From c0b56512a7006d266053e4afee9367033996debd Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Sun, 1 Jun 2008 13:57:21 +0000
Subject: [PATCH] Add zone ordering information to shorewall-zones(8)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8546 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 manpages/shorewall-zones.xml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml
index 70a2d0c28..9cb031fe1 100644
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@@ -44,10 +44,13 @@
           default LOGFORMAT, zone names can be at most 5 characters
           long.</para>
 
-          <para>Where a zone is nested in one or more other zones, you may
-          follow the (sub)zone name by ":" and a comma-separated list of the
-          parent zones. The parent zones must have been declared in earlier
-          records in this file. See <ulink
+          <para>The order in which Shorewall matches addresses from packets to
+          zones is determined by the order of zone declarations. Where a zone
+          is nested in one or more other zones, you may either ensure that the
+          nested zone precedes its parents in this file, or you may follow the
+          (sub)zone name by ":" and a comma-separated list of the parent
+          zones. The parent zones must have been declared in earlier records
+          in this file. See <ulink
           url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
           additional information.</para>
 
@@ -60,7 +63,8 @@ c:a,b     ipv4</programlisting>
 
           <para>Currently, Shorewall uses this information to reorder the zone
           list so that parent zones appear after their subzones in the list.
-          The IMPLICIT_CONTINUE option in shorewall.conf can also create
+          The IMPLICIT_CONTINUE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5 can also create
           implicit CONTINUE policies to/from the subzone.</para>
 
           <para>In the future, Shorewall may make additional use of nesting
@@ -241,6 +245,9 @@ c:a,b     ipv4</programlisting>
   <refsect1>
     <title>See ALSO</title>
 
+    <para><ulink
+    url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
+
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
     shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),