diff --git a/docs/CompiledPrograms.xml b/docs/CompiledPrograms.xml
new file mode 100644
index 000000000..aa1efc212
--- /dev/null
+++ b/docs/CompiledPrograms.xml
@@ -0,0 +1,204 @@
+
+
+
+
+
+
+ Compiled Firewall Programs
+
+
+
+ Tom
+
+ Eastep
+
+
+
+ 2006-02-27
+
+
+ 2006
+
+ Thomas M. Eastep
+
+
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU Free Documentation License, Version
+ 1.2 or any later version published by the Free Software Foundation; with
+ no Invariant Sections, with no Front-Cover, and with no Back-Cover
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation
+ License
.
+
+
+
+
+ Overview
+
+ Beginning with Shorewall version 3.1, Shorewall has the capability
+ to compile a Shorewall configuration and produce a runnable firewall
+ program script. The script is a complete program which can be placed in
+ the /etc/init.d/ directory on a system without Shorewall installed and can
+ serve as the firewall creation script for that system.
+
+ Compiled programs can also be created to instantiate special
+ configurations during parts of the day; for example, to disallow web
+ browsing between the hours of 9pm and 7AM. The program can be run as a
+ cron job at 9PM and another program run at 6AM to restore normal
+ operation.
+
+
+
+ The "shorewall compile" command
+
+ A compiled script is produced using the compile
+ command:
+
+
+ shorewall compile [ -e ] [ -d <distro> ] [
+ <directory name> ] <path name>
+
+
+ where
+
+
+
+
+ -e
+
+
+ Indicates that the program is to be "exported" to another
+ system. When this flag is set, the "detectnets" interface is not
+ allowed but the created program may be run on a system that
+ doesn't even have Shorewall installed.
+
+ When this flag is given, Shorewall does not probe the
+ current system to determine the kernel/iptables features that it
+ supports. It rather reads those capabilities from
+ /etc/shorewall/capabilities. See below for
+ details.
+
+
+
+
+ -d <distro>
+
+
+ is normally used with "-e" and specifies the Linux
+ distribution that is running on the remote system. The program
+ will be taylored so that it integrates with the intialization
+ script system (init) on that system. Distributions currently
+ supported are:
+
+
+ suse
+
+
+
+
+
+ <directory name>
+
+
+ specifies a directory to be searched for configuration files
+ before those directories listed in the CONFIG_PATH variable in
+ shorewall.conf.
+
+
+
+
+ <path name>
+
+
+ specifies the name of the script to be created.
+
+
+
+
+
+
+
+ The /etc/shorewall/capabilities file and the shorecap
+ program
+
+ As mentioned above, the /etc/shorewall/capabilities file specifies
+ that kernel/iptables capabilities of the target system. Here is a sample
+ file:
+
+
+ NAT_ENABLED=Yes # NAT
+MANGLE_ENABLED=Yes # Packet Mangling
+CONNTRACK_MATCH=Yes # Connection Tracking Match
+USEPKTTYPE= # Packet Type Match
+MULTIPORT=Yes # Multi-port Match
+XMULTIPORT=Yes # Extended Multi-port Match
+POLICY_MATCH=Yes # Policy Match
+PHYSDEV_MATCH=Yes # Physdev Match
+LENGTH_MATCH=Yes # Packet Length Match
+IPRANGE_MATCH=Yes # IP range Match
+RECENT_MATCH=Yes # Recent Match
+OWNER_MATCH=Yes # Owner match
+IPSET_MATCH= # Ipset Match
+CONNMARK=Yes # CONNMARK Target
+CONNMARK_MATCH=Yes # Connmark Match
+RAW_TABLE=Yes # Raw Table
+IPP2P_MATCH= # IPP2P Match
+CLASSIFY_TARGET=Yes # CLASSIFY Target
+ENHANCED_REJECT=Yes # Extended REJECT
+
+
+ As you can see, the file contains a simple list of shell variable
+ assignments -- the variables correspond to the capabilities listed by the
+ shorewall show capabilities command appear in the same
+ order as the output of that command.
+
+ To aid in creating this file, Shorewall 3.1 and later include a
+ shorecap program. The program is installed in the documentation directory
+ by the .rpm and is in the directory created when you untar the tarball. It
+ may be copied to /usr/bin on a remote system then run as follows:
+
+
+ shorecap > capabilities
+
+
+ The capabilities file may then be copied to a
+ system with Shorewall installed and used when compiling firewall programs
+ to run on the remote system.
+
+
+
+ Running compiled programs
+
+ Compiled firewall programs are complete programs that support the
+ following run-line commands:
+
+
+
+ <program> [ -q ] [ -v ] [ -n ]
+ start
+
+ <program> [ -q ] [ -v ] [ -n ]
+ stop
+
+ <program> [ -q ] [ -v ] [ -n ]
+ clear
+
+ <program> [ -q ] [ -v ] [ -n ]
+ restart
+
+ <program> [ -q ] [ -v ] [ -n ]
+ status
+
+ <program> [ -q ] [ -v ] [ -n ]
+ version
+
+
+
+ The options have their same meaning is when they are passed to
+ /sbin/shorewall itself. The default VERBOSITY level
+ is the level specified in the shorewall.conf file used when then program
+ was compiled.
+
+
\ No newline at end of file
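Review bot: several typos in the new file's prose should be fixed before merge: "taylored" and "intialization" (the -d option description) should read "tailored" and "initialization"; "specifies that kernel/iptables capabilities" (capabilities section) should be "specifies the kernel/iptables capabilities"; "the variables correspond to the capabilities listed by the shorewall show capabilities command appear in the same order" is missing an "and" before "appear"; and in the final paragraph "have their same meaning is when" should be "have the same meaning as when" and "when then program was compiled" should be "when the program was compiled". One documentation gap: the -e description says the program may run on a system without Shorewall installed, but the "Running compiled programs" section does not say what the script needs on that system (iptables and a shell, at minimum); a sentence stating the runtime prerequisites would help the reader who exports a script. The file also ends without a trailing newline, which is worth adding for cleanliness.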
diff --git a/docs/Documentation.xml b/docs/Documentation.xml
index b0c78fceb..db477c91f 100644
--- a/docs/Documentation.xml
+++ b/docs/Documentation.xml
@@ -378,11 +378,13 @@
- routes
+ capabilities
- file in /etc/shorewall that is used to interface to the
- experimental ROUTE target from Netfilter patch-o-matic-ng.
+ file in /etc/shorewall that is used to define the
+ iptables/kernel capabilities of a remote system. The file allows
+ firewall scripts compiled on one system to be taylored for a remote
+ system where the script will ultimately run.
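Review bot: this hunk replaces the description of the routes file with the capabilities entry rather than adding a new entry; if the routes file is still shipped (the removed lines describe it as interfacing with the ROUTE target), its entry should be kept and the capabilities entry added alongside it, otherwise the removal deserves a mention in the change description. Also "taylored" should be "tailored" (the same misspelling appears in CompiledPrograms.xml).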
@@ -1900,6 +1902,14 @@ ACCEPT:info - - tc
Protocol. Must be a protocol name from /etc/protocols, a
number, or all
. Specifies the protocol of the
connection request.
+
+ In the ESTABLISHED and RELATED sections, may also be "ipp2p",
+ "ipp2p:udp", "ipp2p:all"; requires ipp2p match support in your
+ kernel and iptables.
+
+ Beginning with Shorewall 3.1, you may also specify "tcp:syn"
+ in this column. This is equivalent to "tcp" but also requires that
+ the SYN flag be set and the FIN, ACK and RST flags be reset.
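Review bot: the two added paragraphs are inconsistent about version gating: the "tcp:syn" paragraph says "Beginning with Shorewall 3.1" but the "ipp2p" paragraph gives no version, so a reader cannot tell whether ipp2p values work on earlier releases. Suggest adding the version to the ipp2p paragraph, and cross-referencing the IPP2P_MATCH entry of the capabilities file introduced in CompiledPrograms.xml so that users compiling for a remote system know which capability gates this syntax.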
diff --git a/docs/MAC_Validation.xml b/docs/MAC_Validation.xml
index b2f75cc71..35476d193 100644
--- a/docs/MAC_Validation.xml
+++ b/docs/MAC_Validation.xml
@@ -15,7 +15,7 @@
- 2005-10-13
+ 2006-02-27
2001-2005
@@ -160,6 +160,17 @@
The columns in /etc/shorewall/maclist are:
+
+ DISPOSITION (Added in Shorewall version 3.1)
+
+
+ Must be ACCEPT, DROP or REJECT (REJECT may not be specified if
+ MACLIST_TABLE=mangle). May be
+ optionally followed by ":" and a log level to cause packets matching
+ the rule to be logged.
+
+
+
INTERFACE
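Review bot: the new DISPOSITION column is inserted ahead of INTERFACE, making it the first column of /etc/shorewall/maclist, so existing maclist files written for earlier versions will no longer parse the same way; the column description should say whether the column is mandatory and, if it is, the doc should carry an upgrade note telling users to add it. Also consider stating why REJECT is disallowed with MACLIST_TABLE=mangle, since the restriction otherwise reads as arbitrary.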
@@ -175,8 +186,9 @@
The MAC address of a device on the ethernet segment connected
by INTERFACE. It is not necessary to use the Shorewall MAC format in
- this column although you may use that format if you so
- choose.
+ this column although you may use that format if you so choose.
+ Beginning with Shorewall 3.1, you may specify "-" here if you enter
+ an IP address in the next column.
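Review bot: "an IP address in the next column" should name that column explicitly (as the DISPOSITION hunk above names its neighbours), since readers landing on this entry from an index will not know which column is meant; it would also help to say whether "-" in the MAC column means the entry then matches on IP address alone, which weakens the MAC-based check this file is meant to provide.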