More formatting fixes for manpages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7311 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-09-10 15:38:01 +00:00
parent 428f4aabf1
commit a06ad0e518
7 changed files with 118 additions and 69 deletions

View File

@ -137,6 +137,8 @@ loc eth2 -</programlisting>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
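Review bot: The empty <para></para> added directly before <note> is a layout spacer, not content, and the same spacer recurs before most admonitions in the later hunks. Spacing around <note>, <warning> and <caution> is better set once in the stylesheet that renders the manpages, so the source stays free of empty elements that every new admonition would have to repeat by hand.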
@ -168,12 +170,16 @@ loc eth2 -</programlisting>
<para>8 - do not reply for all local addresses</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
the INTERFACE column.</para>
</note>
<para></para>
<warning>
<para>Do not specify <emphasis
role="bold">arp_ignore</emphasis> for any interface involved
@ -210,6 +216,8 @@ loc eth2 -</programlisting>
to include only those hosts routed through the
interface.</para>
<para></para>
<warning>
<para>Do not set the <emphasis
role="bold">detectnets</emphasis> option on your internet
@ -281,6 +289,8 @@ loc eth2 -</programlisting>
1
teastep@lists:~$ </programlisting>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
@ -368,20 +378,26 @@ loc eth2 -</programlisting>
</listitem>
</itemizedlist>
<para>I specify <option>optional</option> on interfaces to Xen
virtual machines that may or may not be running when Shorewall
is [re]started.</para>
<para></para>
<caution>
<para>Use <option>optional</option> at your own risk. If you
[re]start Shorewall when an 'optional' interface is not
available and then do a <command>shorewall save</command>,
subsequent <command>shorewall restore</command> and
<command>shorewall -f start</command> operations will
instantiate a ruleset that does not support that interface,
even if it is available at the time of the
restore/start.</para>
</caution>
<blockquote>
<para>I specify <option>optional</option> on interfaces to
Xen virtual machines that may or may not be running when
Shorewall is [re]started.</para>
<para></para>
<caution>
<para>Use <option>optional</option> at your own risk. If
you [re]start Shorewall when an 'optional' interface is
not available and then do a <command>shorewall
save</command>, subsequent <command>shorewall
restore</command> and <command>shorewall -f
start</command> operations will instantiate a ruleset that
does not support that interface, even if it is available
at the time of the restore/start.</para>
</caution>
</blockquote>
</listitem>
</varlistentry>
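Review bot: The <blockquote> wrapped around the "I specify optional" paragraph and its <caution> is used only to indent, but nothing inside it is a quotation. Keeping the <para> and <caution> as direct children of the <listitem> and leaving indentation to the stylesheet keeps the markup meaningful. The first-person "I specify" also reads oddly in a manpage and could be rephrased while these lines are being re-wrapped anyway.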
@ -397,12 +413,14 @@ loc eth2 -</programlisting>
This option is intended solely for use with Proxy ARP
sub-networking as described at: <ulink
url="http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html">http://tldp.org/HOWTO/Proxy-ARP-Subnet/index.html.
</ulink><note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+)
in the INTERFACE column.</para>
</note>The option value (0 or 1) may only be specified if
you are using Shorewall-perl. With Shorewall-perl, only those
</ulink></para>
<para><emphasis role="bold">Note</emphasis>: This option does
not work with a wild-card <replaceable>interface</replaceable>
name (e.g., eth0.+) in the INTERFACE column.</para>
<para>The option value (0 or 1) may only be specified if you
are using Shorewall-perl. With Shorewall-perl, only those
interfaces with the <option>proxyarp</option> option will have
their setting changes; the value assigned to the setting will
be the value specified (if any) or 1 if no value is
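Review bot: Replacing <note> with a <para> that starts with a bold "Note:" is inconsistent with the other hunks in this file, which keep the same wild-card sentence inside <note> and only add a spacer before it. Pick one form for this repeated sentence so it renders identically under every option. Two smaller things in the visible lines: the link text ends with "index.html." so the trailing period becomes part of the displayed URL, and "will have their setting changes" should read "changed".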
@ -438,6 +456,8 @@ loc eth2 -</programlisting>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in
@ -472,6 +492,8 @@ loc eth2 -</programlisting>
will be the value specified (if any) or 1 if no value is
given.</para>
<para></para>
<note>
<para>This option does not work with a wild-card
<replaceable>interface</replaceable> name (e.g., eth0.+) in

View File

@ -108,6 +108,8 @@
listed in <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
<para></para>
<caution>
<para>The Shorewall implementation of Multi-ISP support assumes
that each provider has its own interface.</para>

View File

@ -207,6 +207,8 @@
<para>This is the default class for that interface where all
traffic should go, that is not classified otherwise.</para>
<para></para>
<note>
<para>You must define <emphasis
role="bold">default</emphasis> for exactly one class per
@ -265,6 +267,8 @@
limited to 64 bytes because we want only packets WITHOUT
payload to match.</para>
<para></para>
<note>
<para>This option is only valid for ONE class per
interface.</para>

View File

@ -140,6 +140,8 @@
speed you can refer as "full" if you define the tc classes in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
Outgoing traffic above this rate will be dropped.</para>
<para></para>
</listitem>
</varlistentry>
</variablelist>

View File

@ -95,20 +95,14 @@
nor <emphasis role="bold">:T</emphasis> follow the mark value
then the chain is determined as follows:</para>
<itemizedlist>
<listitem>
<para>If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
then the rule is inserted into the OUTPUT chain.</para>
</listitem>
<para>- If the SOURCE is <emphasis
role="bold">$FW</emphasis>[<emphasis
role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
then the rule is inserted into the OUTPUT chain.</para>
<listitem>
<para>Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</itemizedlist>
<para>- Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
<para>If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet.</para>
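Review bot: Turning the <itemizedlist> into two <para> elements that begin with a hand-typed "- " drops the list structure. The HTML and any other output built from this source will then show literal hyphens instead of bullets, and the two alternatives are no longer marked up as a pair. If the list renders badly in the manpage output, fixing the list template is preferable to flattening the source.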

View File

@ -295,7 +295,10 @@
<listitem>
<para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
role="bold">yes</emphasis>, enables Shorewall Bridging support.<note>
role="bold">yes</emphasis>, enables Shorewall Bridging
support.</para>
<para><note>
<para>BRIDGING=Yes may not work properly with Linux kernel
2.6.20 or later and is not supported by Shorewall-perl.</para>
</note></para>
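Review bot: The new <para><note> ... </note></para> wrapper adds a paragraph whose only child is the note. Elsewhere in this commit <note> is a direct sibling of the preceding <para>; closing the "enables Shorewall Bridging support." paragraph and following it with a bare <note> would match that and avoid the extra nesting.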
@ -316,10 +319,8 @@
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
the feature is not enabled.</para>
<note>
<para>This option requires CONFIG_IP_NF_TARGET_TCPMSS in your
kernel.</para>
</note>
<para><emphasis role="bold">Important</emphasis>: This option
requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.</para>
<para>You may also set CLAMPMSS to a numeric
<emphasis>value</emphasis> (e.g., CLAMPMSS=1400). This will set the
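Review bot: The CONFIG_IP_NF_TARGET_TCPMSS requirement changes from a <note> to a bold "Important:" paragraph, which alters the admonition level in a commit described as formatting only. If the stronger label is intended, the <important> element already used for LOGALLNEW in this same file expresses it without hand-typed bold text; otherwise keep the label as "Note".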
@ -370,15 +371,19 @@
</listitem>
</itemizedlist>
<para>If CONFIG_PATH is not given or if it is set to the empty value
then the contents of /usr/share/shorewall/configpath are used. As
released from shorewall.net, that file sets the CONFIG_PATH to
/etc/shorewall:/usr/share/shorewall but your particular distribution
may set it differently. See the output of shorewall show config for
the default on your system.</para>
<blockquote>
<para></para>
<para>Note that the setting in /usr/share/shorewall/configpath is
always used to locate shorewall.conf.</para>
<para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are
used. As released from shorewall.net, that file sets the
CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your
particular distribution may set it differently. See the output of
shorewall show config for the default on your system.</para>
<para>Note that the setting in /usr/share/shorewall/configpath is
always used to locate shorewall.conf.</para>
</blockquote>
</listitem>
</varlistentry>
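Review bot: The empty <para></para> here is the first child inside <blockquote>, whereas the IP_FORWARD, LOGALLNEW and PKTTYPE hunks in this file put it before the opening <blockquote>. The two placements will space differently, so use one. Separately, /usr/share/shorewall/configpath, /etc/shorewall:/usr/share/shorewall and "shorewall show config" are plain text in these re-wrapped lines; <filename> and <command> would match the <command> markup used for shorewall save and restore in the interfaces page.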
@ -490,6 +495,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
or RELATED sections of <ulink
url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
<para></para>
<note>
<para>FASTACCEPT=Yes is incompatible with
BLACKLISTNEWONLY=No.</para>
@ -608,8 +615,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry>
</variablelist>
<para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
<para></para>
<blockquote>
<para>If this variable is not set or is given an empty value
(IP_FORWARD="") then IP_FORWARD=On is assumed.</para>
</blockquote>
</listitem>
</varlistentry>
@ -711,23 +722,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para>For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:</para>
<para></para>
<programlisting> Shorewall:nat:PREROUTING
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
logging from the nat table's PREROUTING chain is:</para>
<programlisting> Shorewall:nat:PREROUTING
</programlisting>
<important>
<para>There is no rate limiting on these logging rules so use
LOGALLNEW at your own risk; it may cause high CPU and disk
utilization and you may not be able to control your firewall after
you enable this option.</para>
</important>
<important>
<para>There is no rate limiting on these logging rules so use
LOGALLNEW at your own risk; it may cause high CPU and disk
utilization and you may not be able to control your firewall
after you enable this option.</para>
</important>
<caution>
<para>Do not use this option if the resulting log messages will be
sent to another system.</para>
</caution>
<para></para>
<caution>
<para>Do not use this option if the resulting log messages will
be sent to another system.</para>
</caution>
</blockquote>
</listitem>
</varlistentry>
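Review bot: The <caution> closing this hunk ("Do not use this option if the resulting log messages will be sent to another system") states the restriction without a reason, unlike the <important> just above it, which explains the lack of rate limiting. Since both admonitions are being re-wrapped, add a clause saying what goes wrong with remote logging so that readers can judge whether it applies to their setup. The closing </programlisting> on its own line also puts a trailing blank line into the verbatim output.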
@ -910,6 +927,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
MAPOLDACTIONS=Yes. If this option is not set or is set to the empty
value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed.</para>
<para></para>
<note>
<para>MAPOLDACTIONS=Yes is not supported by Shorewall-perl. With
Shorewall-perl, if MAPOLDACTIONS is not set or is set to the ampty
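Review bot: The context line in this <note> reads "is set to the ampty", a typo for "empty". As the hunk already touches the lines immediately above, correct it in the same pass.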
@ -1040,10 +1059,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</orderedlist>
<para>If you are experiencing either of these problems, setting
PKTTYPE=No will prevent Shorewall from trying to use the packet type
match extension and to use IP address matching to determine which
packets are broadcasts or multicasts.</para>
<para></para>
<blockquote>
<para>If you are experiencing either of these problems, setting
PKTTYPE=No will prevent Shorewall from trying to use the packet
type match extension and to use IP address matching to determine
which packets are broadcasts or multicasts.</para>
</blockquote>
</listitem>
</varlistentry>
@ -1177,6 +1200,8 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>If not specified or specified as empty (e.g.,
RFC1918_STRICT="") then RFC1918_STRICT=No is assumed.</para>
<para></para>
<warning>
<para>RFC1918_STRICT=Yes requires that your kernel and iptables
support 'Connection Tracking' match.</para>

View File

@ -840,11 +840,11 @@
the command while <command>restart</command> recreates the entire
Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
the static blacklisting chain <emphasis
role="bold">blacklst</emphasis> is assumed.<note>
<para>Specifying chains in the command requires Shorewall-perl
4.0.3 or later. Earlier versions only refresh the <emphasis
role="bold">blacklst</emphasis> chain.</para>
</note></para>
role="bold">blacklst</emphasis> is assumed.</para>
<para><emphasis role="bold">Note</emphasis>: Specifying chains in
the command requires Shorewall-perl 4.0.3 or later. Earlier versions
only refresh the blacklst chain</para>
<para>The listed chains are assumed to be in the filter table. You
can refresh chains in other tables by prefixing the chain name with
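Review bot: In the rewritten "Note:" paragraph the second mention of blacklst loses its <emphasis role="bold"> markup and the sentence loses its final period ("only refresh the blacklst chain</para>"), while the first mention just above stays bold. Restore both so the chain name is styled consistently and the sentence is terminated.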