Doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6654 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-04-13 22:08:20 +02:00 · 2007-06-23 17:08:26 +00:00 · 2007-06-23 17:08:26 +00:00 · 1d59d1ce26
commit 1d59d1ce26
parent 582e802efc
4 changed files with 103 additions and 51 deletions
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@ -401,6 +401,32 @@ Reject:REJECT   #Default Action for REJECT policy</programlisting>
          2.6.14).</member>
        </simplelist>
      </listitem>
      <listitem>
        <para>MARK (Added in Shorewall 3.4.4)</para>
        <para><simplelist>
            <member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
          </simplelist></para>
        <para>Defines a test on the existing packet or connection mark. The
        rule will match only if the test returns true.</para>
        <para>If you don’t want to define a test but need to specify anything
        in the following columns, place a "-" in this field.<simplelist>
            <member> ! — Inverts the test (not equal)</member>
            <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
            or connection mark.</member>
            <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied to
            the mark before testing.</member>
            <member>:C — Designates a connection mark. If omitted, the packet
            mark’s value is tested. This option is only supported by
            Shorewall-perl</member>
          </simplelist></para>
      </listitem>
    </itemizedlist>
    <para>Omitted column entries should be entered using a dash ("-").</para>
--- a/docs/Shorewall-4.xml
+++ b/docs/Shorewall-4.xml
@ -141,6 +141,10 @@
      <listitem>
        <para>Perl File::Temp Module</para>
      </listitem>
      <listitem>
        <para>Perl Getopt::Long Module</para>
      </listitem>
    </itemizedlist>
  </section>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@ -38,10 +38,10 @@
    <title>Shorewall-perl - What is it?</title>
    <para>Shorewall-perl is a companion product to Shorewall. It requires
-    Shorewall 3.4.2 or later.</para>
+    Shorewall 3.4.2 or later (Shorewall 3.4.4 or later recommended).</para>
    <para>Shorewall-perl contains a re-implementation of the Shorewall
-    compiler written in Perl. The advantages of using Shorewall-perl are over
+    compiler written in Perl. The advantages of using Shorewall-perl over
    Shorewall-shell (the shell-based compiler included in earlier Shorewall
    3.x releases) are:</para>
@ -119,7 +119,9 @@
          <listitem>
            <para>BRIDGING=Yes is not supported. The kernel code necessary to
-            support this option was removed in Linux kernel 2.6.20.</para>
+            support this option was removed in Linux kernel 2.6.20. <ulink
            url="bridge-Shorewall-perl.html">Alternative bridge
            support</ulink> is provided by Shorewall-perl.</para>
          </listitem>
          <listitem>
@ -129,16 +131,6 @@
            addrtype match requirement is relaxed.</para>
          </listitem>
          <listitem>
            <para>Because the compiler is now written in Perl, your
            compile-time extension scripts from earlier versions will no
            longer work. For now, if you want to use extension scripts, you
            will need to read the Perl code to see how the compiler operates
            internally. I will produce documentation before the first official
            release. Compile-time extension scripts are executed using the
            Perl 'do FILE' mechanism.</para>
          </listitem>
          <listitem>
            <para>The 'refresh' command is now synonymous with
            'restart'.</para>
@ -207,20 +199,21 @@
              <listitem>
                <para>There is only a single "pass as-is to iptables" argument
-                (so you must quote that par</para>
+                (so you must quote that part).</para>
              </listitem>
            </itemizedlist>
            <para>Example:</para>
-            <programlisting>    log_rule_limit
+            <programlisting>    log_rule_limit(
                   'info' , 
                   $chainref , 
                   $chainref-&gt;{name},
                   'DROP' , 
                   '',        #Limit
                   '' ,       #Log tag
-              'add';         </programlisting>
+                   'add',     #Command
                   '-p tcp'); #Added 'as-is' to the generated rule</programlisting>
          </listitem>
          <listitem>
@ -254,13 +247,14 @@
          </listitem>
          <listitem>
-            <para>Currently, support for ipsets is untested. That will change
+            <para>Currently, support for ipsets is only lightly tested (any
-            with future pre-releases but one thing is certain -- Shorewall is
+            volunteers?). That will change with future pre-releases but one
-            now out of the ipset load/reload business. With scripts generated
+            thing is certain -- Shorewall is now out of the ipset load/reload
-            by the Perl-based Compiler, the Netfilter ruleset is never
+            business. With scripts generated by the Perl-based Compiler, the
-            cleared. That means that there is no opportunity for Shorewall to
+            Netfilter ruleset is never cleared. That means that there is no
-            load/reload your ipsets since that cannot be done while there are
+            opportunity for Shorewall to load/reload your ipsets since that
-            any current rules using ipsets.</para>
+            cannot be done while there are any current rules using
            ipsets.</para>
            <para>So:</para>
@ -311,9 +305,10 @@ fi</programlisting>
            the Shorewall-perl compiler rather than by the shell, only the
            basic forms of Shell expansion ($variable and ${variable}) are
            supported. The more exotic forms such as ${variable:=default} are
-            not supported. Both variables defined in /etc/shorewall/params and
