Try to avoid TC confusion

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/configuration_file_basics.xml

@@ -941,6 +941,11 @@ Shorewall has detected the following iptables/netfilter capabilities:
         been eliminated and the Shorewall-perl compiler uses Perl's interfaces
         to getprotobyname(3posix) and getservbyname(3posix).</para>
       </note></para>
+
+    <para>Also, unless otherwise documented, a protocol number/name can be
+    preceded by '!' to specify "All protocols except this one" (e.g., "!tcp").
+    Shorewall-perl support for that feature was added in Shorewall
+    4.2.6.</para>
   </section>
 
   <section id="Ranges">
@@ -956,6 +961,11 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
 
     <para>If you omit the low port number, a value of zero is assumed; if you
     omit the high port number, a value of 65535 is assumed.</para>
+
+    <para>Also, unless otherwise documented, a port range can be preceded by
+    '!' to specify "All ports except those in this range" (e.g.,
+    "!4000:4100"). Shorewall-perl support for that feature was added in
+    Shorewall 4.2.6.</para>
   </section>
 
   <section id="Portlists">
@@ -993,6 +1003,10 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
       versions earlier than 4.0.5 will never break a list longer than 15 ports
       (with each range counting as two ports) into smaller lists.</para>
     </note>
+
+    <para>Also, unless otherwise documented, a port list can be preceded by
+    '!' to specify "All ports except these" (e.g., "!80,443"). Shorewall-perl
+    support for that feature was added in Shorewall 4.2.6.</para>
   </section>
 
   <section id="MAC">

docs/traffic_shaping.xml

@@ -686,7 +686,10 @@ ppp0           6000kbit         500kbit</programlisting>
 
           <note>
             <para>The "T" qualifier was added in Shorewall version 3.3.6 and
-            is not available in earlier versions.</para>
+            is not available in earlier versions. <emphasis role="bold">Use
+            this qualifier if you want the rule to apply equally to traffic
+            being routed through the firewall and to traffic originating on
+            the firewall itself.</emphasis></para>
           </note>
 
           <para>Normally, the mark is applied to the packet. If you follow the
@@ -780,35 +783,78 @@ ppp0           6000kbit         500kbit</programlisting>
         </listitem>
 
         <listitem>
-          <para>SOURCE - Source of the packet. A comma-separated list of
+          <para>SOURCE - Source of the packet. </para>
-          interface names, IP addresses, MAC addresses and/or subnets for
-          packets being routed through a common path. List elements may also
-          consist of an interface name followed by ":" and an address (e.g.,
-          eth1:192.168.1.0/24). For example, all packets for connections
-          masqueraded to eth0 from other interfaces can be matched in a single
-          rule with several alternative SOURCE criteria. However, a connection
-          whose packets gets to eth0 in a different way, e.g., direct from the
-          firewall itself, needs a different rule.</para>
 
-          <para>Accordingly, use $FW in its own separate rule for packets
+          <para>May be:</para>
-          originating on the firewall. In such a rule, the MARK column may NOT
+
-          specify either ":P" or ":F" because marking for firewall-originated
+          <orderedlist>
-          packets always occurs in the OUTPUT chain.</para>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the :T chain qualifier.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the MARK column.</emphasis></para>
+
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>
+
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>
+
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>
+
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+            </listitem>
+          </orderedlist>
 
           <para>MAC addresses must be prefixed with "~" and use "-" as a
           separator.</para>
 
           <para>Example: ~00-A0-C9-15-39-78</para>
+
+          <para>If your kernel includes iprange match support, then address
+          ranges may be included in the address lists.</para>
         </listitem>
 
         <listitem>
-          <para>DEST - Destination of the packet. Comma separated list of IP
+          <para>DEST - Destination of the packet. </para>
-          addresses and/or subnets. If your kernel and iptables include
+
-          iprange match support, IP address ranges are also allowed. List
+          <para>May be:</para>
-          elements may also consist of an interface name followed by ":" and
+
-          an address (e.g., eth1:192.168.1.0/24). If the MARK column specifies
+          <orderedlist>
-          a classification of the form &lt;major&gt;:&lt;minor&gt; then this
+            <listitem>
-          column may also contain an interface name.</para>
+              <para>An interface name. May not be used in the PREROUTING chain
+              (:P in the mark column or no chain qualifier and
+              MARK_IN_FORWARD_CHAIN=No in <ulink
+              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
+              interface name may be optionally followed by a colon (":") and
+              an IP address list.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>
+          </orderedlist>
         </listitem>
 
         <listitem>
@@ -949,11 +995,11 @@ ppp0           6000kbit         500kbit</programlisting>
       <example id="Example2">
         <title></title>
 
-        <para>All GRE (protocol 47) packets not originating on the firewall
+        <para>All GRE (protocol 47) packets destined for 155.186.235.151
-        and destined for 155.186.235.151 should be marked with 12.</para>
+        should be marked with 12.</para>
 
         <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   PORT(S)
-12      0.0.0.0/0 155.182.235.151 47</programlisting>
+12:T    0.0.0.0/0 155.182.235.151 47</programlisting>
       </example>
 
       <example id="Example3">
@@ -963,7 +1009,7 @@ ppp0           6000kbit         500kbit</programlisting>
         destined for 155.186.235.151 should be marked with 22.</para>
 
         <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)
-22      192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
+22:T    192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
       </example>
 
