Doc updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6654 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/Actions.xml

@@ -401,6 +401,32 @@ Reject:REJECT   #Default Action for REJECT policy</programlisting>
           2.6.14).</member>
         </simplelist>
       </listitem>
+
+      <listitem>
+        <para>MARK (Added in Shorewall 3.4.4)</para>
+
+        <para><simplelist>
+            <member>[!]&lt;<emphasis>value</emphasis>&gt;[/&lt;<emphasis>mask</emphasis>&gt;][:C]</member>
+          </simplelist></para>
+
+        <para>Defines a test on the existing packet or connection mark. The
+        rule will match only if the test returns true.</para>
+
+        <para>If you don’t want to define a test but need to specify anything
+        in the following columns, place a "-" in this field.<simplelist>
+            <member> ! — Inverts the test (not equal)</member>
+
+            <member>&lt;<emphasis>value</emphasis>&gt; — Value of the packet
+            or connection mark.</member>
+
+            <member>&lt;<emphasis>mask</emphasis>&gt; —A mask to be applied to
+            the mark before testing.</member>
+
+            <member>:C — Designates a connection mark. If omitted, the packet
+            mark’s value is tested. This option is only supported by
+            Shorewall-perl</member>
+          </simplelist></para>
+      </listitem>
     </itemizedlist>
 
     <para>Omitted column entries should be entered using a dash ("-").</para>

docs/Shorewall-4.xml

@@ -141,6 +141,10 @@
       <listitem>
         <para>Perl File::Temp Module</para>
       </listitem>
+
+      <listitem>
+        <para>Perl Getopt::Long Module</para>
+      </listitem>
     </itemizedlist>
   </section>
 
@@ -411,7 +415,7 @@ fi</programlisting>
 eth0             eth1!192.168.4.9        ...</programlisting>Shorewall-perl
         uses syntax that is consistent with the rest of
         Shorewall:<programlisting>#INTERFACE       SOURCE                  ADDRESSES
-eth0             eth1:!192.168.4.9       ...</programlisting> </para>
+eth0             eth1:!192.168.4.9       ...</programlisting></para>
       </listitem>
 
       <listitem>

docs/Shorewall-perl.xml

@@ -38,10 +38,10 @@
     <title>Shorewall-perl - What is it?</title>
 
     <para>Shorewall-perl is a companion product to Shorewall. It requires
-    Shorewall 3.4.2 or later.</para>
+    Shorewall 3.4.2 or later (Shorewall 3.4.4 or later recommended).</para>
 
     <para>Shorewall-perl contains a re-implementation of the Shorewall
-    compiler written in Perl. The advantages of using Shorewall-perl are over
+    compiler written in Perl. The advantages of using Shorewall-perl over
     Shorewall-shell (the shell-based compiler included in earlier Shorewall
     3.x releases) are:</para>
 
@@ -119,7 +119,9 @@
 
           <listitem>
             <para>BRIDGING=Yes is not supported. The kernel code necessary to
-            support this option was removed in Linux kernel 2.6.20.</para>
+            support this option was removed in Linux kernel 2.6.20. <ulink
+            url="bridge-Shorewall-perl.html">Alternative bridge
+            support</ulink> is provided by Shorewall-perl.</para>
           </listitem>
 
           <listitem>
@@ -129,16 +131,6 @@
             addrtype match requirement is relaxed.</para>
           </listitem>
 
-          <listitem>
-            <para>Because the compiler is now written in Perl, your
-            compile-time extension scripts from earlier versions will no
-            longer work. For now, if you want to use extension scripts, you
-            will need to read the Perl code to see how the compiler operates
-            internally. I will produce documentation before the first official
-            release. Compile-time extension scripts are executed using the
-            Perl 'do FILE' mechanism.</para>
-          </listitem>
-
           <listitem>
             <para>The 'refresh' command is now synonymous with
             'restart'.</para>
@@ -207,20 +199,21 @@
 
               <listitem>
                 <para>There is only a single "pass as-is to iptables" argument
-                (so you must quote that par</para>
+                (so you must quote that part).</para>
               </listitem>
             </itemizedlist>
 
             <para>Example:</para>
 
-            <programlisting>    log_rule_limit
-              'info' , 
-              $chainref , 
-              $chainref-&gt;{name},
-              'DROP' , 
-              '',    #Limit
-              '' ,   #Log tag
-              'add';         </programlisting>
+            <programlisting>    log_rule_limit(
+                   'info' , 
+                   $chainref , 
+                   $chainref-&gt;{name},
+                   'DROP' , 
+                   '',        #Limit
+                   '' ,       #Log tag
+                   'add',     #Command
+                   '-p tcp'); #Added 'as-is' to the generated rule</programlisting>
           </listitem>
 
           <listitem>
@@ -254,13 +247,14 @@
           </listitem>
 
           <listitem>
-            <para>Currently, support for ipsets is untested. That will change
-            with future pre-releases but one thing is certain -- Shorewall is
-            now out of the ipset load/reload business. With scripts generated
-            by the Perl-based Compiler, the Netfilter ruleset is never
-            cleared. That means that there is no opportunity for Shorewall to
-            load/reload your ipsets since that cannot be done while there are
-            any current rules using ipsets.</para>
+            <para>Currently, support for ipsets is only lightly tested (any
+            volunteers?). That will change with future pre-releases but one
+            thing is certain -- Shorewall is now out of the ipset load/reload
+            business. With scripts generated by the Perl-based Compiler, the
+            Netfilter ruleset is never cleared. That means that there is no
+            opportunity for Shorewall to load/reload your ipsets since that
+            cannot be done while there are any current rules using
+            ipsets.</para>
 
