diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index b7d10be05..c50396c5d 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -181,8 +181,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES See the shorewall-secmarks and shorewall6-secmarks manpages for details. - As part of this change, the tcrules file now accepts chain - designators 'I' and 'CI' for marking packets in the input chain. + As part of this change, the tcrules file now accepts $FW in the + DEST column for marking packets in the INPUT chain. 4) The 'blacklist' interface option may now have one of 2 values: diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index cde754b28..36cd62414 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -147,15 +147,6 @@ Mark the connecdtion in the POSTROUTING chain - - - CI - - - Added in Shorewall 4.4.13. Mark the connecdtion in - the POSTROUTING chain - - Special considerations for If @@ -456,7 +447,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443 DEST - {-|{interface|[interface:]address-or-range[-|{interface|$FW}|[{interface|$FW}:]address-or-range[,address-or-range]...}[exclusion] @@ -477,6 +468,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443 The list may include ip address ranges if your kernel and iptables include iprange support. + + + Beginning with Shorewall 4.4.13, $FW may be specified by + itself or qualified by an address list. This causes marking to + occur in the INPUT chain. + You may exclude certain hosts from the set already defined @@ -812,8 +809,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443 shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), - shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), - shorewall-tunnels(5), shorewall-zones(5) + shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), + shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), + shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index 7fc01fd18..e6985ad36 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml @@ -144,14 +144,6 @@ Mark the connection in the POSTROUTING chain - - - CI (added in Shorewall 4.4.13) - - - Mark the connection in the INPUT chain. - - Special considerations for If @@ -330,7 +322,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443 DEST - {-|{interface|[interface:]<address-or-range[-|{interface|$FW}[{interface|$FW}:]<address-or-range[,address-or-range]...}[exclusion]> @@ -348,6 +340,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443 ('<' and '>') surrounding the address(es) may be omitted. + Beginning with Shorewall 4.4.13, $FW may be given by itself or + qualified by an address list. This causes marking to occur in the + INPUT chain. + You may exclude certain hosts from the set already defined through use of an exclusion (see shorewall6-exclusion(5)). @@ -666,8 +662,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443 shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-routestopped(5), - shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), - shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5), - shorewall6-zones(5) + shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), + shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5), + shorewall6-tunnels(5), shorewall6-zones(5)