Documentation cleanup. Left off on Actions.xml.

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-30 01:19:36 +01:00 · 2008-08-18 04:32:14 +00:00 · 2008-08-18 04:32:14 +00:00 · ad0c872a85
commit ad0c872a85
parent ab7d13a6f9
3 changed files with 111 additions and 101 deletions
--- a/docs/6to4.xml
+++ b/docs/6to4.xml
@ -63,9 +63,8 @@
    <para>We want systems in the 2002:100:333::/64 subnetwork to be able to
    communicate with the systems in the 2002:488:999::/64 network. This is
-    accomplished through use of the
+    accomplished through use of the <filename>/etc/shorewall/tunnels</filename>
-    <filename><filename>/etc/shorewall/tunnels</filename></filename> file and
+    file and the <quote>ip</quote> utility for network interface and routing
    the <quote>ip</quote> utility for network interface and routing
    configuration.</para>
    <para>Unlike GRE and IPIP tunneling, the
@ -78,13 +77,13 @@
    Separate IPv6 interfaces and ip6tables rules need to be defined to handle
    this traffic.</para>
-    <para>In <filename>/etc/shorewall/tunnels </filename>on system A, we need
+    <para>In <filename>/etc/shorewall/tunnels</filename> on system A, we need
    the following:</para>
    <programlisting>#TYPE     ZONE     GATEWAY        GATEWAY ZONE
 6to4      net      134.28.54.2</programlisting>
-    <para>This entry in <filename>/etc/shorewall/tunnels</filename>, opens the
+    <para>This entry in <filename>/etc/shorewall/tunnels</filename> opens the
    firewall so that the IPv6 encapsulation protocol (41) will be accepted
    to/from the remote gateway.</para>
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -45,15 +45,15 @@
    <title>Accounting Basics</title>
    <para>Shorewall accounting rules are described in the file
-    /etc/shorewall/accounting. By default, the accounting rules are placed in
+    <filename>/etc/shorewall/accounting</filename>. By default, the
-    a chain called <quote>accounting</quote> and can thus be displayed using
+    accounting rules are placed in a chain called <quote>accounting</quote>
-    <quote>shorewall[-lite] show accounting</quote>. All traffic passing into,
+    and can thus be displayed using <quote>shorewall[-lite] show
-    out of, or through the firewall traverses the accounting chain including
+    accounting</quote>. All traffic passing into, out of, or through the
-    traffic that will later be rejected by interface options such as
+    firewall traverses the accounting chain including traffic that will later
-    <quote>tcpflags</quote> and <quote>maclist</quote>. If your kernel doesn't
+    be rejected by interface options such as <quote>tcpflags</quote> and
-    support the connection tracking match extension (Kernel 2.4.21) then some
+    <quote>maclist</quote>. If your kernel doesn't support the connection
-    traffic rejected under <quote>norfc1918</quote> will not traverse the
+    tracking match extension (Kernel 2.4.21) then some traffic rejected under
-    accounting chain.</para>
+    <quote>norfc1918</quote> will not traverse the accounting chain.</para>
    <para>The columns in the accounting file are as follows:</para>
@ -76,7 +76,7 @@
          <listitem>
            <para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain;
            Shorewall will create the chain automatically if it doesn't
-            already exist. Causes a jump to this chain will be generated from
+            already exist. A jump to this chain will be generated from
            the chain specified by the CHAIN column. If the name of the chain
            is followed by <quote>:COUNT</quote> then a COUNT rule matching
            this entry will automatically be added to &lt;chain&gt;. Chain
@ -113,25 +113,26 @@
      <listitem>
        <para><emphasis role="bold">DESTINATION</emphasis> - Packet
-        Destination Format the same as the SOURCE column.</para>
+        Destination. Format the same as the SOURCE column.</para>
      </listitem>
      <listitem>
-        <para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
+        <para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name (from
-        (from <filename>/etc/protocols</filename>), a protocol number or
+        <filename>/etc/protocols</filename>), a protocol number or
-        "ipp2p". For "ipp2p", your kernel and iptables must have ipp2p match
+        <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
-        support from <ulink url="http://www.netfilter.org">Netfilter
+        iptables must have ipp2p match support from <ulink
        url="http://www.netfilter.org">Netfilter
        Patch_o_matic_ng</ulink>.</para>
      </listitem>
      <listitem>
        <para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
        number. Service name from <filename>/etc/services</filename> or port
-        number. May only be specified if the protocol is TCP or UDP (6 or 17).
