diff --git a/Shorewall/manpages/shorewall-addresses.xml b/Shorewall/manpages/shorewall-addresses.xml index f2e386e77..918927b4e 100644 --- a/Shorewall/manpages/shorewall-addresses.xml +++ b/Shorewall/manpages/shorewall-addresses.xml @@ -107,6 +107,10 @@ INTERFACE — The name of an interface that matches an entry in /etc/shorewall/interfaces (/etc/shorewall6/interfaces). + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' which + matches all interfaces except the one specified. @@ -157,7 +161,7 @@ The primary IP address of eth0 in the $FW zone - $FW:&eth0 + role="bold">$FW:&eth0 @@ -175,7 +179,7 @@ support, you may use IP address ranges in Shorewall configuration file entries; IP address ranges have the syntax <low IP address>-<high IP - address>. + address>. Example: 192.168.1.5-192.168.1.12. diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml index aa5cc2f0b..6f94697b2 100644 --- a/Shorewall/manpages/shorewall-mangle.xml +++ b/Shorewall/manpages/shorewall-mangle.xml @@ -857,15 +857,20 @@ Normal-Service => 0x00 - interface + [!]interface where interface is the - logical name of an interface defined in interface + defined in shorewall-interfaces(5). Matches packets entering the firewall from the named interface. May not be used in CLASSIFY rules or in rules using the :T chain qualifier. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces except the one specified. 
@@ -899,23 +904,31 @@ Normal-Service => 0x00 - interface:address,[...][exclusion] + [!]interface:address,[...][exclusion] This form combines the preceding two forms and matches when both the incoming interface and source IP address match. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces except the one specified. - interface:exclusion + [!]interface:exclusion This form matches packets arriving through the named interface and whose source IP address does not match any of the addresses in the exclusion. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces except the one specified. diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index 6c8831edd..d2be15882 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -461,8 +461,7 @@ Added in Shorewall 4.5.16. This action allows you to construct most of the rule yourself using iptables syntax. The - part that you specify must follow two semicolons (';;') - and is + part that you specify must follow two semicolons (';;') and is completely free-form. If the target of the rule (the part following 'j') is something that Shorewall supports in the ACTION column, then you may enclose it in parentheses (e.g., @@ -1046,7 +1045,7 @@ - zone:interface + zone:[!]interface When this form is used, @@ -1059,6 +1058,11 @@ Only packets from hosts in the zone that arrive through the named interface will match the rule. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces associated with the zone except + the one specified. @@ -1397,7 +1401,7 @@ - zone:interface + zone:[!]interface When this form is used, 
@@ -1410,6 +1414,11 @@ Only packets to hosts in the zone that are sent through the named interface will match the rule. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces associated with the zone except + the one specified. @@ -1463,12 +1472,17 @@ - zone:interface:address[,...] + zone:[!]interface:address[,...] This form combines the preceding two and requires that both the outgoing interface and destinationaddress match. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces associated with the zone except + the one specified. @@ -1483,7 +1497,7 @@ - zone:interface:exclusion + zone:[!]interface:exclusion This form matches packets to the named @@ -1491,6 +1505,11 @@ interface where the destination address does not match any entry in the exclusion. + + Beginning with Shorweall 5.2.1, the + interface may be preceded with '!' + which matches all interfaces associated with the zone except + the one specified.
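Review bot: "Shorweall" is misspelled in every added paragraph ("Beginning with Shorweall 5.2.1, the interface may be preceded with '!'"), starting with the INTERFACE entry in shorewall-addresses.xml (hunk @@ -107,6 +107,10 @@) and repeated in each shorewall-mangle.xml and shorewall-rules.xml hunk that adds this sentence. It should read "Shorewall 5.2.1" throughout. While touching those lines, "preceded by" reads better than "preceded with".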
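Review bot: in shorewall-mangle.xml, the [!]interface:exclusion entry (hunk @@ -899,23 +904,31 @@) now carries two negations, and the text does not say how they combine. The unchanged sentence still reads "arriving through the named interface and whose source IP address does not match any of the addresses in the exclusion", which is no longer accurate once '!' is present. Suggest rewording that sentence to cover the negated case explicitly and adding one example entry, as the shorewall-addresses.xml hunk does for address ranges ("Example: 192.168.1.5-192.168.1.12"). Because "all interfaces except the one specified" presumably also takes in interfaces added to the configuration later, a sentence saying so would help readers judge the scope of a negated rule.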
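Review bot: in shorewall-rules.xml, the source-side hunks (@@ -1046,7 +1045,7 @@ and @@ -1059,6 +1058,11 @@, "packets from hosts in the zone that arrive through the named interface") update only zone:[!]interface, while the destination-side hunks update zone:[!]interface, zone:[!]interface:address[,...] and zone:[!]interface:exclusion. If the source column also accepts '!' in its combined interface:address and interface:exclusion forms, those entries need the same "[!]" in the term and the same added paragraph. If it does not, say so in the source entry so readers do not assume the two columns behave the same way.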