Document that for interface restricions to take effect for each member of a comma separated list in a rule, the interface must be explicitly stated for each member of the list in a rule.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8083 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-23 08:03:11 +01:00 · 2008-01-21 15:09:13 +00:00 · 2008-01-21 15:09:13 +00:00 · 3038af67ac
commit 3038af67ac
parent fb426cd498
1 changed files with 38 additions and 2 deletions
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@ -393,7 +393,7 @@

              <listitem>
                <para>the rest of the line will be attached as a comment to
-                the Netfilter rule(s) generated by the following entrIes. The
+                the Netfilter rule(s) generated by the following entries. The
                comment will appear delimited by "/* ... */" in the output of
                "shorewall show &lt;chain&gt;". To stop the comment from being
                attached to further rules, simply include COMMENT on a line by
@ -614,6 +614,42 @@
            This may be optionally followed by another colon (":") and an
            IP/MAC/subnet address as described above (e.g., <emphasis
            role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
+
+            <para>It is important to note that when <emphasis role="bold">using
+            Shorewall-shell</emphasis> and specifying an address list that will
+            be split (i.e., a comma separated list), there is a subtle behavior
+            which has the potential to cause confusion.  Consider the two
+            examples below:</para>
+          </blockquote>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>loc:eth1:192.168.1.3,192.168.1.5</term>
+
+              <listitem>
+                <para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+                with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
+                from any interface in the zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>
+
+              <listitem>
+                <para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+                with <emphasis role="bold">both</emphasis> originating from
+                eth1.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+          <blockquote>
+            <para>That is, the interface name must be explicitly stated for
+            each member of the comma separated list.  Again, this distinction
+            in behavior only occurs when <emphasis role="bold">using
+            Shorewall-shell</emphasis>.</para>
          </blockquote>
        </listitem>
      </varlistentry>
@ -1230,4 +1266,4 @@
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>