From 17eae4adeea4628520d461a9d22052d1882e8f53 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 22 Jan 2013 09:11:15 -0800
Subject: [PATCH] Update the description of BLACKLISTNEWONLY to match the
 implementation.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/manpages/shorewall.conf.xml   |  9 +++++----
 Shorewall6/manpages/shorewall6.conf.xml | 10 +++++++---
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 4a0383ab5..efaee8096 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -424,10 +424,11 @@
         <listitem>
           <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis>, blacklists are only consulted for new
-          connections. That includes entries in the <ulink
-          url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
-          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
-          (5).</para>
+          connections and for packets in the INVALID connection state (such as
+          TCP SYN,ACK when there has been no corresponding SYN). That includes
+          entries in the <ulink url="???">shorewall-blrules</ulink> (5) file
+          and in the BLACKLIST section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>
 
           <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
           role="bold">no</emphasis>, blacklists are consulted for every packet
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 13c93621e..a0a044ef1 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -356,9 +356,13 @@
         <listitem>
           <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis>, blacklists are only consulted for new
-          connections. This includes entries in the <ulink
-          url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
-          section of <ulink
+          connections, for packets in the INVALID connection state (such as a
+          TCP SYN,ACK when there has been no corresponding SYN), and for
+          packets that are UNTRACKED due to entries in <ulink
+          url="shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
+          This includes entries in the <ulink
+          url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
+          and in the BLACKLIST section of <ulink
           url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>
 
           <para>When set to <emphasis role="bold">No</emphasis> or <emphasis