Update man pages to allow interface name in DEST column of notrack file.

Signed-off-by: Tom Eastep <teastep@shorewall.net> git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9832 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-22 23:53:30 +01:00 · 2009-04-08 22:45:51 +00:00 · 2009-04-08 22:45:51 +00:00 · c8b48a9bbd
commit c8b48a9bbd
parent 7d2b410904
2 changed files with 50 additions and 5 deletions
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@ -56,13 +56,40 @@
      </varlistentry>

      <varlistentry>
-        <term>DEST ‒ [<replaceable>address-list</replaceable>]</term>
+        <term>DEST ‒
+        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>

        <listitem>
-          <para>where <replaceable>address-list</replaceable> is a
+          <para>where <replaceable>interface</replaceable> is the name of a
+          network interface and <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
-          (5)).</para>
+          (5)). If an interface is given:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>It must be up and configured with an IPv4 address when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>All routes out of the interface must be configured when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>Default routes out of the interface will result in a
+              warning message and will be ignored.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>These restrictions are because Netfilter doesn't support
+          NOTRACK rules that specify a destination interface (these rules are
+          applied before packets are routed and hence the destination
+          interface is unknown). Shorewall uses the routes out of the
+          interface to replace the interface with an address list
+          corresponding to the networks routed out of the named
+          interface.</para>
        </listitem>
      </varlistentry>

--- a/manpages6/shorewall6-notrack.xml
+++ b/manpages6/shorewall6-notrack.xml
@ -48,13 +48,31 @@
      </varlistentry>

      <varlistentry>
-        <term>DEST ‒ [<replaceable>address-list</replaceable>]</term>
+        <term>DEST ‒
+        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>

        <listitem>
          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
-          (5)).</para>
+          (5)). If an interface is given:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>It must be up and configured with an IPv6 address when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>All routes out of the interface must be configured when
+              Shorewall is started or restarted.</para>
+            </listitem>
+
+            <listitem>
+              <para>Default routes out of the interface will result in a
+              warning message and will be ignored.</para>
+            </listitem>
+          </itemizedlist>
        </listitem>
      </varlistentry>