From a6c1cd6d7bc4bdf2fbf780ccb01c55f1818d61ba Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 8 Mar 2020 13:22:05 -0700
Subject: [PATCH] Expand manpage text about trace/debug -> -T/-D change

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall-core/manpages/shorewall.xml | 65 ++++++++++++++++++---------
 1 file changed, 45 insertions(+), 20 deletions(-)

diff --git a/Shorewall-core/manpages/shorewall.xml b/Shorewall-core/manpages/shorewall.xml
index ac71bb851..49a2b8945 100644
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -1035,15 +1035,10 @@
         <term>-T</term>
 
         <listitem>
-          <para>If the command invokes the generated firewall script, the
-          script's execution will be traced to standard error. This option
-          replaces the earlier <emphasis role="bold">trace</emphasis>
-          keyword.</para>
-
-          <caution>
-            <para>If both -T and -D are specified, only the last one specified
-            will be in effect.</para>
-          </caution>
+          <para>Added in Shorewall 5.2.4 to replace the earlier
+          <command>trace</command> keyword.. If the command invokes the
+          generated firewall script, the script's execution will be traced to
+          standard error.</para>
         </listitem>
       </varlistentry>
 
@@ -1051,20 +1046,50 @@
         <term>-D</term>
 
         <listitem>
-          <para>If the command invokes the generated firewall script,
-          individual invocations of the ip[6]tables utility will be used to
-          configure the ruleset rather than ip[6]tables-restore. This is
-          useful for diagnosing ip[6]tables-restore failures on a *COMMIT
-          command. The option replaces the earlier <emphasis
-          role="bold">debug</emphasis> keyword.</para>
-
-          <caution>
-            <para>If both -T and -D are specified, only the last one specified
-            will be in effect.</para>
-          </caution>
+          <para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
+          If the command invokes the generated firewall script, individual
+          invocations of the ip[6]tables utility will be used to configure the
+          ruleset rather than ip[6]tables-restore. This is useful for
+          diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
         </listitem>
       </varlistentry>
     </variablelist>
+
+    <note>
+      <para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
+      was:</para>
+
+      <cmdsynopsis>
+        <arg><option>trace|debug</option></arg>
+
+        <arg><option>nolock</option></arg>
+
+        <arg><replaceable>options</replaceable></arg>
+
+        <arg choice="plain"><replaceable>command</replaceable></arg>
+
+        <arg><replaceable>command-options</replaceable></arg>
+
+        <arg><replaceable>command-arguments</replaceable></arg>
+      </cmdsynopsis>
+
+      <para>Examples:</para>
+
+      <programlisting>    shorewall debug -tv2 reload
+    shorewall trace check
+    shorewall nolock enable eth0</programlisting>
+
+      <para>In Shorewall 5.2.4 and later, those commands would be:</para>
+
+      <programlisting>    shorewall -Dtv2 reload
+    shorewall check -D
+    shorewall -N enable eth0</programlisting>
+
+      <para>While not shown in the command synopses at the top of this page,
+      the <option>nolock</option> keyword is still supported in Shorewall
+      5.2.4 and later, but is deprecated in favor of the -<option>N
+      </option>option.</para>
+    </note>
   </refsect1>
 
   <refsect1>