More manpage updates for 4.4.13

Tom Eastep 2010-09-14 16:47:45 -07:00
parent 94cdc73ec2
commit 10a9ae496a
5 changed files with 75 additions and 33 deletions

@ -1885,7 +1885,7 @@ sub generate_matrix() {
my $fw = firewall_zone;
my $notrackref = $raw_table->{notrack_chain $fw};
my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
my $blackout = $filter_table->{blackout} && @{$filter_table->{blackout}{rules}};
my $blackout = $filter_table->{blackout};
my @zones = off_firewall_zones;
my @vservers = vserver_zones;
my $interface_jumps_added = 0;
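Review bot: The replacement assignment "my $blackout = $filter_table->{blackout};" drops the "@{$filter_table->{blackout}{rules}}" emptiness test, so $blackout is now true whenever the chain exists, even with no rules in it. Please confirm that every later test of $blackout in generate_matrix() is meant to fire for an empty blackout chain, or keep the rule-count check and add a comment saying why the chain reference alone is enough.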
@ -2034,7 +2034,7 @@ sub generate_matrix() {
my $interfacematch = '';
my $use_output = 0;
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( ( $blacklist || @{$interfacechainref->{rules}} ) && ! $chain1ref ) ) {
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
$outputref = $interfacechainref;
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
$use_output = 1;
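Review bot: In the rewritten condition, $blacklist has moved out of the "&& ! $chain1ref" group, so an interface with $blacklist set now always takes this branch (with "$outputref = $interfacechainref") even when $chain1ref is defined. That is a behaviour change in the compiler, while the commit subject only mentions manpage updates; add a line to the commit message and a short comment above the condition explaining why blacklisting forces the per-interface chain.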
@ -2048,7 +2048,6 @@ sub generate_matrix() {
} else {
$outputref = $filter_table->{OUTPUT};
$interfacematch = match_dest_dev $interface;
$needs_bl_jump{output_chain $interface} = 1 if $blacklist;
}
add_jump $outputref , $nextchain, 0, join( '', $interfacematch, $dest, $ipsec_out_match );
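Review bot: The hunk header shows one line leaving this "else" branch, and the only candidate tied to the other changes is "$needs_bl_jump{output_chain $interface} = 1 if $blacklist;". If this "else" pairs with the condition widened in the previous hunk, $blacklist can no longer be true here and the removal is consistent, but please check whether anything still sets or reads %needs_bl_jump; if not, remove the hash and its consumers in the same commit.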

@ -231,13 +231,16 @@ loc eth2 -</programlisting>
<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
file. The value may be specified when running Shorewall 4.4.13
or later and can have a value in the range 1-2</para>
or later and can have a value in the range 1-2; entering no
value is equivalent to blacklist=1.</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given).
Traffic entering this interface are passed against the
entries in <ulink
<para>Input blacklisting (default if no value given). This
setting is intended for Internet-facing interfaces.</para>
<para>Traffic entering this interface is passed against
the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
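Review bot: The added sentence "entering no value is equivalent to blacklist=1" repeats what the first list item already states with "(default if no value given)", and the shorewall6 page words the same sentence differently ("Specifying no value ..." after a full stop). Keep a single statement of the default and use identical wording on both pages.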
@ -249,9 +252,11 @@ loc eth2 -</programlisting>
</listitem>
<listitem>
<para>Output blacklisting. Forward traffic that entered
through this interface is passed against the entries in
<ulink
<para>Output blacklisting. This setting is intended for
internal interfaces.</para>
<para>Forwarded traffic that entered through this
interface is passed against the entries in <ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
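Review bot: The description of the second value now differs between the two interfaces pages: here it reads "Forwarded traffic that entered through this interface", while the shorewall6 page says "Traffic entering on this interface". If the behaviour is the same for both, use one wording; if only forwarded traffic is checked, the shorewall6 text should say so as well.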

@ -18,14 +18,25 @@
<cmdsynopsis>
<command>/usr/share/shorewall/modules</command>
</cmdsynopsis>
<cmdsynopsis>
<command>/usr/share/shorewall/helpers</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file specifies which kernel modules Shorewall will load before
trying to determine your iptables/kernel's capabilities. Each record in
the file has the following format:</para>
<para>These files specify which kernel modules Shorewall will load before
trying to determine your iptables/kernel's capabilities.</para>
<para>The <filename>modules</filename> file is used when
LOAD_HELPERS_ONLY=No in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(8); the
<filename>helpers</filename> file is used when
LOAD_HELPERS_ONLY=Yes</para>
<para>Each record in the files has the following format:</para>
<cmdsynopsis>
<command>loadmodule</command>
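Review bot: The new paragraph ending "LOAD_HELPERS_ONLY=Yes</para>" is missing its closing full stop, and it splits into two paragraphs what the shorewall6 page keeps as one paragraph ending "LOAD_HELPERS_ONLY=Yes.". Add the period and use the same paragraph layout in both pages.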
@ -45,7 +56,8 @@
<para>The /usr/share/shorewall/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall/modules
and modify the copy to load only the modules required.<note>
and modify the copy to load only the modules required or to use
LOAD_HELPERS_ONLY=Yes.<note>
<para>If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall/modules file;
that will prevent Shorewall from trying to load modules at all.</para>
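Review bot: The note in this paragraph still tells monolithic-kernel users to create an empty /etc/shorewall/modules, but the description now says the helpers file is the one used when LOAD_HELPERS_ONLY=Yes. Document whether an empty /etc/shorewall/helpers is needed in that case, otherwise the note no longer covers both settings.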
@ -63,7 +75,11 @@
<para>/usr/share/shorewall/modules</para>
<para>/usr/share/shorewall/helpers</para>
<para>/etc/shorewall/modules</para>
<para>/etc/shorewall/helpers</para>
</refsect1>
<refsect1>
@ -74,8 +90,9 @@
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
shorewall-zones(5)</para>
</refsect1>
</refentry>

@ -120,13 +120,16 @@ loc eth2 -</programlisting>
<listitem>
<para>The value may be specified when running Shorewall 4.4.13
or later and can have a value in the range 1-2</para>
or later and can have a value in the range 1-2. Specifying no
value is equivalent to blacklist=1.</para>
<orderedlist>
<listitem>
<para>Input blacklisting (default if no value given).
Traffic entering this interface are passed against the
entries in <ulink
<para>Input blacklisting (default if no value given). This
setting is intended for Internet-facing interfaces.</para>
<para>Traffic entering this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">from</emphasis> option
(specified or defaulted). Traffic originating on the
@ -138,8 +141,11 @@ loc eth2 -</programlisting>
</listitem>
<listitem>
<para>Output blacklisting. Traffic entering on this
interface is passed against the entries in <ulink
<para>Output blacklisting. This setting is intended for
internal interfaces.</para>
<para>Traffic entering on this interface is passed against
the entries in <ulink
url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
that have the <emphasis role="bold">to</emphasis>
option.</para>
@ -382,8 +388,8 @@ dmz eth2 -</programlisting>
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
shorewall6-route_rules(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
</refsect1>
</refentry>

@ -18,14 +18,23 @@
<cmdsynopsis>
<command>/usr/share/shorewall6/modules</command>
</cmdsynopsis>
<cmdsynopsis>
<command>/usr/share/shorewall6/helpers</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This file specifies which kernel modules shorewall6 will load before
trying to determine your ip6tables/kernel's capabilities. Each record in
the file has the following format:</para>
<para>These files specify which kernel modules shorewall6 will load before
trying to determine your ip6tables/kernel's capabilities. The
<filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
<ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(8); the
<filename>helpers</filename> file is used when
LOAD_HELPERS_ONLY=Yes.</para>
<para>Each record in the files has the following format:</para>
<cmdsynopsis>
<command>loadmodule</command>
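Review bot: The added link cites shorewall6.conf as section (8), while the See Also list in this same file gives shorewall6.conf(5); the shorewall modules page has the same mismatch with "shorewall.conf</ulink>(8)". Make the section number agree with See Also in both pages.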
@ -45,7 +54,8 @@
<para>The /usr/share/shorewall6/modules file contains a large number of
modules. Users are encouraged to copy the file to /etc/shorewall6/modules
and modify the copy to load only the modules required.<note>
and modify the copy to load only the modules required or use
LOAD_HELPERS_ONLY=Yes.<note>
<para>If you build monolithic kernels and have not installed
module-init-tools, then create an empty /etc/shorewall6/modules file;
that will prevent shorewall6 from trying to load modules at
@ -64,7 +74,11 @@
<para>/usr/share/shorewall6/modules</para>
<para>/usr/share/shorewall6/helpers</para>
<para>/etc/shorewall6/modules</para>
<para>/etc/shorewall6/helpers</para>
</refsect1>
<refsect1>
@ -74,8 +88,9 @@
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>