Clarify the 'optional' interface option.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-05-13 12:30:12 -07:00
parent e5e8e6fbc0
commit 7343b19abc
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10

@ -70,8 +70,7 @@
in this column.</para> in this column.</para>
<para>If the interface serves multiple zones that will be defined in <para>If the interface serves multiple zones that will be defined in
the <ulink the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
file, you should place "-" in this column.</para> file, you should place "-" in this column.</para>
<para>If there are multiple interfaces to the same zone, you must <para>If there are multiple interfaces to the same zone, you must
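Review bot: the only change in this hunk is where the shorewall-hosts ulink breaks across lines, which has nothing to do with the commit subject (clarifying the 'optional' option). Consider moving the whitespace-only rewraps here and in the other ulink hunks into a separate commit, so that the two hunks that actually change the text of the 'optional' entry are easy to find and review.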
@ -109,8 +108,8 @@ loc eth2 -</programlisting>
<para>When using Shorewall versions before 4.1.4, care must be <para>When using Shorewall versions before 4.1.4, care must be
exercised when using wildcards where there is another zone that uses exercised when using wildcards where there is another zone that uses
a matching specific interface. See <ulink a matching specific interface. See <ulink
url="shorewall-nesting.html">shorewall-nesting</ulink>(5) url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
for a discussion of this problem.</para> discussion of this problem.</para>
<para>Shorewall allows '+' as an interface name, but that usage is <para>Shorewall allows '+' as an interface name, but that usage is
deprecated. A better approach is to specify deprecated. A better approach is to specify
@ -370,8 +369,7 @@ loc eth2 -</programlisting>
firewall through this interface and whether the source address firewall through this interface and whether the source address
and/or destination address is to be compared against the and/or destination address is to be compared against the
ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
<ulink <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
url="shorewall.conf.html">shorewall.conf(5)</ulink>).
The default is determine by the setting of The default is determine by the setting of
DYNAMIC_BLACKLIST:</para> DYNAMIC_BLACKLIST:</para>
@ -459,8 +457,8 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>the interface is a <ulink <para>the interface is a <ulink
url="../SimpleBridge.html">simple bridge</ulink> with a DHCP url="../SimpleBridge.html">simple bridge</ulink> with a
server on one port and DHCP clients on another DHCP server on one port and DHCP clients on another
port.</para> port.</para>
<note> <note>
@ -585,8 +583,8 @@ loc eth2 -</programlisting>
<listitem> <listitem>
<para>Connection requests from this interface are compared <para>Connection requests from this interface are compared
against the contents of <ulink against the contents of <ulink
url="shorewall-maclist.html">shorewall-maclist</ulink>(5). url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
If this option is specified, the interface must be an Ethernet this option is specified, the interface must be an Ethernet
NIC and must be up before Shorewall is started.</para> NIC and must be up before Shorewall is started.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -650,8 +648,8 @@ loc eth2 -</programlisting>
<para>Smurfs will be optionally logged based on the setting of <para>Smurfs will be optionally logged based on the setting of
SMURF_LOG_LEVEL in <ulink SMURF_LOG_LEVEL in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). url="shorewall.conf.html">shorewall.conf</ulink>(5). After
After logging, the packets are dropped.</para> logging, the packets are dropped.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -659,6 +657,11 @@ loc eth2 -</programlisting>
<term><emphasis role="bold">optional</emphasis></term> <term><emphasis role="bold">optional</emphasis></term>
<listitem> <listitem>
<para>This option indicates that the firewall should be able
to start, even if the interface is not usable for handling
traffic. It allows use of the <command>enable</command> and
<command>disable</command> commands on the interface.</para>
<para>When <option>optional</option> is specified for an <para>When <option>optional</option> is specified for an
interface, Shorewall will be silent when:</para> interface, Shorewall will be silent when:</para>
@ -674,6 +677,16 @@ loc eth2 -</programlisting>
<para>The first address of the interface cannot be <para>The first address of the interface cannot be
obtained.</para> obtained.</para>
</listitem> </listitem>
<listitem>
<para>The gateway of the interface can not be obtained
(provider interface).</para>
</listitem>
<listitem>
<para>The interface has been disabled using the
<command>disable</command> command.</para>
</listitem>
</itemizedlist> </itemizedlist>
<para>May not be specified with <emphasis <para>May not be specified with <emphasis
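Review bot: the added gateway item says "can not be obtained" while the existing item directly above it says "cannot be obtained"; use "cannot" in both for consistency. The trailing "(provider interface)" is also terse: spell out that this condition applies only when the interface is a provider interface, so the reader does not have to guess what the parenthetical qualifies.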
@ -826,9 +839,9 @@ loc eth2 -</programlisting>
<important> <important>
<para>If ROUTE_FILTER=Yes in <ulink <para>If ROUTE_FILTER=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
or if your distribution sets net.ipv4.conf.all.rp_filter=1 your distribution sets net.ipv4.conf.all.rp_filter=1 in
in <filename>/etc/sysctl.conf</filename>, then setting <filename>/etc/sysctl.conf</filename>, then setting
<emphasis role="bold">routefilter</emphasis>=0 in an <emphasis role="bold">routefilter</emphasis>=0 in an
<replaceable>interface</replaceable> entry will not disable <replaceable>interface</replaceable> entry will not disable
route filtering on that route filtering on that
@ -848,8 +861,8 @@ loc eth2 -</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>If USE_DEFAULT_RT=Yes in <ulink <para>If USE_DEFAULT_RT=Yes in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) url="shorewall.conf.html">shorewall.conf</ulink>(5) and
and the interface is listed in <ulink the interface is listed in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para> url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem> </listitem>