Update 3.0 docs for cmd-owner removal in kernel 2.6.14

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2955 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-22 07:33:43 +01:00 · 2005-11-03 15:30:41 +00:00 · 2005-11-03 15:30:41 +00:00 · 85af2b901a
commit 85af2b901a
parent 0163b261ab
5 changed files with 57 additions and 29 deletions
--- a/Shorewall-docs2/Accounting.xml
+++ b/Shorewall-docs2/Accounting.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-09-16</pubdate>
+    <pubdate>2005-11-02</pubdate>

    <copyright>
      <year>2003-2005</year>
@ -129,7 +129,7 @@
      <para><emphasis role="bold">USER/GROUP</emphasis> - This column may only
      be non-empty if the CHAIN is OUTPUT. The column may contain:</para>

-      <programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
+      <programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>

      <para>When this column is non-empty, the rule applies only if the
      program generating the output is running under the effective
@ -146,6 +146,9 @@

        <member>!:kids #program must not be run by a member of the 'kids'
        group</member>
+
+        <member>+upnpd #program named upnpd (This feature was removed from
+        Netfilter in kernel version 2.6.14).</member>
      </simplelist>
    </listitem>
  </itemizedlist>
--- a/Shorewall-docs2/Actions.xml
+++ b/Shorewall-docs2/Actions.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-10-02</pubdate>
+    <pubdate>2005-11-02</pubdate>

    <copyright>
      <year>2005</year>
@ -363,6 +363,10 @@ Reject:REJECT   #Common Action for REJECT policy</programlisting>

          <member>[!]&lt;<emphasis>user
          name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
+
+          <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support
+          for this form was removed from Netfilter in kernel version
+          2.6.14).</member>
        </simplelist>
      </listitem>
    </itemizedlist>
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-10-13</pubdate>
+    <pubdate>2005-11-02</pubdate>

    <copyright>
      <year>2001-2005</year>
@ -2007,9 +2007,23 @@ ACCEPT<emphasis role="bold">:info</emphasis>   -              -               tc

        <listitem>
          <para>Output rules from the firewall itself may be restricted to a
-          particular set of users and/or user groups. See the <ulink
-          url="UserSets.html">User Set Documentation</ulink> for
-          details.</para>
+          particular user or group.</para>
+
+          <para>The column may contain:</para>
+
+          <programlisting>       [!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
+
+          <para>When this column is non-empty, the rule applies only if the
+          program generating the output is running under the effective
+          &lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
+          that id if "!" is given). </para>
+
+          <para>Examples:</para>
+
+          <programlisting>joe     #program must be run by joe
+:kids   #program must be run by a member of the 'kids' group
+!:kids  #program must not be run by a member of the 'kids' group
+upnpd  #program named upnpd (This feature was removed from Netfilter in kernel version 2.6.14).</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall-docs2/Macros.xml
+++ b/Shorewall-docs2/Macros.xml
@ -21,7 +21,7 @@
      </author>
    </authorgroup>

-    <pubdate>2005-10-01</pubdate>
+    <pubdate>2005-11-02</pubdate>

    <copyright>
      <year>2005</year>
@ -394,6 +394,10 @@ DNAT:info        net      loc:192.168.1.5 tcp      25</programlisting>

          <member>[!]&lt;<emphasis>user
          name</emphasis>&gt;:&lt;<emphasis>group name</emphasis>&gt;</member>
+
+          <member>[!]+&lt;<emphasis>program name</emphasis>&gt; (Note: support
+          for this form was removed from Netfilter in kernel version
+          2.6.14).</member>
        </simplelist>
      </listitem>
    </itemizedlist>
--- a/Shorewall-docs2/traffic_shaping.xml
+++ b/Shorewall-docs2/traffic_shaping.xml
@ -294,18 +294,23 @@
        </listitem>

        <listitem>
-          <para>USER (Added in Shorewall version 1.4.10) - (Optional) This
-          column may only be non-empty if the SOURCE is the firewall itself.
-          When this column is non-empty, the rule applies only if the program
-          generating the output is running under the effective user and/or
-          group. It may contain :</para>
+          <para>USER/GROUP (Added in Shorewall version 1.4.10) - (Optional)
+          This column may only be non-empty if the SOURCE is the firewall
+          itself. When this column is non-empty, the rule applies only if the
+          program generating the output is running under the effective user
+          and/or group. It may contain :</para>

-          <para>[&lt;user name or number&gt;]:[&lt;group name or
-          number&gt;]</para>
+          <para>[!][&lt;user name or number&gt;]:[&lt;group name or
+          number&gt;][+&lt;program name&gt;]</para>

          <para>The colon is optionnal when specifying only a user.</para>

-          <para>Examples : john: / john / :users / john:users</para>
+          <para>Examples:</para>
+
+          <programlisting>joe     #program must be run by joe
+:kids   #program must be run by a member of the 'kids' group
+!:kids  #program must not be run by a member of the 'kids' group
+upnpd  #program named upnpd (This feature was removed from Netfilter in kernel version 2.6.14).</programlisting>
        </listitem>
      </itemizedlist>

@ -500,22 +505,20 @@ ppp0           6000kbit         500kbit</programlisting>
    <section>
      <title>ppp devices</title>

-      <para>If you use ppp/pppoe/pppoa) to connect to your internet provider 
-	and you use traffic shaping you need to restart shorewall traffic
-	shaping. The reason for this is, that if the ppp connection gets 
-	restartet (and it usally does this at least daily), all <quote>tc</quote> 
-	filters/qdiscs related to that interface are deleted.</para>
-    
-      <para>The easiest way to achieve this, is just to restart shorewall
-	once the link is up. To achieve this add a small executable 
-	script to<quote>/etc/ppp/ip-up.d</quote>.</para>
+      <para>If you use ppp/pppoe/pppoa) to connect to your internet provider
+      and you use traffic shaping you need to restart shorewall traffic
+      shaping. The reason for this is, that if the ppp connection gets
+      restartet (and it usally does this at least daily), all
+      <quote>tc</quote> filters/qdiscs related to that interface are
+      deleted.</para>
+
+      <para>The easiest way to achieve this, is just to restart shorewall once
+      the link is up. To achieve this add a small executable script
+      to<quote>/etc/ppp/ip-up.d</quote>.</para>

      <programlisting>#! /bin/sh

 /sbin/shorewall restart</programlisting>
-
-
-
    </section>

    <section>
@ -711,4 +714,4 @@ ppp0            4       90kbit          200kbit         3           default</pro
      </orderedlist>
    </section>
  </section>
-</article>
+</article>