Update samples with latest documentary comments

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2894 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Samples/one-interface/interfaces

@@ -113,28 +113,7 @@
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-#			newnotsyn    - TCP packets that don't have the SYN
-#				       flag set and which are not part of an
-#				       established connection will be accepted
-#				       from this interface, even if
-#				       NEWNOTSYN=No has been specified in
-#				       /etc/shorewall/shorewall.conf. In other
-#				       words, packets coming in on this
-#				       interface are processed as if
-#				       NEWNOTSYN=Yes had been specified in
-#					/etc/shorewall/shorewall.conf.
-#
-#				       This option has no effect if
-#				       NEWNOTSYN=Yes.
-#
-#				       It is the opinion of the author that
-#				       NEWNOTSYN=No creates more problems than
-#				       it solves and I recommend against using
-#				       that setting in shorewall.conf (hence
-#				       making the use of the 'newnotsyn'
-#				       interface option unnecessary).
-#
-#			routeback    - If specified, indicates that Shorewall
+			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow
 #				       filtering traffic arriving on this
 #				       interface back out that same interface.

Samples/one-interface/rules

@@ -115,9 +115,16 @@
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.
-#
 #				<macro>	 -- The name of a macro defined in a
-#					    file named macro.<macro-name>.
+#					    file named macro.<macro-name>. If
+#					    the macro accepts an action
+#					    parameter (Look at the macro
+#					    source to see if it has PARAM in
+#					    the TARGET column) then the macro
+#					    name is followed by "/" and the
+#					    action (ACCEPT, DROP, REJECT, ...)
+#					    to be substituted for the
+#					    parameter. Example: FTP/ACCEPT.
 #
 #			The ACTION may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
@@ -262,8 +269,9 @@
 #			request should be redirected to.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-#			a number, or "all". "ipp2p" requires ipp2p match
-#			support in your kernel and iptables.
+#                       "ipp2p:udp", "ipp2p:all" a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port

Samples/three-interfaces/interfaces

@@ -113,27 +113,6 @@
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-#			newnotsyn    - TCP packets that don't have the SYN
-#				       flag set and which are not part of an
-#				       established connection will be accepted
-#				       from this interface, even if
-#				       NEWNOTSYN=No has been specified in
-#				       /etc/shorewall/shorewall.conf. In other
-#				       words, packets coming in on this
-#				       interface are processed as if
-#				       NEWNOTSYN=Yes had been specified in
-#					/etc/shorewall/shorewall.conf.
-#
-#				       This option has no effect if
-#				       NEWNOTSYN=Yes.
-#
-#				       It is the opinion of the author that
-#				       NEWNOTSYN=No creates more problems than
-#				       it solves and I recommend against using
-#				       that setting in shorewall.conf (hence
-#				       making the use of the 'newnotsyn'
-#				       interface option unnecessary).
-#
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow
 #				       filtering traffic arriving on this

Samples/three-interfaces/rules

@@ -115,9 +115,16 @@
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.
-#
 #				<macro>	 -- The name of a macro defined in a
-#					    file named macro.<macro-name>.
+#					    file named macro.<macro-name>. If
+#					    the macro accepts an action
+#					    parameter (Look at the macro
+#					    source to see if it has PARAM in
+#					    the TARGET column) then the macro
+#					    name is followed by "/" and the
+#					    action (ACCEPT, DROP, REJECT, ...)
+#					    to be substituted for the
+#					    parameter. Example: FTP/ACCEPT.
 #
 #			The ACTION may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
@@ -262,8 +269,9 @@
 #			request should be redirected to.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-#			a number, or "all". "ipp2p" requires ipp2p match
-#			support in your kernel and iptables.
+#                       "ipp2p:udp", "ipp2p:all" a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port

Samples/two-interfaces/interfaces

@@ -113,27 +113,6 @@
 #				sub-networking as described at:
 #				http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
 #
-#			newnotsyn    - TCP packets that don't have the SYN
-#				       flag set and which are not part of an
-#				       established connection will be accepted
-#				       from this interface, even if
-#				       NEWNOTSYN=No has been specified in
-#				       /etc/shorewall/shorewall.conf. In other
-#				       words, packets coming in on this
-#				       interface are processed as if
-#				       NEWNOTSYN=Yes had been specified in
-#					/etc/shorewall/shorewall.conf.
-#
-#				       This option has no effect if
-#				       NEWNOTSYN=Yes.
-#
-#				       It is the opinion of the author that
-#				       NEWNOTSYN=No creates more problems than
-#				       it solves and I recommend against using
-#				       that setting in shorewall.conf (hence
-#				       making the use of the 'newnotsyn'
-#				       interface option unnecessary).
-#
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow
 #				       filtering traffic arriving on this

Samples/two-interfaces/rules

@@ -115,9 +115,16 @@
 #				<action> -- The name of an action defined in
 #					    /etc/shorewall/actions or in
 #					    /usr/share/shorewall/actions.std.
-#
 #				<macro>	 -- The name of a macro defined in a
-#					    file named macro.<macro-name>.
+#					    file named macro.<macro-name>. If
+#					    the macro accepts an action
+#					    parameter (Look at the macro
+#					    source to see if it has PARAM in
+#					    the TARGET column) then the macro
+#					    name is followed by "/" and the
+#					    action (ACCEPT, DROP, REJECT, ...)
+#					    to be substituted for the
+#					    parameter. Example: FTP/ACCEPT.
 #
 #			The ACTION may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
@@ -262,8 +269,9 @@
 #			request should be redirected to.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
-#			a number, or "all". "ipp2p" requires ipp2p match
-#			support in your kernel and iptables.
+#                       "ipp2p:udp", "ipp2p:all" a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port