Clarify REJECT handling in IP[6]TABLE rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-08-24 09:10:10 -07:00
parent fa8c3b3b6c
commit 4347190f82
2 changed files with 39 additions and 16 deletions

@ -476,24 +476,35 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>IPTABLES({<replaceable>target</replaceable> <term>IPTABLES({<replaceable>iptables-target</replaceable>
[<replaceable>option</replaceable> ...])</term> [<replaceable>option</replaceable> ...])</term>
<listitem> <listitem>
<para>This action allows you to specify an iptables target <para>This action allows you to specify an iptables target
with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
the target is not one recognized by Shorewall, the following the <replaceable>iptables-target</replaceable> is not one
error message will be issued:</para> recognized by Shorewall, the following error message will be
issued:</para>
<simplelist> <simplelist>
<member>ERROR: Unknown target <member>ERROR: Unknown target
(<replaceable>target</replaceable>)</member> (<replaceable>iptables-target</replaceable>)</member>
</simplelist> </simplelist>
<para>This error message may be eliminated by adding the <para>This error message may be eliminated by adding the
<replaceable>target</replaceable> as a builtin action in <replaceable>iptables-</replaceable><replaceable>target</replaceable>
<ulink as a builtin action in <ulink
url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para> url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
<important>
<para>If you specify REJECT as the
<replaceable>iptables-target</replaceable>, the target of
the rule will be the iptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when REJECT
(see below) is specified as the
<replaceable>target</replaceable> in the ACTION
column.</para>
</important>
</listitem> </listitem>
</varlistentry> </varlistentry>
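Review bot: In the "This error message may be eliminated" paragraph, the new text splits the placeholder into two adjacent elements, <replaceable>iptables-</replaceable><replaceable>target</replaceable>, while the term, the preceding paragraph, the error message and the new important note all use a single <replaceable>iptables-target</replaceable>. Suggest the single element here as well so the placeholder renders the same way throughout the entry. Separately, the parenthesis opened at "(e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'" is never closed on either side of the diff; since the paragraph is being reworded anyway, add the closing ")" before the period.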

@ -450,24 +450,36 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>IP6TABLES({<replaceable>target</replaceable> <term>IP6TABLES({<replaceable>ip6tables-target</replaceable>
[<replaceable>option</replaceable> ...])</term> [<replaceable>option</replaceable> ...])</term>
<listitem> <listitem>
<para>This action allows you to specify an iptables target <para>This action allows you to specify an ip6tables target
with options (e.g., 'IP6TABLES(MARK --set-xmark 0x01/0xff)'. with options (e.g., 'IPTABLES(MARK --set-xmark 0x01/0xff)'. If
If the target is not one recognized by Shorewall, the the <replaceable>ip6tables-target</replaceable> is not one
following error message will be issued:</para> recognized by Shorewall, the following error message will be
issued:</para>
<simplelist> <simplelist>
<member>ERROR: Unknown target <member>ERROR: Unknown target
(<replaceable>target</replaceable>)</member> (<replaceable>ip6tables-target</replaceable>)</member>
</simplelist> </simplelist>
<para>This error message may be eliminated by adding the <para>This error message may be eliminated by adding
<replaceable>target</replaceable> as a builtin action in the<replaceable>
<ulink ip6tables-</replaceable><replaceable>target</replaceable> as a
url="/manpages6/shorewall6-actions.html">shorewall6-actions(5)</ulink>.</para> builtin action in <ulink
url="shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
<important>
<para>If you specify REJECT as the
<replaceable>ip6tables-target</replaceable>, the target of
the rule will be the i6ptables REJECT target and not
Shorewall's builtin 'reject' chain which is used when REJECT
(see below) is specified as the
<replaceable>target</replaceable> in the ACTION
column.</para>
</important>
</listitem> </listitem>
</varlistentry> </varlistentry>
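Review bot: The example in the first paragraph of the IP6TABLES entry changes from 'IP6TABLES(MARK --set-xmark 0x01/0xff)' to 'IPTABLES(MARK --set-xmark 0x01/0xff)', which names the IPv4 action in the IPv6 manpage; keep IP6TABLES there. In the same hunk, the important note spells the target "i6ptables REJECT" where ip6tables is meant, and "adding the<replaceable>" drops the space after "the" and splits the placeholder into "ip6tables-" plus "target" with a line break inside the element, where a single <replaceable>ip6tables-target</replaceable> would match the term and the error message. The ulink url also changes from "/manpages6/shorewall6-actions.html" to the relative "shorewall6-actions.html", while the IPv4 hunk keeps the absolute "/manpages/shorewall-actions.html"; please confirm that difference is intended.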