+        number. May only be specified if the protocol is TCP or UDP (6 or
-        If the PROTOCOL is "ipp2p", then this column is interpreted as an
+        17).  If the PROTOCOL is <quote>ipp2p</quote>, then this column is
-        ipp2p option without the leading "--" (default "ipp2p"). For a list of
+        interpreted as an ipp2p option without the leading <quote>--</quote>
-        value ipp2p options, as root type <command>iptables -m ipp2p
+        (default <quote>ipp2p</quote>). For a list of value ipp2p options, as
-        --help</command>.</para>
+        root type <command>iptables -m ipp2p --help</command>.</para>
      </listitem>
      <listitem>
@ -145,23 +146,23 @@
        only be non-empty if the CHAIN is OUTPUT. The column may
        contain:</para>
-        <programlisting> [!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
+        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
        <para>When this column is non-empty, the rule applies only if the
        program generating the output is running under the effective
        &lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
-        that id if "!" is given).</para>
+        that id if <quote>!</quote> is given).</para>
        <para>Examples:</para>
        <simplelist>
          <member>joe #program must be run by joe</member>
-          <member>:kids #program must be run by a member of the 'kids'
+          <member>:kids #program must be run by a member of the
-          group.</member>
+          <quote>kids</quote> group.</member>
-          <member>!:kids #program must not be run by a member of the 'kids'
+          <member>!:kids #program must not be run by a member of the
-          group</member>
+          <quote>kids</quote> group</member>
          <member>+upnpd #program named upnpd (This feature was removed from
          Netfilter in kernel version 2.6.14).</member>
@ -170,12 +171,13 @@
      <listitem>
        <para><emphasis role="bold">MARK</emphasis> - Only count packets with
-        particular mark values.<programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>Defines
+        particular mark values.
-        a test on the existing packet or connection mark. The rule will match
+        <programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
-        only if the test returns true.</para>
+        Defines a test on the existing packet or connection mark. The rule will
        match only if the test returns true.</para>
        <para>If you don’t want to define a test but need to specify anything
-        in the following columns, place a "-" in this field.<simplelist>
+        in the following columns, place a <quote>-</quote> in this field.<simplelist>
            <member>! — Inverts the test (not equal)</member>
            <member>&lt;value&gt; — Value of the packet or connection
@ -192,14 +194,14 @@
    </itemizedlist>
    <para>In all columns except ACTION and CHAIN, the values
-    <quote>-</quote>,<quote>any</quote> and <quote>all</quote> are treated as
+    <quote>-</quote>, <quote>any</quote> and <quote>all</quote> are treated as
    wild-cards.</para>
    <para>The accounting rules are evaluated in the Netfilter
    <quote>filter</quote> table. This is the same environment where the
    <quote>rules</quote> file rules are evaluated and in this environment,
    DNAT has already occurred in inbound packets and SNAT has not yet occurred
-    on outbound ones.</para>
+    on outbound packets.</para>
    <para>Accounting rules are not stateful -- each rule only handles traffic
    in one direction. For example, if eth0 is your Internet interface, and you
@ -222,9 +224,9 @@
        web:COUNT       -       eth1    eth0            tcp             -               443
        DONE            web</programlisting>
-    <para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
+    <para>Now <command>shorewall show web</command> (or <command>shorewall-lite
-    for Shorewall Lite users) will give you a breakdown of your web
+    show web</command> for Shorewall Lite users) will give you a breakdown
-    traffic:</para>
+    of your web traffic:</para>
    <programlisting>     [root@gateway shorewall]# shorewall show web
     Shorewall-1.4.6-20030821 Chain web at gateway.shorewall.net - Wed Aug 20 09:48:56 PDT 2003
@ -251,9 +253,9 @@
        COUNT           web     eth0    eth1
        COUNT           web     eth1    eth0</programlisting>
-    <para>Now <quote>shorewall show web</quote> (or "shorewall-lite show web"
+    <para>Now <command>shorewall show web</command> (or <command>shorewall-lite
-    for Shorewall Lite users) simply gives you a breakdown by input and
+    show web<command> for Shorewall Lite users) simply gives you a
-    output:</para>
+    breakdown by input and output:</para>
    <programlisting>     [root@gateway shorewall]# shorewall show accounting web
     Shorewall-1.4.6-20030821 Chains accounting web at gateway.shorewall.net - Wed Aug 20 10:27:21 PDT 2003
@ -343,7 +345,7 @@
      </listitem>
    </itemizedlist>
-    <para>If the CHAIN column contains '-', then:</para>
+    <para>If the CHAIN column contains <quote>-</quote>, then:</para>
    <itemizedlist>
      <listitem>
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@ -97,9 +97,10 @@ ACCEPT   -              -               tcp     135,139,445
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
        <para>If you wish to modify one of the standard actions, do not modify
-        the definition in /usr/share/shorewall. Rather, copy the file to
+        the definition in <filename
-        <filename class="directory">/etc/shorewall</filename> (or somewhere
+        class="directory">/usr/share/shorewall</filename>. Rather, copy the
-        else on your CONFIG_PATH) and modify the copy.</para>
+        file to <filename class="directory">/etc/shorewall</filename> (or
        somewhere else on your CONFIG_PATH) and modify the copy.</para>
        <para>Standard Actions were largely replaced by <ulink
        url="Macros.html">macros</ulink> in Shorewall 3.0 and later major
@ -108,9 +109,11 @@ ACCEPT   -              -               tcp     135,139,445
      <listitem>
        <para>User-defined Actions. These actions are created by end-users.
