From 3038af67ac3d54eb1bc10ceaf8e7b7a7d5442755 Mon Sep 17 00:00:00 2001
From: el_cubano <el_cubano@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Mon, 21 Jan 2008 15:09:13 +0000
Subject: [PATCH] Document that for interface restricions to take effect for
 each member of a comma separated list in a rule, the interface must be
 explicitly stated for each member of the list in a rule.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8083 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 manpages/shorewall-rules.xml | 40 ++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/manpages/shorewall-rules.xml b/manpages/shorewall-rules.xml
index 65996adf3..9495ae711 100644
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -393,7 +393,7 @@
 
               <listitem>
                 <para>the rest of the line will be attached as a comment to
-                the Netfilter rule(s) generated by the following entrIes. The
+                the Netfilter rule(s) generated by the following entries. The
                 comment will appear delimited by "/* ... */" in the output of
                 "shorewall show &lt;chain&gt;". To stop the comment from being
                 attached to further rules, simply include COMMENT on a line by
@@ -614,6 +614,42 @@
             This may be optionally followed by another colon (":") and an
             IP/MAC/subnet address as described above (e.g., <emphasis
             role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
+
+            <para>It is important to note that when <emphasis role="bold">using
+            Shorewall-shell</emphasis> and specifying an address list that will
+            be split (i.e., a comma separated list), there is a subtle behavior
+            which has the potential to cause confusion.  Consider the two
+            examples below:</para>
+          </blockquote>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>loc:eth1:192.168.1.3,192.168.1.5</term>
+
+              <listitem>
+                <para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+                with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
+                from any interface in the zone.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>
+
+              <listitem>
+                <para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+                with <emphasis role="bold">both</emphasis> originating from
+                eth1.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+          <blockquote>
+            <para>That is, the interface name must be explicitly stated for
+            each member of the comma separated list.  Again, this distinction
+            in behavior only occurs when <emphasis role="bold">using
+            Shorewall-shell</emphasis>.</para>
           </blockquote>
         </listitem>
       </varlistentry>
@@ -1230,4 +1266,4 @@
     shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
     shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
-</refentry>
\ No newline at end of file
+</refentry>