Patches for Shorewall6 manpage from Thomas D

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-11-10 07:50:28 -08:00
parent c4171a92f6
commit 22ac37b51e

@ -699,7 +699,7 @@
used for debugging. See <ulink
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The nolock <option>option</option> prevents the command from
<para>The <option>nolock</option> option prevents the command from
attempting to acquire the Shorewall6 lockfile. It is useful if you need to
include <command>shorewall6</command> commands in
<filename>/etc/shorewall6/started</filename>.</para>
@ -779,12 +779,13 @@
<para>Compiles the configuration in the specified
<emphasis>directory</emphasis> and discards the compiled output
script. If no <emphasis>directory</emphasis> is given, then
/etc/shorewall6 is assumed.</para>
<filename class="directory">/etc/shorewall6</filename> is
assumed.</para>
<para>The <emphasis role="bold">-e</emphasis> option causes the
<para>The <option>-e</option> option causes the
compiler to look for a file named capabilities. This file is
produced using the command <emphasis role="bold">shorewall6-lite
show -f capabilities &gt; capabilities</emphasis> on a system with
produced using the command <command>shorewall6-lite
show -f capabilities &gt; capabilities</command> on a system with
Shorewall6 Lite installed.</para>
<para>The <option>-d</option> option causes the compiler to be run
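Review bot: the new first paragraph still leaves the file name bare in "look for a file named capabilities" (unchanged context line), while the -e paragraph later in this same hunk series wraps it as <filename>capabilities</filename>; wrap it here too. The "&gt; capabilities" redirection is shell syntax rather than part of the shorewall6-lite invocation, so <command>shorewall6-lite show -f capabilities</command> &gt; <filename>capabilities</filename> would be more accurate markup. Note also that this hunk spells the command "show -f capabilities" whereas the remote-start and remote-restart hunks spell it "show capabilities -f"; the manpage should settle on one order.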
@ -802,8 +803,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
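Review bot: the typo "the line current line" survives on the second new line of this hunk; since the sentence is being rewritten anyway, make it "the current line". The same paragraph is duplicated under check, remote-start, refresh, remote-restart, restart, start and update in this patch, so the fix belongs in every copy.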
@ -838,17 +839,17 @@
compile -- -</command>) to suppress the 'Compiling...' message
normally generated by <filename>/sbin/shorewall6</filename>.</para>
<para>When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option
disables certain configuration options that require the script to be
compiled where it is to be run. The use of -e requires the presence
of a configuration file named <filename>capabilities</filename>
which may be produced using the command <emphasis
role="bold">shorewall6-lite show -f capabilities &gt;
capabilities</emphasis> on a system with Shorewall6 Lite
<para>When <option>-e</option> is specified, the compilation is
being performed on a system other than where the compiled script will
run. This option disables certain configuration options that require
the script to be compiled where it is to be run. The use of
<option>-e</option> requires the presence of a configuration file named
<filename>capabilities</filename> which may be produced using the
command <command>shorewall6-lite show -f capabilities &gt;
capabilities</command> on a system with Shorewall6 Lite
installed.</para>
<para>The <emphasis role="bold">-c</emphasis> option was added in
<para>The <option>-c</option> option was added in
Shorewall 4.5.17 and causes conditional compilation of a script. The
script specified by <replaceable>pathname</replaceable> (or implied
if <emphasis role="bold">pathname</emphasis> is omitted) is compiled
@ -869,8 +870,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
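Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.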
@ -938,13 +939,14 @@
<para>Produces a verbose report about the firewall configuration for
the purpose of problem analysis.</para>
<para>The <emphasis role="bold">-x</emphasis> option causes actual
<para>The <option>-x</option> option causes actual
packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
option causes any MAC addresses included in Shorewall6 log messages
to be displayed.</para>
counts are abbreviated.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes the rule
<para>The <option>-m</option> option causes any MAC addresses
included in Shorewall6 log messages to be displayed.</para>
<para>The <option>-l</option> option causes the rule
number for each Netfilter rule to be displayed.</para>
</listitem>
</varlistentry>
@ -998,8 +1000,9 @@
<term><emphasis role="bold">forget</emphasis></term>
<listitem>
<para>Deletes /var/lib/shorewall6/<emphasis>filename</emphasis> and
/var/lib/shorewall6/save. If no <emphasis>filename</emphasis> is
<para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
</replaceable></filename> and <filename>/var/lib/shorewall6/save
</filename>. If no <emphasis>filename</emphasis> is
given then the file specified by RESTOREFILE in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
assumed.</para>
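Review bot: the line breaks placed inside inline elements on the new lines (<replaceable>filename followed by a newline before </replaceable>, and /var/lib/shorewall6/save followed by a newline before </filename>) render as whitespace, so the paths come out as "filename " and "save " with a trailing space; keep each <filename> element on one source line and break elsewhere. While here, "<emphasis>filename</emphasis>" on the following context line should become <replaceable>filename</replaceable> to match the markup just introduced one line above.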
@ -1059,14 +1062,14 @@
Shorewall6 Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<para>If <option>-s</option> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall6-lite configuration is saved by executing <emphasis
role="bold">shorewall6-lite save</emphasis> via ssh.</para>
remote Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall6-lite show capabilities -f
&gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
<para>if <option>-c</option> is included, the
command <command>shorewall6-lite show capabilities -f
&gt; /var/lib/shorewall6-lite/capabilities</command> is executed
via ssh then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
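Review bot: "if <option>-c</option> is included" starts a sentence with a lowercase "if" on both the old and the new line; capitalize it while the line is being rewritten. The command reads "show capabilities -f" here but "show -f capabilities" in the compile hunk; pick one order for the whole page.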
@ -1079,8 +1082,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
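Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.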
@ -1108,7 +1111,7 @@
<ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
produces an audible alarm when new Shorewall6 messages are logged.
The <emphasis role="bold">-m</emphasis> option causes the MAC
The <option>-m</option> option causes the MAC
address of each packet source to be displayed if that information is
available. The <replaceable>refresh-interval</replaceable> specifies
the time in seconds between screen refreshes. You can enter a
@ -1152,11 +1155,11 @@
performed by <command>refresh</command> with the exception that
<command>refresh</command> only recreates the chains specified in
the command while <command>restart</command> recreates the entire
Netfilter ruleset.When no chain name is given to the <emphasis
role="bold">refresh</emphasis> command, the mangle table is
Netfilter ruleset.When no chain name is given to the
<command>refresh</command> command, the mangle table is
refreshed along with the blacklist chain (if any). This allows you
to modify <filename>/etc/shorewall6/tcrules</filename>and install
the changes using <emphasis role="bold">refresh</emphasis>.</para>
the changes using <command>refresh</command>.</para>
<para>The listed chains are assumed to be in the filter table. You
can refresh chains in other tables by prefixing the chain name with
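Review bot: "Netfilter ruleset.When" (missing space after the period) is carried over unchanged into the new line, and "tcrules</filename>and install" on the context line two below also lacks a space; both are worth fixing in the same hunk.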
@ -1175,8 +1178,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
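Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.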
@ -1186,7 +1189,12 @@
and causes Shorewall to look in the given
<emphasis>directory</emphasis> first for configuration files.</para>
<para>Example:<programlisting><command>shorewall6 refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
<example>
<title>Refresh the 'net-fw' chain in the filter table and the
'net_dnat' chain in the nat table</title>
<programlisting><command>shorewall6 refresh net-fw nat:net_dnat
</command></programlisting>
</example>
</listitem>
</varlistentry>
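Review bot: the chain name in the example changes from "net2fw" to "net-fw", which is a content change rather than a markup change and is not mentioned in the commit message; confirm it is intended (the old comment already disagreed with its own command, naming "net2loc"). Also, the newline before </command> inside the <programlisting> renders as a trailing empty line in the listing; close the tag on the same line as the command.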
@ -1216,14 +1224,14 @@
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">restart</emphasis> command succeeds, then the
remote Shorewall6-lite configuration is saved by executing <emphasis
role="bold">shorewall6-lite save</emphasis> via ssh.</para>
<para>If <option>-s</option> is specified and the
<command>restart</command> command succeeds, then the
remote Shorewall6-lite configuration is saved by executing
<command>shorewall6-lite save</command> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall6-lite show capabilities -f
&gt; /var/lib/shorewall6-lite/capabilities</emphasis> is executed
<para>if <option>-c</option> is included, the
command <command>shorewall6-lite show capabilities -f
&gt; /var/lib/shorewall6-lite/capabilities</command> is executed
via ssh then the generated file is copied to
<emphasis>directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
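Review bot: as in the remote-start hunk, "if <option>-c</option>" should start with a capital "If", and "show capabilities -f" differs from the "show -f capabilities" spelling used under compile; both should be made consistent here.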
@ -1236,8 +1244,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
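Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.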
@ -1261,8 +1269,8 @@
<term><emphasis role="bold">restart</emphasis></term>
<listitem>
<para>Restart is similar to <emphasis role="bold">shorewall6
start</emphasis> except that it assumes that the firewall is already
<para>Restart is similar to <command>shorewall6
start</command> except that it assumes that the firewall is already
started. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command,
Shorewall6 will look in that <emphasis>directory</emphasis> first
@ -1280,7 +1288,8 @@
<para>The <option>-f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
Shorewall, provided that /etc/shorewall6 and its contents have not
Shorewall, provided that <filename class="directory">/etc/shorewall6
</filename> and its contents have not
been modified since the last start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
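Review bot: "simply reused the compiled script" should be "simply reuses"; the hunk rewrites the adjacent line but leaves this verb wrong. The break after /etc/shorewall6 inside <filename class="directory"> renders as a trailing space in the path; keep the element on one line.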
@ -1294,8 +1303,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
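Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.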
@ -1315,12 +1324,12 @@
<term><emphasis role="bold">restore</emphasis></term>
<listitem>
<para>Restore Shorewall6 to a state saved using the <emphasis
role="bold">shorewall6 save</emphasis> command. Existing connections
<para>Restore Shorewall6 to a state saved using the
<command>shorewall6 save</command> command. Existing connections
are maintained. The <emphasis>filename</emphasis> names a restore
file in /var/lib/shorewall6 created using <emphasis
role="bold">shorewall6 save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall6 will be
file in <filename class="directory">/var/lib/shorewall6</filename>
created using <command>shorewall6 save</command>;
if no <emphasis>filename</emphasis> is given then Shorewall6 will be
restored from the file specified by the RESTOREFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
@ -1333,8 +1342,8 @@
</caution>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during <emphasis
role="bold">shorewall6 save</emphasis>, then the counters saved by
If the <option>-C</option> option was specified during
<command>shorewall6 save</command>, then the counters saved by
that operation will be restored.</para>
</listitem>
</varlistentry>
@ -1357,12 +1366,9 @@
<para>If there are files in the CONFIG_PATH that were modified after
the current firewall script was generated, the following warning
message is issued before the script's run command is
executed:</para>
<simplelist>
<member>WARNING: /var/lib/shorewall6/firewall is not up to
date</member>
</simplelist>
executed:
<screen>WARNING: /var/lib/shorewall6/firewall is not up to
date</screen></para>
</listitem>
</varlistentry>
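Review bot: <screen> preserves line breaks, so the warning now renders on two lines ("... is not up to" / "date") whereas the shell prints it on one; put the whole message on a single source line inside <screen>.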
@ -1371,9 +1377,10 @@
<listitem>
<para>Only allowed if Shorewall6 is running. The current
configuration is saved in /var/lib/shorewall6/safe-restart (see the
save command below) then a <emphasis role="bold">shorewall6
restart</emphasis> is done. You will then be prompted asking if you
configuration is saved in <filename>/var/lib/shorewall6/safe-restart
</filename> (see the <emphasis role="bold">save</emphasis>
command below) then a <command>shorewall6 restart</command> is
done. You will then be prompted asking if you
want to accept the new configuration or not. If you answer "n" or if
you fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), the
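Review bot: "safe-restart" followed by a newline before </filename> renders with a trailing space; keep the <filename> element on one line. The save command is referenced as <emphasis role="bold">save</emphasis> while "shorewall6 restart" beside it gets <command>; use <command>save</command> for consistency with the rest of this patch.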
@ -1417,13 +1424,14 @@
<term><emphasis role="bold">save</emphasis></term>
<listitem>
<para>The dynamic blacklist is stored in /var/lib/shorewall6/save.
The state of the firewall is stored in
/var/lib/shorewall6/<emphasis>filename</emphasis> for use by the
<emphasis role="bold">shorewall6 restore</emphasis> and <emphasis
role="bold">shorewall6 -f start</emphasis> commands. If
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
<para>The dynamic blacklist is stored in <filename>
/var/lib/shorewall6/save</filename>.
The state of the firewall is stored in <filename>
/var/lib/shorewall6/<replaceable>filename</replaceable></filename>
for use by the <command>shorewall6 restore</command> and <command>
shorewall6 -f start</command> commands. If <emphasis>filename
</emphasis> is not given then the state is saved in the file
specified by the RESTOREFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
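Review bot: three inline elements on the new lines open or close on a line of their own (<filename> then /var/lib/shorewall6/save on the next line, <command> then shorewall6 -f start on the next line, and <emphasis>filename then </emphasis> on the next line), which renders leading or trailing whitespace inside the path, the command and the placeholder; wrap each element on one source line. "<emphasis>filename</emphasis>" should also be <replaceable>, as used one line earlier.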
@ -1455,7 +1463,7 @@
<listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
along with any chains produced by entries in
shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
shorewall-blrules(5).The <option>-x</option>
option is passed directly through to ip6tables and causes
actual packet and byte counts to be displayed. Without this
option, those counts are abbreviated.</para>
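Review bot: "shorewall-blrules(5).The" lacks a space after the period and the new line keeps it; also check whether this shorewall6 page should reference shorewall6-blrules(5) rather than shorewall-blrules(5), since every other cross-reference on the page points at the manpages6 set.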
@ -1467,9 +1475,9 @@
<listitem>
<para>Displays your kernel/ip6tables capabilities. The
<emphasis role="bold">-f</emphasis> option causes the display
to be formatted as a capabilities file for use with <emphasis
role="bold">compile -e</emphasis>.</para>
<option>-f</option> option causes the display
to be formatted as a capabilities file for use with
<command>shorewall6 compile -e</command>.</para>
</listitem>
</varlistentry>
@ -1479,29 +1487,29 @@
<listitem>
<para>The rules in each <emphasis>chain</emphasis> are
displayed using the <emphasis role="bold">ip6tables
-L</emphasis> <emphasis>chain</emphasis> <emphasis
displayed using the <command>ip6tables
-L</command> <emphasis>chain</emphasis> <emphasis
role="bold">-n -v</emphasis> command. If no
<emphasis>chain</emphasis> is given, all of the chains in the
filter table are displayed. The <emphasis
role="bold">-x</emphasis> option is passed directly through to
ip6tables and causes actual packet and byte counts to be
displayed. Without this option, those counts are abbreviated.
The <emphasis role="bold">-t</emphasis> option specifies the
filter table are displayed. The <option>-x</option> option is
passed directly through to ip6tables and causes actual packet
and byte counts to be displayed. Without this option, those
counts are abbreviated.
The <option>-t</option> option specifies the
Netfilter table to display. The default is <emphasis
role="bold">filter</emphasis>.</para>
<para>The <emphasis role="bold">-b</emphasis> ('brief') option
<para>The <option>-b</option> ('brief') option
causes rules which have not been used (i.e. which have zero
packet and byte counts) to be omitted from the output. Chains
with no rules displayed are also omitted from the
output.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes
<para>The <option>-l</option> option causes
the rule number for each Netfilter rule to be
displayed.</para>
<para>If the <emphasis role="bold">-t</emphasis> option and
<para>If the <option>-t</option> option and
the <option>chain</option> keyword are both omitted and any of
the listed <replaceable>chain</replaceable>s do not exist, a
usage message is displayed.</para>
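Review bot: the invocation is now split across two markup styles: <command>ip6tables -L</command> followed by <emphasis>chain</emphasis> <emphasis role="bold">-n -v</emphasis>. Put the whole command in one element, e.g. <command>ip6tables -L <replaceable>chain</replaceable> -n -v</command>, matching the "ip6tables -t mangle -L -n -v" form this patch uses under show mangle.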
@ -1569,7 +1577,7 @@
<para>Displays the last 20 Shorewall6 messages from the log
file specified by the LOGFILE option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <emphasis role="bold">-m</emphasis> option causes the MAC
The <option>-m</option> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
@ -1589,8 +1597,8 @@
<listitem>
<para>Displays the Netfilter mangle table using the command
<emphasis role="bold">ip6tables -t mangle -L -n
-v</emphasis>.The <emphasis role="bold">-x</emphasis> option
<command>ip6tables -t mangle -L -n
-v</command>.The <option>-x</option> option
is passed directly through to ip6tables and causes actual
packet and byte counts to be displayed. Without this option,
those counts are abbreviated.</para>
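Review bot: "-v</command>.The" still lacks the space after the period on the new line; add it while the line is being rewritten.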
@ -1657,22 +1665,24 @@
only if they are allowed by the firewall rules or policies. If a
<replaceable>directory</replaceable> is included in the command,
Shorewall6 will look in that <emphasis>directory</emphasis> first
for configuration files. If <emphasis role="bold">-f</emphasis> is
for configuration files. If <option>-f</option> is
specified, the saved configuration specified by the RESTOREFILE
option in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
will be restored if that saved configuration exists and has been
modified more recently than the files in /etc/shorewall6. When
<emphasis role="bold">-f</emphasis> is given, a
<replaceable>directory</replaceable> may not be specified.</para>
modified more recently than the files in <filename
class="directory">/etc/shorewall6</filename>. When <option>-f
</option> is given, a <replaceable>directory</replaceable> may
not be specified.</para>
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
was added to <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
When LEGACY_FASTSTART=No, the modification times of files in
/etc/shorewall6 are compared with that of
/var/lib/shorewall6/firewall (the compiled script that last
started/restarted the firewall).</para>
<filename class="directory">/etc/shorewall6</filename> are
compared with that of <filename>/var/lib/shorewall6/firewall
</filename> (the compiled script that last started/restarted the
firewall).</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
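Review bot: "<option>-f" followed by a newline before "</option>" renders as "-f " with a trailing space, and "/var/lib/shorewall6/firewall" followed by a newline before </filename> likewise; keep both elements on one source line.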
@ -1688,8 +1698,8 @@
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
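Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.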
@ -1698,8 +1708,8 @@
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when the <option>-f</option> option is also
specified. If the previously-saved configuration is restored, and if
the <option>-C</option> option was also specified in the <emphasis
role="bold">save</emphasis> command, then the packet and byte
the <option>-C</option> option was also specified in the
<command>save</command> command, then the packet and byte
counters will be restored along with the chains and rules.</para>
</listitem>
</varlistentry>
@ -1746,19 +1756,18 @@
role="bold">start</emphasis> command is performed using the
specified configuration <replaceable>directory</replaceable>. if an
error occurs during the compilation phase of the <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">start</emphasis>, the command terminates without
changing the Shorewall6 state. If an error occurs during the
<emphasis role="bold">restart</emphasis> phase, then a <emphasis
role="bold">shorewall6 restore</emphasis> is performed using the
saved configuration. If an error occurs during the <emphasis
role="bold">start</emphasis> phase, then Shorewall6 is cleared. If
the <emphasis role="bold">start</emphasis>/<emphasis
role="bold">restart</emphasis> succeeds and a
role="bold">restart</emphasis> or <emphasis role="bold">start
</emphasis>, the command terminates without changing the Shorewall6
state. If an error occurs during the <emphasis role="bold">restart
</emphasis> phase, then a <command>shorewall6 restore</command> is
performed using the saved configuration. If an error occurs during
the <emphasis role="bold">start</emphasis> phase, then Shorewall6
is cleared. If the <emphasis role="bold">start</emphasis>/
<emphasis role="bold">restart</emphasis> succeeds and a
<replaceable>timeout</replaceable> is specified then a <emphasis
role="bold">clear</emphasis> or <emphasis
role="bold">restore</emphasis> is performed after
<replaceable>timeout</replaceable> seconds.</para>
role="bold">clear</emphasis> or <emphasis role="bold">restore
</emphasis> is performed after <replaceable>timeout</replaceable>
seconds.</para>
<para>Beginning with Shorewall 4.5.0, the numeric
<replaceable>timeout</replaceable> may optionally be followed by an
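Review bot: "if an error occurs" at the top of the hunk (context line) starts a sentence in lowercase. The hunk converts "shorewall6 restore" to <command> but leaves restart, start, clear and restore as <emphasis role="bold">, so the paragraph now mixes both conventions; either convert all of the command names or none of them.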
@ -1779,7 +1788,7 @@
options with non-defaults to a deprecated options section at the
bottom of the file. Your existing
<filename>shorewall6.conf</filename> file is renamed
<filename>shorewall6.conf.bak.</filename></para>
<filename>shorewall6.conf.bak</filename>.</para>
<para>The <option>-a</option> option causes the updated
<filename>shorewall6.conf</filename> file to be annotated with
@ -1805,8 +1814,8 @@
updated, the original is saved in a .bak file in the same
directory.</para>
<para>The -i option was added in Shorewall 4.6.0 and causes a
warning message to be issued if the line current line contains
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued if the line current line contains
alternative input specifications following a semicolon (";"). Such
lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
<ulink
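Review bot: same "the line current line" typo on the second new line here; it should read "the current line" in this copy as well.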