From b38f1416aa12619dae64146f0cd6befe6125f7f0 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Mon, 13 May 2013 13:41:12 -0700
Subject: [PATCH] Mention "all+' in the "Important" notes at the top

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/manpages/shorewall-policy.xml   | 5 +++--
 Shorewall6/manpages/shorewall6-policy.xml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/Shorewall/manpages/shorewall-policy.xml b/Shorewall/manpages/shorewall-policy.xml
index 8752d2678..e0e517891 100644
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -42,8 +42,9 @@
       <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
       the POLICY for connections from the zone to itself is ACCEPT (with no
       logging or TCP connection rate limiting) but may be overridden by an
-      entry in this file. The overriding entry must be explicit (cannot use
-      "all" in the SOURCE or DEST).</para>
+      entry in this file. The overriding entry must be explicit (specifying
+      the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
+      4.5.17 or later).</para>
 
       <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
       then the implicit policy to/from any sub-zone is CONTINUE. These
diff --git a/Shorewall6/manpages/shorewall6-policy.xml b/Shorewall6/manpages/shorewall6-policy.xml
index 64c8d3e67..b147fde16 100644
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -42,8 +42,9 @@
       <para>For $FW and for all of the zones defined in /etc/shorewall6/zones,
       the POLICY for connections from the zone to itself is ACCEPT (with no
       logging or TCP connection rate limiting but may be overridden by an
-      entry in this file. The overriding entry must be explicit (cannot use
-      "all" in the SOURCE or DEST).</para>
+      entry in this file. The overriding entry must be explicit (specifying
+      the zone name on both SOURCE and DEST) or it must use "all+ or it must
+      use "all+" (Shorewall 4.5.17 or later).</para>
 
       <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall6.conf,
       then the implicit policy to/from any sub-zone is CONTINUE. These