [option[OPTIONS - [option[,option]...]
- A comma-separated list of options from the following list. The
- order in which you list the options is not significant but the list
- must have no embedded white space.
+ An optional comma-separated list of options from the following
+ list. The order in which you list the options is not significant but
+ the list must have no embedded white space.
diff --git a/manpages6/shorewall6-netmap.xml b/manpages6/shorewall6-netmap.xml
index e64a422e3..f22e170c8 100644
--- a/manpages6/shorewall6-netmap.xml
+++ b/manpages6/shorewall6-netmap.xml
@@ -32,7 +32,9 @@
table support included.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -113,13 +115,13 @@
- NET3 (Optional) -
+ NET3 -
network-address
- Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
- It specifies a SOURCE network for DNAT rules and a DESTINATON
- network for SNAT rules.
+ Optional - added in Shorewall 4.4.11. If specified, qualifies
+ INTERFACE. It specifies a SOURCE network for DNAT rules and a
+ DESTINATON network for SNAT rules.
@@ -134,13 +136,13 @@
- DEST PORT(S) -
+ DEST PORT(S) (dport) -
port-number-or-name-list
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port
- ranges; if the protocol is Destination Ports. An optional comma-separated list of Port
+ names (from services(5)), port numbers or
+ port ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -160,13 +162,13 @@
- DEST PORT(S) -
+ SOURCE PORT(S) (sport) -
port-number-or-name-list
- Source port(s). If omitted, any source port is acceptable.
- Specified as a comma-separated list of port names, port numbers or
- port ranges.
+ Optional source port(s). If omitted, any source port is
+ acceptable. Specified as a comma-separated list of port names, port
+ numbers or port ranges.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
diff --git a/manpages6/shorewall6-notrack.xml b/manpages6/shorewall6-notrack.xml
index 8330880b2..c3e90ab2f 100644
--- a/manpages6/shorewall6-notrack.xml
+++ b/manpages6/shorewall6-notrack.xml
@@ -27,7 +27,9 @@
connection tracking. Traffic matching entries in this file will not be
tracked.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -84,7 +86,7 @@
- DEST PORT(S) - port-number/service-name-list
+ DEST PORT(S) (dport) - port-number/service-name-listA comma-separated list of port numbers and/or service names
@@ -96,7 +98,7 @@
- SOURCE PORT(S) - port-number/service-name-list
+ SOURCE PORT(S) (sport) - port-number/service-name-listA comma-separated list of port numbers and/or service names
@@ -108,7 +110,7 @@
- USER/GROUP ‒
+ USER/GROUP (user) ‒
[user][:group]
diff --git a/manpages6/shorewall6-policy.xml b/manpages6/shorewall6-policy.xml
index 921cfeef5..f74877fa1 100644
--- a/manpages6/shorewall6-policy.xml
+++ b/manpages6/shorewall6-policy.xml
@@ -51,7 +51,9 @@
in this file.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -204,14 +206,14 @@
- LOG LEVEL (Optional) -
+ LOG LEVEL (loglevel) -
[log-level|NFLOG]
- If supplied, each connection handled under the default POLICY
- is logged at that level. If not supplied, no log message is
- generated. See syslog.conf(5) for a description of log
+ Optional - if supplied, each connection handled under the
+ default POLICY is logged at that level. If not supplied, no log
+ message is generated. See syslog.conf(5) for a description of log
levels.You may also specify NFLOG (must be in upper case). This will
@@ -225,7 +227,7 @@
- BURST:LIMIT -
+ BURST:LIMIT (limit) -
[{s|d}:[[name]:]]]rate/{
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -43,27 +45,27 @@
- HOST(S) (Optional) - [HOST(S) - [-|address[,address]...]
- Comma-separated list of IP/subnet addresses. If your kernel
- and ip6tables include iprange match support, IP address ranges are
- also allowed.
+ Optional comma-separated list of IP/subnet addresses. If your
+ kernel and ip6tables include iprange match support, IP address
+ ranges are also allowed.If left empty or supplied as "-", 0.0.0.0/0 is assumed.
- OPTIONS (Optional) - [OPTIONS - [-|option[,option]...]
