diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 82f65c275..641f607cd 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -432,6 +432,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443
packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.
+
+
+ address-or-range may include
+ ipsets.
+
MAC addresses must be prefixed with "~" and use "-" as a
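Review bot: the added paragraph "address-or-range may include ipsets." does not say how an ipset is written in this column or where the reader should look it up. Suggest naming the syntax or pointing at shorewall-ipsets(5), which this page already lists under See Also, and stating whether an ipset can be mixed with plain addresses in the same list.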
@@ -474,6 +479,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443
itself or qualified by an address list. This causes marking to
occur in the INPUT chain.
+
+
+ address-or-range may include
+ ipsets.
+
You may exclude certain hosts from the set already defined
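Review bot: the new paragraph lands directly after the $FW text ("This causes marking to occur in the INPUT chain."), so it can be read as applying only to the $FW-qualified form. If ipsets are accepted for any address-or-range in this column, place the sentence next to where address-or-range is introduced, or say so explicitly.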
@@ -805,10 +815,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443
shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
- shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
- shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
- shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
- shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
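Review bot: shorewall_interfaces(5) on the first re-flowed line is written with an underscore while every other entry in the list uses a hyphen. Since that line is being rewritten anyway, check the name and correct it here. The rest of the hunk is whitespace-only re-wrapping, which would be easier to review as a separate change from the ipset documentation.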
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index 68892296a..879426d8c 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -292,11 +292,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443
names, IP addresses, MAC addresses and/or subnets for packets being
routed through a common path. List elements may also consist of an
interface name followed by ":" and an address (e.g.,
- eth1:<2002:ce7c:92b4::/48>). For example, all packets for
- connections masqueraded to eth0 from other interfaces can be matched
- in a single rule with several alternative SOURCE criteria. However,
- a connection whose packets gets to eth0 in a different way, e.g.,
- direct from the firewall itself, needs a different rule.
+ eth1:<2002:ce7c:92b4::/48>) or an ipset. For example, all
+ packets for connections masqueraded to eth0 from other interfaces
+ can be matched in a single rule with several alternative SOURCE
+ criteria. However, a connection whose packets gets to eth0 in a
+ different way, e.g., direct from the firewall itself, needs a
+ different rule.
Accordingly, use $FW in its
own separate rule for packets originating on the firewall. In such a
@@ -330,8 +331,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443
addresses and/or subnets. If your kernel and ip6tables include
iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and
- an address (e.g., eth1:<2002:ce7c:92b4::/48>). If the
- MARK column specificies a
+ an address (e.g., eth1:<2002:ce7c:92b4::/48>) or an ipset. If
+ the MARK column specificies a
classification of the form
major:minor then this
column may also contain an interface name.
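Review bot: the re-wrapped line "the MARK column specificies a" keeps the misspelling "specificies"; correct it to "specifies" while the line is being changed. The surrounding text states that address ranges depend on iprange match support in the kernel and ip6tables, but the added "or an ipset" gives no equivalent statement, so say whether ipsets have a comparable requirement.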