             <para>So:</para>
 
@@ -311,9 +305,10 @@ fi</programlisting>
             the Shorewall-perl compiler rather than by the shell, only the
             basic forms of Shell expansion ($variable and ${variable}) are
             supported. The more exotic forms such as ${variable:=default} are
-            not supported. Both variables defined in /etc/shorewall/params and
-            environmental variables (exported by the shell) can be used in
-            configuration files.</para>
+            not supported. Both variables defined in
+            <filename>/etc/shorewall/params</filename> and environmental
+            variables (exported by the shell) can be used in configuration
+            files.</para>
           </listitem>
 
           <listitem>
@@ -324,8 +319,8 @@ fi</programlisting>
 
           <listitem>
             <para>DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset
-            is atomically loaded with one execution of
-            <command>iptables-restore</command>.</para>
+            (with the exception of the dynamic blacklist) is atomically loaded
+            with one execution of <command>iptables-restore</command>.</para>
           </listitem>
 
           <listitem>
@@ -347,7 +342,7 @@ fi</programlisting>
 
           <listitem>
             <para>Shorewall-perl has a single rule generator that is used for
-            all rule-oriented files. So it is important that the syntax is
+            all rule-oriented files. So it is important that the syntax be
             consistent between files.</para>
 
             <para>With shorewall-shell, there is a special syntax in the
@@ -393,6 +388,10 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
       <listitem>
         <para>Perl File::Temp Module</para>
       </listitem>
+
+      <listitem>
+        <para>Perl Getopts::Long Module</para>
+      </listitem>
     </itemizedlist>
   </section>
 
@@ -407,24 +406,26 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
 
     <para>Either</para>
 
-    <programlisting><command>tar -jxf shorewall-perl-3.9.x.tar.bz2</command>
-<command>cd shorewall-perl-3.9.x</command>
+    <programlisting><command>tar -jxf shorewall-perl-4.0.0-Betax.tar.bz2</command>
+<command>cd shorewall-perl-4.0.0-Betax</command>
 <command>./install.sh</command></programlisting>
 
     <para>or</para>
 
-    <programlisting><command>rpm -ivh shorewall-pl-3.9.x-1.noarch.rpm</command></programlisting>
+    <programlisting><command>rpm -ivh shorewall-pl-4.0.0-0Betax.noarch.rpm</command></programlisting>
 
-    <para>Note that you can also install the Shorewall 3.9.x version of
-    Shorewall. If you do that and still want access to the legacy shell-based
-    compiler, you must also install the Shorewall-shell package.</para>
+    <para>Note that you can also install the current Shorewall 4.0.0 Beta
+    version of Shorewall. If you do that and still want access to the legacy
+    shell-based compiler, you must also install the Shorewall-shell
+    package.</para>
   </section>
 
   <section>
     <title>Using Shorewall-perl</title>
 
     <section>
-      <title>Using Shorewall-perl under Shorewall 3.4.x</title>
+      <title>Using Shorewall-perl under Shorewall 3.4.2 and Shorewall
+      3.4.3</title>
 
       <para>By default, the Shorewall-shell compiler will be used.</para>
 
@@ -435,10 +436,7 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
 
       <para>If you add this setting to
       <filename>/etc/shorewall/shorewall.conf</filename> then by default, the
-      new compiler will be used on the system. If you add it to
-      <filename>shorewall.conf</filename> in a separate directory (such as a
-      Shorewall-lite export directory) then the new compiler will only be used
-      when you compile from that directory.</para>
+      new compiler will be used on the system.</para>
 
       <para>Regardless of the setting of SHOREWALL_COMPILER, there is one
       change in Shorewall operation that is triggered simply by installing
@@ -451,7 +449,8 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
     </section>
 
     <section>
-      <title>Using Shorewall-perl under Shorewall 3.9.x</title>
+      <title>Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and
+      later.</title>
 
       <para>If you only install one compiler, then that compiler will be
       used.</para>
@@ -468,12 +467,13 @@ eth0             eth1:!192.168.4.9       ...</programlisting></para>
       new compiler will be used on the system. If you add it to
       <filename>shorewall.conf</filename> in a separate directory (such as a
       Shorewall-lite export directory) then the new compiler will only be used
-      when you compile from that directory.</para>
+      when you compile from that directory (4.0.0 Beta6 and later
+      only).</para>
 
       <para>If you only install one compiler, it is suggested that you do not
       set SHOREWALL_COMPILER.</para>
 
-      <para>If you install Shorewall-perl under Shorewall 3.9.2 or later, you
+      <para>If you install Shorewall-perl under Shorewall 3.4.4 or later, you
       can select the compiler to use on the command line using the 'C
       option:<simplelist>
           <member>'-C shell' means use the shell compiler</member>

docs/fallback.xml

@@ -43,7 +43,7 @@
 
     <itemizedlist>
       <listitem>
-        <para>cd to the distribution directory for the version of Seattle
+        <para>cd to the distribution directory for the version of Shoreline
         Firewall that you are currently running (NOT the version that you want
         to fall back to).</para>
       </listitem>
@@ -91,4 +91,26 @@
     <para>If you installed using an rpm, at a root shell prompt type
     <quote>rpm -e shorewall</quote>.</para>
   </section>
+
+  <section>
+    <title>Shorewall-shell and Shorewall-perl</title>
+
+    <para>Shorewall-shell and Shoreall-perl have no configuration files and
+    all of their released files are installed in a single directory. To
+    fallback to a prior release of one of these products using the tarballs,
+    simple re-install the older version. </para>
+
+    <para>To uninstal these products when they have been installed using the
+    tarballs:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>rm -rf /usr/share/shorewall-shell</para>
+      </listitem>
+
+      <listitem>
+        <para>rm -rf /usr/share/shorewall-perl</para>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>