- A comma-separated list of options. The order of the options is
- not important but the list can contain no embedded whitespace. The
- currently-supported options are:
+ An optional comma-separated list of options. The order of the
+ options is not important but the list can contain no embedded
+ whitespace. The currently-supported options are:
diff --git a/manpages6/shorewall6-rules.xml b/manpages6/shorewall6-rules.xml
index 63ee540db..ce9ecbc85 100644
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@@ -109,7 +109,9 @@
appear in the file then all rules are assumed to be in the NEW
section.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -661,7 +663,7 @@
- PROTO (Optional) - {PROTO - {-|tcp:syn|ipp2p|all}
- Protocol - ipp2p* requires
- ipp2p match support in your kernel and ip6tables. Optional protocol - ipp2p*
+ requires ipp2p match support in your kernel and ip6tables. tcp:syn implies tcp plus the SYN flag must be set and the
RST,ACK and FIN flags must be reset.
@@ -683,18 +685,18 @@
- DEST PORT(S) (Optional) -
+ DEST PORT(S) (dport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port ranges; if the protocol is
- icmp, this column is interpreted as
- the destination icmp-type(s). ICMP types may be specified as a
- numeric type, a numberic type and code separated by a slash (e.g.,
- 3/4), or a typename. See Optional destination Ports. A comma-separated list of Port
+ names (from services(5)), port numbers or port ranges; if the
+ protocol is icmp, this column is
+ interpreted as the destination icmp-type(s). ICMP types may be
+ specified as a numeric type, a numberic type and code separated by a
+ slash (e.g., 3/4), or a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.
Note that prior to Shorewall6 4.4.19, only a single ICMP type may be
listsed.
@@ -726,13 +728,13 @@
- SOURCE PORT(S) (Optional) -
+ SOURCE PORT(S) (sport) -
{-|port-name-number-or-range[,port-name-number-or-range]...}
- Port(s) used by the client. If omitted, any source port is
+ Optional source port(s). If omitted, any source port is
acceptable. Specified as a comma- separated list of port names, port
numbers or port ranges.
@@ -760,7 +762,7 @@
- ORIGINAL DEST (Optional) -
+ ORIGINAL DEST (origdest) -
[-]
@@ -770,8 +772,8 @@
- RATE LIMIT (Optional) -
- [-|[{s|RATE LIMIT (rate) - [-|[{s|d}:[[name]:]]]rate/{sec|day}[:burst]
- You may rate-limit the rule by placing a value in this
- column:
+ You may optionally rate-limit the rule by placing a value in
+ this column:rate is the number of connections per
interval (sec or
- USER/GROUP (Optional) -
- [USER/GROUP (user) - [!][user-name-or-number][:group-name-or-number]
- This column may only be non-empty if the SOURCE is the
- firewall itself.
+ This optional column may only be non-empty if the SOURCE is
+ the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml
index 1281dd4bc..00f05721c 100644
--- a/manpages6/shorewall6-secmarks.xml
+++ b/manpages6/shorewall6-secmarks.xml
@@ -34,7 +34,9 @@
The secmarks file is used to associate an SELinux context with
packets. It was added in Shorewall6 version 4.4.13.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -207,14 +209,14 @@
- PORT(S) (Optional) - [PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port
- ranges; if the protocol is Optional destination Ports. A comma-separated list of Port
+ names (from services(5)), port numbers or
+ port ranges; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -234,26 +236,26 @@
- SOURCE PORT(S) (Optional) -
+ SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
- Source port(s). If omitted, any source port is acceptable.
- Specified as a comma-separated list of port names, port numbers or
- port ranges.
+ Optional source port(s). If omitted, any source port is
+ acceptable. Specified as a comma-separated list of port names, port
+ numbers or port ranges.
- USER (Optional) - [USER - [!][user-name-or-number][:group-name-or-number]
- This column may only be non-empty if the SOURCE is the
- firewall itself.
+ This optional column may only be non-empty if the SOURCE is
+ the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
diff --git a/manpages6/shorewall6-tcdevices.xml b/manpages6/shorewall6-tcdevices.xml
index 93751f9d9..0886de6e5 100644
--- a/manpages6/shorewall6-tcdevices.xml
+++ b/manpages6/shorewall6-tcdevices.xml
@@ -91,7 +91,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -121,7 +123,8 @@
- IN-BANDWIDTH - IN-BANDWIDTH (in_bandwidth) -
+ bandwidth[:burst]
@@ -148,7 +151,7 @@
- OUT-BANDWIDTH -
+ OUT-BANDWIDTH (out_bandwidth) -
bandwidth
@@ -179,7 +182,8 @@
- REDIRECTED INTERFACES -
+ REDIRECTED INTERFACES
+ (redirect) -
[interface[,interface]...]
