From 09fda9eb6ca969c53c7b9a0d53234feac338661b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 10 Feb 2017 11:43:04 -0800 Subject: [PATCH] Manpage updates: - interfaces: Clarify the 'bridge' option - rtrules: Warn about similar rules with same priority --- Shorewall/manpages/shorewall-interfaces.xml | 6 ++++++ Shorewall/manpages/shorewall-rtrules.xml | 11 +++++++++++ Shorewall6/manpages/shorewall6-interfaces.xml | 6 ++++++ Shorewall6/manpages/shorewall6-rtrules.xml | 11 +++++++++++ 4 files changed, 34 insertions(+) diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index 10dd41936..903c71f12 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -303,6 +303,12 @@ loc eth2 - Designates the interface as a bridge. Beginning with Shorewall 4.4.7, setting this option also sets . + + + If you have a bridge that you don't intend to define + bport zones on, then it is best to omit this option and + simply specify . + diff --git a/Shorewall/manpages/shorewall-rtrules.xml b/Shorewall/manpages/shorewall-rtrules.xml index bdd5d23d2..03b5e4bb9 100644 --- a/Shorewall/manpages/shorewall-rtrules.xml +++ b/Shorewall/manpages/shorewall-rtrules.xml @@ -129,6 +129,17 @@ Beginning with Shorewall 5.0.2, the priority may be followed optionally by an exclaimation mark ("!"). This causes the rule to remain in place if the interface is disabled. + + + Be careful when using rules of the same PRIORITY as some + unexpected behavior can occur when multiple rules have the same + SOURCE. For example, in the following rules, the second rule + overwrites the first unless the priority in the second is changed + to 19001 or higher: + + 10.10.0.0/24 192.168.5.6 provider1 19000 +10.10.0.0/24 - provider2 19000 + diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index de9e8b300..80b9c84d6 100644 
--- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -234,6 +234,12 @@ loc eth2 - Designates the interface as a bridge. Beginning with Shorewall 4.4.7, setting this option also sets . + + + If you have a bridge that you don't intend to define + bport zones on, then it is best to omit this option and + simply specify . + diff --git a/Shorewall6/manpages/shorewall6-rtrules.xml b/Shorewall6/manpages/shorewall6-rtrules.xml index 28a1dc01e..1ede1f500 100644 --- a/Shorewall6/manpages/shorewall6-rtrules.xml +++ b/Shorewall6/manpages/shorewall6-rtrules.xml @@ -129,6 +129,17 @@ Beginning with Shorewall 5.0.2, the priority may be followed optionally by an exclaimation mark ("!"). This causes the rule to remain in place if the interface is disabled. + + + Be careful when using rules of the same PRIORITY as some + unexpected behavior can occur when multiple rules have the same + SOURCE. For example, in the following rules, the second rule + overwrites the first unless the priority in the second is changed + to 19001 or higher: + + 2601:601:8b00:bf0::/64 2001:470:b:787::542 provider1 19000 +2601:601:8b00:bf0::/64 - provider2 19000 +
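Review bot: In Shorewall/manpages/shorewall-interfaces.xml (and the identical hunk in Shorewall6/manpages/shorewall6-interfaces.xml), the new paragraph under the bridge option says it is "best to omit this option" for a bridge with no bport zones but gives no reason. Add a clause stating what setting the option changes or costs in that case, so that a reader with an existing configuration can judge whether it needs to be edited.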
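Review bot: In Shorewall/manpages/shorewall-rtrules.xml, the warning opens with "some unexpected behavior can occur" while the example that follows already names the actual effect, that the second rule overwrites the first. Lead with that effect and make the condition precise: the sentence names the same PRIORITY and the same SOURCE, but the two example rules also differ in DEST (192.168.5.6 versus -), so the text should say whether DEST plays any part. Because an overwritten rule means the provider1 rule is no longer in place, it is also worth stating whether any warning is issued when this happens. The same wording is repeated in the Shorewall6 page, so any change should be made in both.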
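Review bot: In Shorewall6/manpages/shorewall6-rtrules.xml, the example rules use 2601:601:8b00:bf0::/64 and 2001:470:b:787::542, which are globally routable addresses rather than documentation addresses. Use addresses from 2001:db8::/32, the prefix reserved for documentation, in the same way the IPv4 page keeps its example to private ranges (10.10.0.0/24, 192.168.5.6).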