Update man pages for exclusion

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5001 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-03 11:29:39 +01:00 · 2006-11-25 18:06:11 +00:00 · 2006-11-25 18:06:11 +00:00 · b2c32ccc99
commit b2c32ccc99
parent e9b03aa65b
6 changed files with 165 additions and 41 deletions
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@ -94,9 +94,7 @@
        <term><emphasis role="bold">SOURCE</emphasis> — {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
        role="bold">$FW</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>|<emphasis>address</emphasis>}</term>
        <listitem>
@ -152,7 +150,7 @@
          role="bold">ipp2p</emphasis> then this column must contain an
          <emphasis>ipp2p-option</emphasis> ("iptables -m ipp2p --help")
          without the leading "--". If no option is given in this column,
-          "ipp2p" is assumed.</para>
+          <emphasis role="bold">ipp2p</emphasis> is assumed.</para>
          <para>Service name from services(5) or <emphasis>port
          number</emphasis>. May only be specified if the protocol is
@ -190,8 +188,8 @@
        <listitem>
          <para>This column may only be non-empty if the <emphasis
-          role="bold">SOURCE</emphasis> is the firewall itself (<emphasis
+          role="bold">CHAIN</emphasis> is <emphasis
-          role="bold">$FW</emphasis>).</para>
+          role="bold">OUTPUT</emphasis>.</para>
          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
--- a/manpages/shorewall-exclusion.xml
+++ b/manpages/shorewall-exclusion.xml
@ -0,0 +1,95 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-exclusion</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>exclusion</refname>
    <refpurpose>Exclude a set of hosts from a definition in a shorewall
    configuration file.</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>!</command>
      <arg choice="plain">address-or-range</arg>
      <arg rep="repeat">,address-or-range</arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
    <para>Exclusion is used when you wish to exclude one or more addresses
    from a definition. An exclaimation point is followed by a comma-separated
    list of addresses. The addresses may be single host addresses (e.g.,
    192.168.1.4) or they may be network addresses in CIDR format (e.g.,
    192.168.1.0/24). If your kernel and iptables include iprange support, you
    may also specify ranges of ip addresses of the form
    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
    <para>No embedded whitespace is allowed.</para>
  </refsect1>
  <refsect1>
    <title>Example</title>
    <variablelist>
      <varlistentry>
        <term>Example 1</term>
        <listitem>
          <para>!192.168.3.4</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 2</term>
        <listitem>
          <para>!192.168.1.0/24,10.1.3.4</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 3</term>
        <listitem>
          <para>!192.168.1.3-192.168.1.12,10.0.0.0/8</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
  <refsect1>
    <title>FILES</title>
    <para>/etc/shorewall/hosts</para>
    <para>/etc/shorewall/masq</para>
    <para>/etc/shorewall/rules</para>
    <para>/etc/shorewall/tcrules</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@ -56,9 +56,9 @@
      <varlistentry>
        <term><emphasis role="bold">HOST(S)</emphasis> —
-        <emphasis>interface</emphasis>:{[<emphasis>port</emphasis>:]{<emphasis>address-or-range</emphasis>[<emphasis
+        <emphasis>interface</emphasis>:{[<emphasis>bridge-port</emphasis>:]{<emphasis>address-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>The name of an interface defined in the
@ -81,8 +81,8 @@
            </listitem>
            <listitem>
-              <para>A physical <emphasis>port</emphasis> name; only allowed
+              <para>A physical <emphasis>bridge-port</emphasis> name; only
-              when the interface names a bridge created by the
+              allowed when the interface names a bridge created by the
              <command>brctl(8) addbr</command> command. This port must not be
              defined in shorewall-interfaces(5) and may be optionally
              followed by a colon (":") and a host or network IP or a range.
@ -96,11 +96,16 @@
              <para>The name of an <emphasis>ipset</emphasis>.</para>
            </listitem>
          </orderedlist>
          <blockquote>
            <para>You may also exclude certain hosts through use of an
            <emphasis>exclusion</emphasis> (see shorewall-exclusion(5).</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term>OPTIONS — [<emphasis>option</emphasis>[<emphasis
+        <term>OPTIONS (Optional) — [<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
        <listitem>
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@ -43,7 +43,7 @@
        role="bold">+</emphasis>]<emphasis>interface</emphasis>[<emphasis
        role="bold">:</emphasis>[<emphasis>digit</emphasis>]][<emphasis
        role="bold">:</emphasis>[<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>
+        role="bold">,</emphasis><emphasis>address</emphasis>]...][<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>Outgoing <emphasis>interface</emphasis>. This is usually your
@ -58,8 +58,8 @@
          <para>The interface may be qualified by adding the character ":"
          followed by a comma-separated list of destination host or subnet
          addresses to indicate that you only want to change the source IP
-          address for packets being sent to those particular
+          address for packets being sent to those particular destinations.
-          destinations.</para>
+          Exclusion is allowed (see shorewall-exclusion(5)).</para>
          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@ -85,9 +85,7 @@
        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
        —
        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address</emphasis>]}[<emphasis
+        role="bold">,</emphasis><emphasis>address</emphasis>]}[<emphasis>exclusion</emphasis>]</term>
        role="bold">!</emphasis><emphasis>exclude-address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>exclude-address</emphasis>]...]</term>
        <listitem>
          <para>Set of hosts that you wish to masquerade. You can specify this
@ -98,8 +96,9 @@
          appropriate addresses to masquerade).</para>
          <para>In order to exclude a address of the specified SOURCE, you may
-          append "!" and a comma-separated list of IP addresses (host or net)
+          append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
-          that you wish to exclude.</para>
+          list of IP addresses (host or net) that you wish to exclude (see
          shorewall-exclusion(5))).</para>
          <para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
@ -402,12 +401,13 @@
    url="http://www.shorewall.net/Documentation.htm#Masq">http://www.shorewall.net/Documentation.htm#Masq</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-nat(5),
+    shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@ -375,7 +375,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>Source hosts to which the rule applies. May be a zone defined
@ -416,6 +416,10 @@
          square brackets ([]) to indicate the number of levels of source
          bindings to be matched.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see
          shorewall-exclusion(5)).</para>
          <para>Examples:</para>
          <variablelist>
@ -460,6 +464,15 @@
                <para>Hosts 192.0.2.11-192.0.2.17 in the net zone.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>net:155.186.235.0/24!155.186.235.16/28</term>
              <listitem>
                <para>Subnet 155.186.235.0/24 on the Internet except for
                155.186.235.16/28</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <blockquote>
@ -481,7 +494,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>Location of Server. May be a zone defined in
@ -505,6 +518,10 @@
          restricted to a particular subnet, host or interface by appending
          ":" and the subnet, host or interface. See above.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see
          shorewall-exclusion(5)).</para>
          <para>Restrictions:</para>
          <para>1. MAC addresses are not allowed.</para>
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@ -195,7 +195,7 @@
        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
        role="bold">$FW</emphasis>|[{<emphasis>interface</emphasis>|<emphasis
        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}</term>
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>Source of the packet. A comma-separated list of interface
@ -219,13 +219,17 @@
          separator.</para>
          <para>Example: ~00-A0-C9-15-39-78</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see
          shorewall-exclusion(5)).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> — {<emphasis
        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}</term>
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>Destination of the packet. Comma separated list of IP
@ -236,6 +240,10 @@
          role="bold">MARK</emphasis> column specificies a classification of
          the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
          this column may also contain an interface name.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see
          shorewall-exclusion(5)).</para>
        </listitem>
      </varlistentry>
@ -492,12 +500,13 @@
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>