-        They are listed in the file /etc/shorewall/actions and are defined in
+        They are listed in the file
-        action.* files in /etc/shorewall or in another directory listed in
+        <filename>/etc/shorewall/actions</filename> and are defined in
-        your CONFIG_PATH (defined in <ulink
+        <filename>action.*</filename> files in <filename
        class="directory">/etc/shorewall</filename> or in another directory
        listed in your CONFIG_PATH (defined in <ulink
        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>).</para>
      </listitem>
    </orderedlist>
@ -148,22 +151,20 @@ ACCEPT   -              -               tcp     135,139,445
        AUTH protocol of client authentication<footnote>
            <para>AUTH is actually pretty silly on today's Internet but it's
            amazing how many servers still employ it.</para>
-          </footnote></para>
+          </footnote>.</para>
      </listitem>
    </orderedlist>
    <para>Shorewall supports default actions for the ACCEPT, REJECT, DROP,
    QUEUE and NFQUEUE policies. These default actions are specified in the
-    /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
+    <filename>/etc/shorewall/shorewall.conf</filename> file using the
-    REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options
+    ACCEPT_DEFAULT, REJECT_DEFAULT, DROP_DEFAULT, QUEUE_DEFAULT and
-    respectively. Policies whose default is set to a value of "none" have no
+    NFQUEUE_DEFAULT options respectively. Policies whose default is set to a
-    default action.</para>
+    value of <quote>none</quote> have no default action.</para>
-    <para></para>
+    <para>In addition, the default specified in
-
+    <filename>/etc/shorewall/shorewall.conf</filename> may be overridden by
-    <para>In addition, the default specified in /etc/shorewall/shorewall.conf
+    specifying a different default in the POLICY column of <ulink
    may be overridden by specifying a different default in the POLICY column
    of <ulink
    url="manpages/shorewall-policy.html">/etc/shorewall/policy</ulink>.</para>
    <warning>
@ -177,15 +178,17 @@ ACCEPT   -              -               tcp     135,139,445
  <section id="Limit">
    <title>Limiting Per-IP Connection Rate</title>
-    <para>Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' <ulink
+    <para>Beginning with Shorewall 3.0.4, Shorewall has a <quote>Limit</quote>
-    url="Actions.html">action</ulink>. Limit is invoked with a comma-separated
+    <ulink url="Actions.html">action</ulink>. Limit is invoked with a
-    list in place of a logging tag. The list has three elements:</para>
+    comma-separated list in place of a logging tag. The list has three
    elements:</para>
    <orderedlist>
      <listitem>
-        <para>The name of a 'recent' set; you select the set name which must
+        <para>The name of a <quote>recent</quote> set; you select the set name
-        conform to the rules for a valid chain name. Different rules that
+        which must conform to the rules for a valid chain name. Different
-        specify the same set name will use the same set of counters.</para>
+        rules that specify the same set name will use the same set of
        counters.</para>
      </listitem>
      <listitem>
@ -200,9 +203,9 @@ ACCEPT   -              -               tcp     135,139,445
    <para>Connections that exceed the specified rate are dropped.</para>
-    <para>For example,to use a recent set name of <emphasis
+    <para>For example, to use a recent set name of <emphasis
-    role="bold">SSHA</emphasis>, and to limiting SSH to 3 per minute, use this
+    role="bold">SSHA</emphasis>, and to limit SSH connections to 3 per minute,
-    entry in <filename>/etc/shorewall/rules</filename>:</para>
+    use this entry in <filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
 Limit:none:SSHA,3,60   net               $FW            tcp         22</programlisting>
@ -218,12 +221,12 @@ Limit:info:SSHA,3,60   net               $FW            tcp         22</programl
    <itemizedlist>
      <listitem>
-        <para>The log level. If you don't want to log, specify "none".</para>
+        <para>The log level. If you don't want to log, specify <quote>none</quote>.</para>
      </listitem>
      <listitem>
-        <para>The name of the recent set that you want to use ("SSHA" in this
+        <para>The name of the recent set that you want to use
-        example).</para>