+            not supported. Both variables defined in
-            environmental variables (exported by the shell) can be used in
+            <filename>/etc/shorewall/params</filename> and environmental
-            configuration files.</para>
+            variables (exported by the shell) can be used in configuration
            files.</para>
          </listitem>
          <listitem>
@ -324,8 +319,8 @@ fi</programlisting>
          <listitem>
            <para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset
-            is atomically loaded with one execution of
+            (with the exception of the dynamic blacklist) is atomically loaded
-            <command>iptables-restore</command>.</para>
+            with one execution of <command>iptables-restore</command>.</para>
          </listitem>
          <listitem>
@ -347,7 +342,7 @@ fi</programlisting>
          <listitem>
            <para>Shorewall-perl has a single rule generator that is used for
-            all rule-oriented files. So it is important that the syntax is
+            all rule-oriented files. So it is important that the syntax be
            consistent between files.</para>
            <para>With shorewall-shell, there is a special syntax in the
@ -393,6 +388,10 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
      <listitem>
        <para>Perl File::Temp Module</para>
      </listitem>
      <listitem>
        <para>Perl Getopts::Long Module</para>
      </listitem>
    </itemizedlist>
  </section>
@ -407,24 +406,26 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
    <para>Either</para>
-    <programlisting><command>tar -jxf shorewall-perl-3.9.x.tar.bz2</command>
+    <programlisting><command>tar -jxf shorewall-perl-4.0.0-Betax.tar.bz2</command>
-<command>cd shorewall-perl-3.9.x</command>
+<command>cd shorewall-perl-4.0.0-Betax</command>
 <command>./install.sh</command></programlisting>
    <para>or</para>
-    <programlisting><command>rpm -ivh shorewall-pl-3.9.x-1.noarch.rpm</command></programlisting>
+    <programlisting><command>rpm -ivh shorewall-pl-4.0.0-0Betax.noarch.rpm</command></programlisting>
-    <para>Note that you can also install the Shorewall 3.9.x version of
+    <para>Note that you can also install the current Shorewall 4.0.0 Beta
-    Shorewall. If you do that and still want access to the legacy shell-based
+    version of Shorewall. If you do that and still want access to the legacy
-    compiler, you must also install the Shorewall-shell package.</para>
+    shell-based compiler, you must also install the Shorewall-shell
    package.</para>
  </section>
  <section>
    <title>Using Shorewall-perl</title>
    <section>
-      <title>Using Shorewall-perl under Shorewall 3.4.x</title>
+      <title>Using Shorewall-perl under Shorewall 3.4.2 and Shorewall
      3.4.3</title>
      <para>By default, the Shorewall-shell compiler will be used.</para>
@ -435,10 +436,7 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
      <para>If you add this setting to
      <filename>/etc/shorewall/shorewall.conf</filename> then by default, the
-      new compiler will be used on the system. If you add it to
+      new compiler will be used on the system.</para>
      <filename>shorewall.conf</filename> in a separate directory (such as a
      Shorewall-lite export directory) then the new compiler will only be used
      when you compile from that directory.</para>
      <para>Regardless of the setting of SHOREWALL_COMPILER, there is one
      change in Shorewall operation that is triggered simply by installing
@ -451,7 +449,8 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
    </section>
    <section>
-      <title>Using Shorewall-perl under Shorewall 3.9.x</title>
+      <title>Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and
      later.</title>
      <para>If you only install one compiler, then that compiler will be
      used.</para>
@ -468,12 +467,13 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
      new compiler will be used on the system. If you add it to
      <filename>shorewall.conf</filename> in a separate directory (such as a
      Shorewall-lite export directory) then the new compiler will only be used
-      when you compile from that directory.</para>
+      when you compile from that directory (4.0.0 Beta6 and later
      only).</para>
      <para>If you only install one compiler, it is suggested that you do not
      set SHOREWALL_COMPILER.</para>
-      <para>If you install Shorewall-perl under Shorewall 3.9.2 or later, you
+      <para>If you install Shorewall-perl under Shorewall 3.4.4 or later, you
      can select the compiler to use on the command line using the 'C
      option:<simplelist>
          <member>'-C shell' means use the shell compiler</member>
--- a/docs/fallback.xml
+++ b/docs/fallback.xml
@ -43,7 +43,7 @@
    <itemizedlist>
      <listitem>
-        <para>cd to the distribution directory for the version of Seattle
+        <para>cd to the distribution directory for the version of Shoreline
        Firewall that you are currently running (NOT the version that you want
        to fall back to).</para>
      </listitem>
@ -91,4 +91,26 @@
    <para>If you installed using an rpm, at a root shell prompt type
    <quote>rpm -e shorewall</quote>.</para>
  </section>
  <section>
    <title>Shorewall-shell and Shorewall-perl</title>
    <para>Shorewall-shell and Shoreall-perl have no configuration files and
    all of their released files are installed in a single directory. To
    fallback to a prior release of one of these products using the tarballs,
    simple re-install the older version. </para>
    <para>To uninstal these products when they have been installed using the
    tarballs:</para>
    <itemizedlist>
      <listitem>
        <para>rm -rf /usr/share/shorewall-shell</para>
      </listitem>
      <listitem>
        <para>rm -rf /usr/share/shorewall-perl</para>
      </listitem>
    </itemizedlist>
  </section>
 </article>