Clarify that the tcrules files support ipsets.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-04-28 09:30:16 -07:00
parent 2db87891ec
commit 1f362b32f2
2 changed files with 22 additions and 11 deletions


@ -432,6 +432,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para>
</listitem>
<listitem>
<para><replaceable>address-or-range</replaceable> may include
ipsets.</para>
</listitem>
</orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a
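Review bot: the new listitem (lines 16-19 of this hunk) says only that address-or-range "may include ipsets" without saying how an ipset is written or where that is documented; since shorewall-ipsets(5) is already in this page's SEE ALSO list, suggest "may include ipsets (see shorewall-ipsets(5))" so the reader is pointed at the syntax.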
@ -474,6 +479,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
itself or qualified by an address list. This causes marking to
occur in the INPUT chain.</para>
</listitem>
<listitem>
<para><replaceable>address-or-range</replaceable> may include
ipsets.</para>
</listitem>
</orderedlist>
<para>You may exclude certain hosts from the set already defined
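Review bot: this second copy of the "may include ipsets" listitem is a verbatim repeat of the one in the previous orderedlist; that is fine if both columns accept ipsets, but it should carry the same cross-reference to shorewall-ipsets(5) so the two items stay consistent and the reader is not left guessing the ipset syntax in either place.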
@ -805,10 +815,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
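Review bot: the reflowed SEE ALSO lines keep "shorewall_interfaces(5)" with an underscore while every other entry in the list uses a hyphen (shorewall-hosts(5), shorewall-ipsets(5), shorewall-maclist(5), ...); since these lines are being rewritten anyway, change it to "shorewall-interfaces(5)" so the cross-reference matches the naming of the other man pages.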


@ -292,11 +292,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
names, IP addresses, MAC addresses and/or subnets for packets being
routed through a common path. List elements may also consist of an
interface name followed by ":" and an address (e.g.,
eth1:&lt;2002:ce7c:92b4::/48&gt;). For example, all packets for
connections masqueraded to eth0 from other interfaces can be matched
in a single rule with several alternative SOURCE criteria. However,
a connection whose packets gets to eth0 in a different way, e.g.,
direct from the firewall itself, needs a different rule.</para>
eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. For example, all
packets for connections masqueraded to eth0 from other interfaces
can be matched in a single rule with several alternative SOURCE
criteria. However, a connection whose packets gets to eth0 in a
different way, e.g., direct from the firewall itself, needs a
different rule.</para>
<para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
own separate rule for packets originating on the firewall. In such a
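Review bot: the reflowed paragraph carries over the grammatical error "a connection whose packets gets to eth0" unchanged; since the sentence is already being rewritten, change "gets" to "get". As in the other file, "or an ipset" would be clearer with a pointer to shorewall-ipsets(5) for the ipset syntax.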
@ -330,8 +331,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
addresses and/or subnets. If your kernel and ip6tables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
<emphasis role="bold">MARK</emphasis> column specificies a
an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. If
the <emphasis role="bold">MARK</emphasis> column specificies a
classification of the form
<emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
column may also contain an interface name.</para>
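Review bot: "specificies" is carried over from the old line into the rewritten one ("the MARK column specificies a classification"); since the line is touched anyway, fix the typo to "specifies".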