From 5ff1aca52a40a3b1778c14ca146729c718ce82bb Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 30 Apr 2011 21:52:32 -0700 Subject: [PATCH] Augment documentation of the :I and :CI modifiers --- manpages/shorewall-tcrules.xml | 47 +++++++++++++++++++++----------- manpages6/shorewall6-tcrules.xml | 14 ++++++++++ 2 files changed, 45 insertions(+), 16 deletions(-) diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index 82f65c275..12abaee51 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -80,18 +80,19 @@ marks (see below). May optionally be followed by :P, :F,:T or + :I where + :P indicates that marking should occur in the + PREROUTING chain, :F indicates + that marking should occur in the FORWARD chain, :I indicates that marking should occur in + the INPUT chain (added in Shorewall 4.4.13), and :T indicates that marking should occur in + the POSTROUTING chain. If neither :P, :F - or :T where :P indicates that marking should occur - in the PREROUTING chain, :F - indicates that marking should occur in the FORWARD chain, :I - indicates that marking should occur in the INPUT chain (added in - Shorewall 4.4.13), and :T - indicates that marking should occur in the POSTROUTING chain. If - neither :P, :F nor :T follow the mark value then the chain - is determined as follows: + nor :T follow the mark value + then the chain is determined as follows: - If the SOURCE is $FW[shorewall.conf(5). + Please note that :I is + included for completeness and affects neither traffic shaping + nor policy routing. + If your kernel and iptables include CONNMARK support then you can also mark the connection rather than the packet. The mark value may be optionally followed by "/" and a mask value (used to determine those bits of the connection mark to actually be set). The mark and optional mask are then - followed by one of:+ + followed by one of: 
@@ -147,6 +152,16 @@ Mark the connecdtion in the POSTROUTING chain + + + CI + + + Mark the connection in the INPUT chain. This option + is included for completeness and has no applicability to + traffic shaping or policy routing. + + Special considerations for If @@ -805,10 +820,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443 shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), - shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), - shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), - shorewall-params(5), shorewall-policy(5), shorewall-providers(5), - shorewall-proxyarp(5), shorewall-route_rules(5), + shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), + shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), + shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), + shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index 68892296a..d974fa90a 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml @@ -103,6 +103,10 @@ MARK_IN_FORWARD_CHAIN in shorewall6.conf(5). + Please note that :I is + included for completeness and affects neither traffic shaping + nor policy routing. + If your kernel and ip6tables include CONNMARK support then you can also mark the connection rather than the packet. @@ -144,6 +148,16 @@ Mark the connection in the POSTROUTING chain + + + CI + + + Mark the connection in the INPUT chain. This option + is included for completeness and has no applicability to + traffic shaping or policy routing. + + Special considerations for If
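Review bot: In manpages/shorewall-tcrules.xml (hunk at -80,18), the rewrapped paragraph lists :I among the optional suffixes, but the fallback sentence at the end of the same hunk still reads "If neither :P, :F nor :T follow the mark value", so :I is left out of it. Suggest adding :I to that sentence so the default-chain rule covers every modifier the paragraph names.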
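Review bot: The context line directly above the new CI entry in manpages/shorewall-tcrules.xml (hunk at -147,6) reads "Mark the connecdtion in the POSTROUTING chain"; since this hunk already edits that list, correct the typo to "connection" here, as the manpages6 copy of the same line has it. The :I text in the earlier hunk also carries "(added in Shorewall 4.4.13)" while the CI entry gives no version; if CI has a minimum version, state it in the entry.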
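Review bot: The See Also hunk in manpages/shorewall-tcrules.xml (at -805,10) only rewraps the reference list, which is unrelated to the :I and :CI documentation named in the subject, and it carries "shorewall_interfaces(5)" through with an underscore while every other entry uses a hyphen. Suggest moving the rewrap to its own commit and, if the hyphenated page name is the intended one, correcting that entry at the same time.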
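Review bot: In manpages6/shorewall6-tcrules.xml (hunk at -103,6), the added note refers to :I, but unlike the IPv4 page this patch makes no change to the paragraph that enumerates the chain modifiers; the diffstat shows 14 insertions and no deletions for this file. Confirm that paragraph already describes :I as marking in the INPUT chain, and add it in this patch if it does not, so the note does not refer to a modifier the page never defines.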
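Review bot: The new CI entry in manpages6/shorewall6-tcrules.xml (hunk at -144,6) says the option "has no applicability to traffic shaping or policy routing", while the :I note added one hunk earlier says it "affects neither traffic shaping nor policy routing". Suggest using one wording for both, in both the IPv4 and IPv6 pages, since the two sentences describe the same limitation.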