Correct INPUT marking documentation

Shorewall/releasenotes.txt

@@ -181,8 +181,8 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
     See the shorewall-secmarks and shorewall6-secmarks manpages for
     details.
 
-    As part of this change, the tcrules file now accepts chain
+    As part of this change, the tcrules file now accepts $FW in the
-    designators 'I' and 'CI' for marking packets in the input chain.
+    DEST column for marking packets in the INPUT chain.
 
 4)  The 'blacklist' interface option may now have one of 2 values:
 

manpages/shorewall-tcrules.xml

@@ -147,15 +147,6 @@
                     <para>Mark the connecdtion in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
-
-                <varlistentry>
-                  <term>CI</term>
-
-                  <listitem>
-                    <para>Added in Shorewall 4.4.13. Mark the connecdtion in
-                    the POSTROUTING chain</para>
-                  </listitem>
-                </varlistentry>
               </variablelist>
 
               <para><emphasis role="bold">Special considerations for If
@@ -456,7 +447,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> - {<emphasis
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
@@ -477,6 +468,12 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
               The list may include ip address ranges if your kernel and
               iptables include iprange support.</para>
             </listitem>
+
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
           </orderedlist>
 
           <para>You may exclude certain hosts from the set already defined
@@ -812,8 +809,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
     shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
     shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>

manpages6/shorewall6-tcrules.xml

@@ -144,14 +144,6 @@
                     <para>Mark the connection in the POSTROUTING chain</para>
                   </listitem>
                 </varlistentry>
-
-                <varlistentry>
-                  <term>CI (added in Shorewall 4.4.13)</term>
-
-                  <listitem>
-                    <para>Mark the connection in the INPUT chain.</para>
-                  </listitem>
-                </varlistentry>
               </variablelist>
 
               <para><emphasis role="bold">Special considerations for If
@@ -330,7 +322,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> - {<emphasis
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}[{<emphasis>interface</emphasis>|$FW}:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
 
         <listitem>
@@ -348,6 +340,10 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           ('&lt;' and '&gt;') surrounding the address(es) may be
           omitted.</para>
 
+          <para>Beginning with Shorewall 4.4.13, $FW may be given by itself or
+          qualified by an address list. This causes marking to occur in the
+          INPUT chain.</para>
+
           <para>You may exclude certain hosts from the set already defined
           through use of an <emphasis>exclusion</emphasis> (see <ulink
           url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
@@ -666,8 +662,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
     shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
     shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tos(5),
-    shorewall6-zones(5)</para>
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
   </refsect1>
 </refentry>