@@ -229,8 +233,8 @@
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
- shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
- shorewall6-providers(5), shorewall6-route_rules(5),
+ shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+ shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
diff --git a/manpages6/shorewall6-tcfilters.xml b/manpages6/shorewall6-tcfilters.xml
index 6c67d4078..f595d859b 100644
--- a/manpages6/shorewall6-tcfilters.xml
+++ b/manpages6/shorewall6-tcfilters.xml
@@ -57,7 +57,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -108,34 +110,33 @@
- DEST PORT (Optional) -
- [DEST PORT (dport) - [-|port-name-or-number]
- Destination Ports. A Port name (from services(5)) or a
- port number; if the protocol is Optional destination Ports. A Port name (from services(5)) or
+ a port number; if the protocol is icmp, this column is interpreted as the
destination icmp-type(s).
- SOURCE PORT (Optional) -
+ SOURCE PORT (sport) -
[-|port-name-or-number]
- Source port.
+ Optional source port.
- TOS (Optional) - [TOS - [-|tos]
- Specifies the value of the TOS field. The
+ Optional - specifies the value of the TOS field. The
tos value can be any of the
following:
@@ -175,12 +176,12 @@
- LENGTH (Optional) - [LENGTH - [-|number]
- Must be a power of 2 between 32 and 8192 inclusive. Packets
- with a total length that is strictly less than the specified
+ Optional. Must be a power of 2 between 32 and 8192 inclusive.
+ Packets with a total length that is strictly less than the specified
number will match the rule.
diff --git a/manpages6/shorewall6-tcinterfaces.xml b/manpages6/shorewall6-tcinterfaces.xml
index 1992ac20d..27525de7b 100644
--- a/manpages6/shorewall6-tcinterfaces.xml
+++ b/manpages6/shorewall6-tcinterfaces.xml
@@ -104,7 +104,9 @@
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -139,7 +141,7 @@
- IN-BANDWIDTH -
+ IN-BANDWIDTH (in_bandwidth) -
[rate[:burst]]
@@ -169,7 +171,7 @@
- OUT-BANDWIDTH -
+ OUT-BANDWIDTH (out_bandwidth) -
[rate[:[burst][:[latency][:[peek][:[minburst]]]]]]
@@ -204,10 +206,10 @@
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
- shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
- shorewall6-route_rules(5), shorewall6-routestopped(5),
- shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
- shorewall6-tcpri, shorewall6-tos(5), shorewall6-tunnels(5),
- shorewall6-zones(5)
+ shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+ shorewall6-providers(5), shorewall6-route_rules(5),
+ shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+ shorewall6-secmarks(5), shorewall6-tcpri, shorewall6-tos(5),
+ shorewall6-tunnels(5), shorewall6-zones(5)
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index 4b0cd86cf..f81e859a3 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -38,7 +38,9 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -421,14 +423,14 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- PORT(S) (Optional) - [PORT(S) (dport) - [-|port-name-number-or-range[,port-name-number-or-range]...]
- Destination Ports. A comma-separated list of Port names (from
- services(5)), port numbers or port
- ranges; if the protocol is Optional destination Ports. A comma-separated list of Port
+ names (from services(5)), port numbers or
+ port ranges; if the protocol is ipv6-icmp, this column is interpreted as the
destination icmp-type(s). ICMP types may be specified as a numeric
type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -448,15 +450,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- SOURCE PORT(S) (Optional) -
+ SOURCE PORT(S) (sport) -
[-|port-name-number-or-range[,port-name-number-or-range]...]
- Source port(s). If omitted, any source port is acceptable.
- Specified as a comma-separated list of port names, port numbers or
- port ranges.