       <example id="Example4">
@@ -989,7 +1035,8 @@ ppp0           6000kbit         500kbit</programlisting>
         ipp2p module is unable to determine all packets in a connection are
         P2P packets, we mark the entire connection as P2P if any of the
         packets are determined to match. We assume packet/connection mark 0 to
-        means unclassified.</para>
+        means unclassified. Traffic originating on the firewall is not covered
+        by this example.</para>
 
         <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
 #                                                                PORT(S)  GROUP

manpages/shorewall-blacklist.xml

@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
   <refmeta>
     <refentrytitle>shorewall-blacklist</refentrytitle>
@@ -52,7 +54,7 @@
       <varlistentry>
         <term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
         {<emphasis
-        role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>}</term>
+        role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>
 
         <listitem>
           <para>If specified, must be a protocol number or a protocol name
@@ -62,7 +64,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
+        role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>
 
         <listitem>
           <para>May only be specified if the protocol is TCP (6) or UDP (17).

manpages/shorewall-masq.xml

@@ -215,7 +215,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}</term>
+        role="bold">-</emphasis>|[!]<emphasis>protocol-name</emphasis>|[!]<emphasis>protocol-number</emphasis>}</term>
 
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
@@ -226,7 +226,7 @@
 
       <varlistentry>
         <term><emphasis role="bold">PORT(S)</emphasis> (Optional) -
-        [<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
+        [[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>
 
         <listitem>
           <para>If the PROTO column specifies TCP (protocol 6) or UDP

manpages/shorewall-tcrules.xml

@@ -256,22 +256,45 @@
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>Source of the packet. A comma-separated list of interface
+          <para>May be:</para>
-          names, IP addresses, MAC addresses and/or subnets for packets being
-          routed through a common path. List elements may also consist of an
-          interface name followed by ":" and an address (e.g.,
-          eth1:192.168.1.0/24). For example, all packets for connections
-          masqueraded to eth0 from other interfaces can be matched in a single
-          rule with several alternative SOURCE criteria. However, a connection
-          whose packets gets to eth0 in a different way, e.g., direct from the
-          firewall itself, needs a different rule.</para>
 
-          <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
+          <orderedlist>
-          own separate rule for packets originating on the firewall. In such a
+            <listitem>
-          rule, the MARK column may NOT specify either <emphasis
+              <para>An interface name - matches traffic entering the firewall
-          role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
+              on the specified interface. May not be used in classify rules or
-          because marking for firewall-originated packets always occurs in the
+              in rules using the :T chain qualifier.</para>
-          OUTPUT chain.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses. <emphasis role="bold">This form will not match
+              traffic that originates on the firewall itself unless either
+              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
+              the MARK column.</emphasis></para>
+
+              <para>Examples:<simplelist>
+                  <member>0.0.0.0/0</member>
+                </simplelist></para>
+
+              <para><simplelist>
+                  <member>192.168.1.0/24, 172.20.4.0/24</member>
+                </simplelist></para>
+            </listitem>
+
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses. May not be used in classify rules or in rules using
+              the :T chain qualifier.</para>
+            </listitem>
+
+            <listitem>
+              <para>$FW optionally followed by a colon (":") and a
+              comma-separated list of host or network IP addresses. Matches
+              packets originating on the firewall. May not be used with a
+              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+            </listitem>
+          </orderedlist>
 
           <para>MAC addresses must be prefixed with "~" and use "-" as a
           separator.</para>
@@ -290,14 +313,24 @@
         role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>Destination of the packet. Comma separated list of IP
+          <para>May be:</para>
-          addresses and/or subnets. If your kernel and iptables include
+
-          iprange match support, IP address ranges are also allowed. List
+          <orderedlist>
-          elements may also consist of an interface name followed by ":" and
+            <listitem>
-          an address (e.g., eth1:192.168.1.0/24). If the <emphasis
+              <para>An interface name. May not be used in the PREROUTING chain
-          role="bold">MARK</emphasis> column specificies a classification of
+              (:P in the mark column or no chain qualifier and
-          the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
+              MARK_IN_FORWARD_CHAIN=No in <ulink
-          this column may also contain an interface name.</para>
+              url="manpages/shorewall.conf">shorewall.conf</ulink> (5)). The
+              interface name may be optionally followed by a colon (":") and
+              an IP address list.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>
+          </orderedlist>
 
           <para>You may exclude certain hosts from the set already defined
           through use of an <emphasis>exclusion</emphasis> (see <ulink
@@ -532,8 +565,8 @@
               directions.</para>
             </blockquote></para>
 
-          <para>If omitted, <emphasis role="bold">B</emphasis> is assumed.
+          <para>If omitted, <emphasis role="bold">B</emphasis> is
-          </para>
+          assumed.</para>
 
           <para>The second letter determines what the range refers
           to.<blockquote>
@@ -564,7 +597,7 @@
           <para>Example: Mark all FTP data connections with mark
           4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
 #CLASSIFY                                        PORT(S)
-4         0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
+4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -590,12 +623,12 @@
 
           <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
        #CLASSIFY                                               PORT(S)
-       1         0.0.0.0/0 0.0.0.0/0    icmp    echo-request
+       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
-       1         0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
+       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
-       RESTORE   0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
+       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
-       CONTINUE  0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
+       CONTINUE:T 0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
-       4         0.0.0.0/0 0.0.0.0/0    ipp2p:all
+       4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
-       SAVE      0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0</programlisting>
+       SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
 
           <para>If a packet hasn't been classifed (packet mark is 0), copy the
           connection mark to the packet mark. If the packet mark is set, we're