More Blacklist and Secmark documentation updates

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Tc.pm

@@ -1397,6 +1397,7 @@ sub process_secmark_rule() {
     my $chain1= $chns{$chain};
     
     fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
+    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && chain1 ne 'tcout';
 
     if ( ( $state ||= '' ) ne '' ) {
 	my $state1;

docs/blacklisting_support.xml

@@ -167,6 +167,29 @@ ipset -A Blacklist 206.124.146.177
 ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
 
     <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
+
+    <para>Beginning with Shoreall 4.4.13, outgoing blacklisting is also
+    supported. The "blacklist" setting in <ulink
+    url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
+    specifes whether an interface is an Internet-facing interface (value 1) or
+    an internal interface (value 2). Additionally, entries in
+    <filename>/etc/shorewall/blacklist</filename> can be specified as defining
+    the destination IP address rather than the source address.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Traffic entering an Internet-facing interface is passed against
+        those blacklist entries that specify the source IP address. Traffic
+        originating on the firewall and leaving on an Interface-facing
+        interface is passed against the blacklist entries that specify the
+        destination IP address.</para>
+      </listitem>
+
+      <listitem>
+        <para>Traffic entering an internal interface is passed against those
+        blacklist entries that specify the destination IP address.</para>
+      </listitem>
+    </itemizedlist>
   </section>
 
   <section id="Dynamic">

manpages/shorewall-secmarks.xml

@@ -335,11 +335,11 @@
 
     <para><filename>/etc/shorewall/secmarks</filename>:</para>
 
-    <programlisting>#SECMARK                       CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
-#                              STATE                                 PORT(S)    PORT(S)     GROUP
-system_u:object_r:mysqld_t:s0  I:N        lo      127.0.0.1  tcp     3306
-SAVE                           I:N        lo      127.0.0.1  tcp     3306
-RESTORE                        I:E</programlisting>
+    <programlisting>#SECMARK                              CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
+#                                     STATE                                 PORT(S)    PORT(S)     GROUP
+system_u:object_r:mysqld_packet_t:s0  I:N        lo      127.0.0.1  tcp     3306
+SAVE                                  I:N        lo      127.0.0.1  tcp     3306
+RESTORE                               I:E</programlisting>
   </refsect1>
 
   <refsect1>

manpages6/shorewall6-secmarks.xml

@@ -332,11 +332,11 @@
 
     <para><filename>/etc/shorewall6/secmarks</filename>:</para>
 
-    <programlisting>#SECMARK                       CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
-#                              STATE                                 PORT(S)    PORT(S)     GROUP
-system_u:object_r:mysqld_t:s0  I:N        lo      ::1        tcp     3306
-SAVE                           I:N        lo      ::1        tcp     3306
-RESTORE                        I:E</programlisting>
+    <programlisting>#SECMARK                              CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
+#                                     STATE                                 PORT(S)    PORT(S)     GROUP
+system_u:object_r:mysqld_packet_t:s0  I:N        lo      ::1        tcp     3306
+SAVE                                  I:N        lo      ::1        tcp     3306
+RESTORE                               I:E</programlisting>
   </refsect1>
 
   <refsect1>