From da886142f991623d119464aa92e64d1fbdfea9d3 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 5 Oct 2010 13:45:50 -0700
Subject: [PATCH] Update manpages for ipset lists

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 manpages/shorewall-exclusion.xml | 40 ++++++++++++++++++++++++++------
 manpages/shorewall-ipsets.xml    |  4 +++-
 2 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/manpages/shorewall-exclusion.xml b/manpages/shorewall-exclusion.xml
index ccf601453..6c0a7841a 100644
--- a/manpages/shorewall-exclusion.xml
+++ b/manpages/shorewall-exclusion.xml
@@ -84,6 +84,31 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
         net ACCEPT rule.</para>
       </blockquote>
     </warning>
+
+    <para>In most contexts, ipset names can be used as an
+    <replaceable>address-or-range</replaceable>. Beginning with Shorewall
+    4.4.14, ipset lists enclosed in +[...] may also be included (see <ulink
+    url="shorewall-ipsets.html">shorewall-ipsets</ulink> (5)). The semantics
+    of these lists when used in an exclusion are as follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>!+[<replaceable>set1</replaceable>,<replaceable>set2</replaceable>,...<replaceable>setN</replaceable>]
+        produces a packet match if the packet does not match at least one of
+        the sets. In other words, it is like NOT match
+        <replaceable>set1</replaceable> OR NOT match
+        <replaceable>set2</replaceable> ... OR NOT match
+        <replaceable>setN</replaceable>.</para>
+      </listitem>
+
+      <listitem>
+        <para>+[!<replaceable>set1</replaceable>,!<replaceable>set2</replaceable>,...!<replaceable>setN</replaceable>]
+        produces a packet match if the packet does not match any of the sets.
+        In other words, it is like NOT match <replaceable>set1</replaceable>
+        AND NOT match <replaceable>set2</replaceable> ... AND NOT match
+        <replaceable>setN</replaceable>.</para>
+      </listitem>
+    </itemizedlist>
   </refsect1>
 
   <refsect1>
@@ -151,12 +176,13 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
     <title>See ALSO</title>
 
     <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
   </refsect1>
 </refentry>
diff --git a/manpages/shorewall-ipsets.xml b/manpages/shorewall-ipsets.xml
index f9f5cc826..35b5a83f2 100644
--- a/manpages/shorewall-ipsets.xml
+++ b/manpages/shorewall-ipsets.xml
@@ -72,7 +72,9 @@
 
     <para>Beginning with Shorewall 4.4.14, multiple source or destination
     matches may be specified by enclosing the set names within +[...]. The set
-    names need not be prefixed with '+'.</para>
+    names need not be prefixed with '+'. For information about set lists and
+    exclusion, see <ulink
+    url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
   </refsect1>
 
   <refsect1>