Clarify the 'optional' interface option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-05-13 12:30:12 -07:00
parent e5e8e6fbc0
commit 7343b19abc
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10

@ -70,8 +70,7 @@
in this column.</para>
<para>If the interface serves multiple zones that will be defined in
the <ulink
url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must
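Review bot: the only change in this hunk is joining the shorewall-hosts <ulink> element onto one line, which is unrelated to the 'optional' option named in the commit subject. Consider moving this and the other pure re-wrapping hunks into a separate whitespace-only commit so the actual documentation change is easy to find and review.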
@ -109,8 +108,8 @@ loc eth2 -</programlisting>
<para>When using Shorewall versions before 4.1.4, care must be
exercised when using wildcards where there is another zone that uses
a matching specific interface. See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
for a discussion of this problem.</para>
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
discussion of this problem.</para>
<para>Shorewall allows '+' as an interface name, but that usage is
deprecated. A better approach is to specify
@ -370,8 +369,7 @@ loc eth2 -</programlisting>
firewall through this interface and whether the source address
and/or destination address is to be compared against the
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
<ulink
url="shorewall.conf.html">shorewall.conf(5)</ulink>).
<ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
The default is determine by the setting of
DYNAMIC_BLACKLIST:</para>
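Review bot: the context line "The default is determine by the setting of", directly below the re-wrapped <ulink>, has a typo. Since this hunk already touches the paragraph, change "determine" to "determined" here.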
@ -459,8 +457,8 @@ loc eth2 -</programlisting>
<listitem>
<para>the interface is a <ulink
url="../SimpleBridge.html">simple bridge</ulink> with a DHCP
server on one port and DHCP clients on another
url="../SimpleBridge.html">simple bridge</ulink> with a
DHCP server on one port and DHCP clients on another
port.</para>
<note>
@ -585,8 +583,8 @@ loc eth2 -</programlisting>
<listitem>
<para>Connection requests from this interface are compared
against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
If this option is specified, the interface must be an Ethernet
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
this option is specified, the interface must be an Ethernet
NIC and must be up before Shorewall is started.</para>
</listitem>
</varlistentry>
@ -650,8 +648,8 @@ loc eth2 -</programlisting>
<para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).
After logging, the packets are dropped.</para>
url="shorewall.conf.html">shorewall.conf</ulink>(5). After
logging, the packets are dropped.</para>
</listitem>
</varlistentry>
@ -659,6 +657,11 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">optional</emphasis></term>
<listitem>
<para>This option indicates that the firewall should be able
to start, even if the interface is not usable for handling
traffic. It allows use of the <command>enable</command> and
<command>disable</command> commands on the interface.</para>
<para>When <option>optional</option> is specified for an
interface, Shorewall will be silent when:</para>
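Review bot: in the new opening paragraph, "It allows use of the <command>enable</command> and <command>disable</command> commands on the interface" does not say whether those commands require the interface to be marked optional or are simply also available for it. State the requirement explicitly, and tie "not usable for handling traffic" to the conditions listed under "Shorewall will be silent when:" if that list is what defines it.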
@ -674,6 +677,16 @@ loc eth2 -</programlisting>
<para>The first address of the interface cannot be
obtained.</para>
</listitem>
<listitem>
<para>The gateway of the interface can not be obtained
(provider interface).</para>
</listitem>
<listitem>
<para>The interface has been disabled using the
<command>disable</command> command.</para>
</listitem>
</itemizedlist>
<para>May not be specified with <emphasis
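Review bot: the added list item writes "can not be obtained" while the existing item just above it uses "cannot be obtained"; use "cannot" in both. The parenthetical "(provider interface)" is also terse for a manpage; a full clause such as "when the interface is a provider interface" would make clear that the condition applies only in that case.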
@ -826,9 +839,9 @@ loc eth2 -</programlisting>
<important>
<para>If ROUTE_FILTER=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5),
or if your distribution sets net.ipv4.conf.all.rp_filter=1
in <filename>/etc/sysctl.conf</filename>, then setting
url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
your distribution sets net.ipv4.conf.all.rp_filter=1 in
<filename>/etc/sysctl.conf</filename>, then setting
<emphasis role="bold">routefilter</emphasis>=0 in an
<replaceable>interface</replaceable> entry will not disable
route filtering on that
@ -848,8 +861,8 @@ loc eth2 -</programlisting>
<itemizedlist>
<listitem>
<para>If USE_DEFAULT_RT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5)
and the interface is listed in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) and
the interface is listed in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>