+        (<quote>SSHA</quote> in this example).</para>
      </listitem>
      <listitem>
@ -246,7 +249,7 @@ Limit:info:SSHA,3,60   net               $FW            tcp         22</programl
      <itemizedlist>
        <listitem>
          <para>The file
-          <filename>/usr/share/shorewall/action</filename>.Limit is
+          <filename>/usr/share/shorewall/action</filename>. Limit is
          empty.</para>
        </listitem>
@ -324,9 +327,9 @@ add_rule $chainref, '-j ACCEPT';
    <orderedlist>
      <listitem>
        <para>Add a line to
-        <filename><filename>/etc/shorewall/actions</filename></filename> that
+        <filename>/etc/shorewall/actions</filename> that
        names your new action. Action names must be valid shell variable names
-        ((must begin with a letter and be composed of letters, digits and
+        (must begin with a letter and be composed of letters, digits and
        underscore characters) as well as valid Netfilter chain names. If you
        intend to log from the action, the name must have a maximum of 11
        characters. It is recommended that the name you select for a new
@ -335,8 +338,8 @@ add_rule $chainref, '-j ACCEPT';
        <para>The name of the action may be optionally followed by a colon
        (<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
-        named action will become the <emphasis>default action </emphasis>for
+        named action will become the <emphasis>default action</emphasis> for
-        policies of type ACCEPT, DROP or REJECT respectively. The default
+        policies of type ACCEPT, DROP or REJECT, respectively. The default
        action is applied immediately before the policy is enforced (before
        any logging is done under that policy) and is used mainly to suppress
        logging of uninteresting traffic which would otherwise clog your logs.
@ -350,7 +353,7 @@ add_rule $chainref, '-j ACCEPT';
      <listitem>
        <para>Once you have defined your new action name (ActionName), then
-        copy /usr/share/shorewall/action.template to
+        copy <filename>/usr/share/shorewall/action.template</filename> to
        <filename>/etc/shorewall/action.ActionName</filename> (for example, if
        your new action name is <quote>Foo</quote> then copy
        <filename>/usr/share/shorewall/action.template</filename> to
@ -362,7 +365,8 @@ add_rule $chainref, '-j ACCEPT';
      </listitem>
    </orderedlist>
-    <para>Columns in the action.template file are as follows:</para>
+    <para>Columns in the <filename>action.template</filename> file are as
    follows:</para>
    <itemizedlist>
      <listitem>
@ -392,7 +396,7 @@ add_rule $chainref, '-j ACCEPT';
      <listitem>
        <para>SOURCE - Source hosts to which the rule applies. A
        comma-separated list of subnets and/or hosts. Hosts may be specified
-        by IP or MAC address; mac addresses must begin with <quote>~</quote>
+        by IP or MAC address; MAC addresses must begin with <quote>~</quote>
        and must use <quote>-</quote> as a separator.</para>
        <para>Alternatively, clients may be specified by interface name. For
@ -426,9 +430,9 @@ add_rule $chainref, '-j ACCEPT';
        <para>A port range is expressed as &lt;<emphasis>low
        port</emphasis>&gt;:&lt;<emphasis>high port</emphasis>&gt;.</para>
-        <para>This column is ignored if PROTO = "all", but must be entered if
+        <para>This column is ignored if PROTO = <quote>all</quote>, but must be
-        any of the following fields are supplied. In that case, it is
+        entered if any of the following fields are supplied. In that case, it
-        suggested that this field contain <quote>-</quote>.</para>
+        is suggested that this field contain <quote>-</quote>.</para>
        <para>If your kernel contains multi-port match support, then only a
        single Netfilter rule will be generated if in this list and in the
@ -454,7 +458,8 @@ add_rule $chainref, '-j ACCEPT';
        names, port numbers or port ranges.</para>
        <para>If you don't want to restrict client ports but need to specify
-        any of the following fields, then place "-" in this column.</para>
+        any of the subsequent fields, then place <quote>-</quote> in this
        column.</para>
        <para>If your kernel contains multi-port match support, then only a
        single Netfilter rule will be generated if in this list and in the
@ -536,7 +541,7 @@ add_rule $chainref, '-j ACCEPT';
