Document ipset use in tcfilters

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2014-02-01 09:40:39 -08:00
parent 50fb8e3f2f
commit c08655e0bc
2 changed files with 38 additions and 14 deletions


@ -13,7 +13,7 @@
<refnamediv> <refnamediv>
<refname>tcfilters</refname> <refname>tcfilters</refname>
<refpurpose>Shorewall u32 classifier rules file</refpurpose> <refpurpose>Shorewall u32/basic classifier rules file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
@ -81,23 +81,35 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term> role="bold">-</emphasis>|<emphasis>address</emphasis>|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Source of the packet. May be a host or network <para>Source of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not <replaceable>address</replaceable>. DNS names are not allowed.
allowed.</para> Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm>capability. The ipset name may optionally be
followed by a number or a comma separated list of src and/or dst
enclosed in square brackets ([...]). See <ulink
url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
details.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis <term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term> role="bold">-</emphasis>|<emphasis>address</emphasis>|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Destination of the packet. May be a host or network <para>Destination of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not <replaceable>address</replaceable>. DNS names are not allowed.
allowed.</para> Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm>capability. The ipset name may optionally be
followed by a number or a comma separated list of src and/or dst
enclosed in square brackets ([...]). See <ulink
url="shorewall-ipsets.html">shorewall-ipsets(5)</ulink> for
details.</para>
<para>You may exclude certain hosts from the set already defined <para>You may exclude certain hosts from the set already defined
through use of an <emphasis>exclusion</emphasis> (see <ulink through use of an <emphasis>exclusion</emphasis> (see <ulink
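
Review bot: In the added SOURCE and DEST paragraphs, `Ematch</firstterm>capability` has no space after the closing tag, so the rendered text runs together as "Basic Ematchcapability"; add a space after `</firstterm>` in both places. The same two paragraphs name ip6tables, although this is the page that links to shorewall-ipsets(5) rather than shorewall6-ipsets(5), so the wording looks carried over from the shorewall6 page; please confirm whether iptables is meant here. The bracket syntax is described only as "a number or a comma separated list of src and/or dst" with no statement of what the number stands for; a short clause saying so would let the entry be read without opening shorewall-ipsets(5), and "comma-separated" should be hyphenated.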


@ -13,7 +13,7 @@
<refnamediv> <refnamediv>
<refname>tcfilters</refname> <refname>tcfilters</refname>
<refpurpose>shorewall6 u32 classifier rules file</refpurpose> <refpurpose>shorewall6 u32/basic classifier rules file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
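
Review bot: The refpurpose line touched here still begins with lowercase "shorewall6", while the paragraphs added further down in this file write "Shorewall 4.6.0" and the other page's refpurpose begins with "Shorewall"; since the line is being edited anyway, consider making the capitalisation consistent.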
@ -81,23 +81,35 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">SOURCE</emphasis> - {<emphasis <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}</term> role="bold">-</emphasis>|<emphasis>address</emphasis>|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Source of the packet. May be a host or network <para>Source of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not <replaceable>address</replaceable>. DNS names are not allowed.
allowed.</para> Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch </firstterm>capability. The ipset name may optionally be
followed by a number or a comma separated list of src and/or dst
enclosed in square brackets ([...]). See <ulink
url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
details.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">DEST</emphasis> - {<emphasis <term><emphasis role="bold">DEST</emphasis> - {<emphasis
role="bold">-</emphasis>|<emphasis>address</emphasis>}}</term> role="bold">-</emphasis>|<emphasis>address</emphasis>|+<replaceable>ipset</replaceable>}</term>
<listitem> <listitem>
<para>Destination of the packet. May be a host or network <para>Destination of the packet. May be a host or network
<replaceable>address</replaceable>. DNS names are not <replaceable>address</replaceable>. DNS names are not allowed.
allowed.</para> Beginning with Shorewall 4.6.0, an ipset name (prefixed with '+')
may be used if your kernel and ip6tables have the <firstterm>Basic
Ematch</firstterm>capability. The ipset name may optionally be
followed by a number or a comma separated list of src and/or dst
enclosed in square brackets ([...]). See <ulink
url="shorewall6-ipsets.html">shorewall6-ipsets(5)</ulink> for
details.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
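
Review bot: The two added paragraphs in this hunk mark up the same phrase differently: SOURCE has `Ematch </firstterm>capability` with the space inside the element, and DEST has `Ematch</firstterm>capability` with no space at all, which renders as "Basic Ematchcapability". Put the space after the closing tag in both so they render identically. The paragraph is otherwise a word-for-word copy of the SOURCE text, so any wording fix (for example hyphenating "comma-separated") needs to be applied in both entries.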