+ Optional source port(s). If omitted, any source port is
+ acceptable. Specified as a comma-separated list of port names, port
+ numbers or port ranges.An entry in this field requires that the PROTO column specify
tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
@@ -465,13 +467,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- USER (Optional) - [USER - [!][user-name-or-number][:group-name-or-number]
- This column may only be non-empty if the SOURCE is the
- firewall itself.
+ This optional column may only be non-empty if the SOURCE is
+ the firewall itself.When this column is non-empty, the rule applies only if the
program generating the output is running under the effective
@@ -511,13 +513,13 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- TEST(Optional) - [TEST - [!]value[/mask][:C]
- Defines a test on the existing packet or connection mark. The
- rule will match only if the test returns true.
+ Optional. Defines a test on the existing packet or connection
+ mark. The rule will match only if the test returns true.If you don't want to define a test but need to specify
anything in the following columns, place a "-" in this field.
@@ -560,15 +562,15 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- LENGTH (Optional) -
+ LENGTH -
[length|[min]:[max]]
- Packet Length. This field, if present allow you to match the
- length of a packet against a specific value or range of values. You
- must have ip6tables length support for this to work. A range is
- specified in the form
+ Optional packet Length. This field, if present allow you to
+ match the length of a packet against a specific value or range of
+ values. You must have ip6tables length support for this to work. A
+ range is specified in the form
min:max where either
min or max (but not both)
may be omitted. If min is omitted, then 0 is
@@ -594,7 +596,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- CONNBYTES (Optional) -
+ CONNBYTES -
[!]min:[max[:{O|R|B}[:{
role="bold">A}]]]
- Connection Bytes; defines a byte or packet range that the
- connection must fall within in order for the rule to match.
+ Optional connection Bytes; defines a byte or packet range that
+ the connection must fall within in order for the rule to
+ match.A packet matches if the the packet/byte count is within the
range defined by min and
@@ -641,17 +644,17 @@ SAME $FW 0.0.0.0/0 tcp 80,443
- HELPER (Optional) -
+ HELPER -
helper
- Names a Netfiler protocol helper module
- such as , ,
- , etc. A packet will match if it was accepted
- by the named helper module. You can also append "-" and a port
- number to the helper module name (e.g., ftp-21) to specify the port number that the
- original connection was made on.
+ Optional. Names a Netfiler protocol
+ helper module such as ,
+ , , etc. A packet will
+ match if it was accepted by the named helper module. You can also
+ append "-" and a port number to the helper module name (e.g.,
+ ftp-21) to specify the port number
+ that the original connection was made on.Example: Mark all FTP data connections with mark
4:#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
diff --git a/manpages6/shorewall6-tunnels.xml b/manpages6/shorewall6-tunnels.xml
index 64579d0c5..1744aab6f 100644
--- a/manpages6/shorewall6-tunnels.xml
+++ b/manpages6/shorewall6-tunnels.xml
@@ -30,7 +30,9 @@
url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html
for details.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -131,16 +133,17 @@
- GATEWAY ZONES (Optional) -
+ GATEWAY ZONES (gateway_zone) -
[zone[,zone]...]
- If the gateway system specified in the third column is a
- standalone host then this column should contain a comma-separated
- list of the names of the zones that the host might be in. This
- column only applies to IPSEC tunnels where it enables ISAKMP traffic
- to flow through the tunnel to the remote gateway.
+ Optional. If the gateway system specified in the third column
+ is a standalone host then this column should contain a
+ comma-separated list of the names of the zones that the host might
+ be in. This column only applies to IPSEC tunnels where it enables
+ ISAKMP traffic to flow through the tunnel to the remote
+ gateway.
diff --git a/manpages6/shorewall6-zones.xml b/manpages6/shorewall6-zones.xml
index 573cf465a..d41e5f6fd 100644
--- a/manpages6/shorewall6-zones.xml
+++ b/manpages6/shorewall6-zones.xml
@@ -28,7 +28,9 @@
/etc/shorewall6/interfaces or
/etc/shorewall6/hosts.
- The columns in the file are as follows.
+ The columns in the file are as follows (where the column name is
+ followed by a different name in parentheses, the different name is used in
+ the alternate specification syntax).
@@ -189,7 +191,8 @@ c:a,b ipv6
OPTIONS, IN OPTIONS and OUT
- OPTIONS - [option[ (options, in_options, out_options) -
+ [option[,option]...]