        rule will match only if the test returns true.</para>
        <para>If you don’t want to define a test but need to specify anything
-        in the following columns, place a "-" in this field.<simplelist>
+          in the subsequent columns, place a <quote>-</quote> in this field.<simplelist>
            <member>! — Inverts the test (not equal)</member>
            <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
@ -552,7 +557,8 @@ add_rule $chainref, '-j ACCEPT';
      </listitem>
    </itemizedlist>
-    <para>Omitted column entries should be entered using a dash ("-").</para>
+    <para>Omitted column entries should be entered using a dash
    (<quote>-</quote>).</para>
    <para>Example:</para>
@ -563,7 +569,8 @@ add_rule $chainref, '-j ACCEPT';
     LogAndAccept        # LOG and ACCEPT a connection</programlisting><emphasis
    role="bold">Note:</emphasis> If your
    <filename>/etc/shorewall/actions</filename> file doesn't have an
-    indication where to place the comment, put the '#' in column 21.</para>
+    indication where to place the comment, put the <quote>#</quote> in column
    21.</para>
    <para><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting>     LOG:info
     ACCEPT</programlisting></para>
@ -607,8 +614,8 @@ bar:info</programlisting>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 foo:debug    $FW         net</programlisting>
-        <para>Logging in the invoke 'foo' action will be as if foo had been
+        <para>Logging in the invoke <quote>foo</quote> action will be as if foo
-        defined as:</para>
+        had been defined as:</para>
        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT:debug -          -        tcp      22
@ -616,8 +623,9 @@ bar:info</programlisting>
      </listitem>
      <listitem>
-        <para>If you follow the log level with "!" then logging will be set at
+        <para>If you follow the log level with <quote>!</quote> then logging
-        that level for all rules recursively invoked by the action.</para>
+        will be set at that level for all rules recursively invoked by the
        action.</para>
        <para>Example:</para>
@ -632,8 +640,8 @@ bar:info</programlisting>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 foo:debug!   $FW        net</programlisting>
-        <para>Logging in the invoke 'foo' action will be as if foo had been
+        <para>Logging in the invoke <quote>foo</quote> action will be as if foo
-        defined as:</para>
+        had been defined as:</para>
        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT:debug -          -        tcp      22
@ -641,8 +649,8 @@ bar:debug</programlisting>
      </listitem>
    </orderedlist>
-    <para>If you define an action 'acton' and you have an
+    <para>If you define an action <quote>acton</quote> and you have an
-    <filename>/etc/shorewall/acton</filename> script then when that script is
+    <filename>/etc/shorewall/acton</filename> script, when that script is
    invoked, the following three variables will be set for use by the
    script:</para>
@ -670,19 +678,20 @@ bar:debug</programlisting>
    <programlisting>#ACTION          SOURCE           DEST
 acton:info:test  $FW              net</programlisting>
-    <para>Your /etc/shorewall/acton file will be run with:</para>
+    <para>Your </filename>/etc/shorewall/acton</filename> file will be run
    with:</para>
    <itemizedlist>
      <listitem>
-        <para>$CHAIN="%acton1"</para>
+        <para>$CHAIN=<quote>%acton1</quote></para>
      </listitem>
      <listitem>
-        <para>$LEVEL="info"</para>
+        <para>$LEVEL=<quote>info</quote></para>
      </listitem>
      <listitem>
-        <para>$TAG="test"</para>
+        <para>$TAG=<quote>test</quote></para>
      </listitem>
    </itemizedlist>
@ -714,8 +723,8 @@ acton:info:test  $FW              net</programlisting>
    <title>Creating an Action using an Extension Script</title>
    <para>There may be cases where you wish to create a chain with rules that
-    can't be constructed using the tools defined in the action.template. In
+    can't be constructed using the tools defined in the
-    that case, you can use an <ulink
+    <filename>action.template</filename>. In that case, you can use an <ulink
    url="shorewall_extension_scripts.htm">extension script</ulink>.<note>
        <para>If you actually need an action to drop broadcast packets, use
        the <command>dropBcast</command> standard action rather than create