From 1f362b32f2096fd8dcd9491bc0b8d39dcb3e5802 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 28 Apr 2011 09:30:16 -0700
Subject: [PATCH] Clarify that the tcrules files support ipsets.
Signed-off-by: Tom Eastep
---
 manpages/shorewall-tcrules.xml | 18 ++++++++++++++----
 manpages6/shorewall6-tcrules.xml | 15 ++++++++-------
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 82f65c275..641f607cd 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -432,6 +432,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443
 packets originating on the firewall. May not be used with a chain qualifier (:P, :F, etc.) in the MARK column.
+
+
+ address-or-range may include
+ ipsets.
+
 MAC addresses must be prefixed with "~" and use "-" as a
@@ -474,6 +479,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443
 itself or qualified by an address list. This causes marking to occur in the INPUT chain.
+
+
+ address-or-range may include
+ ipsets.
+
 You may exclude certain hosts from the set already defined
@@ -805,10 +815,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443
 shorewall(8), shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
- shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
- shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
- shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
- shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
 shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index 68892296a..879426d8c 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -292,11 +292,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443
 names, IP addresses, MAC addresses and/or subnets for packets being routed through a common path. List elements may also consist of an interface name followed by ":" and an address (e.g.,
- eth1:<2002:ce7c:92b4::/48>). For example, all packets for
- connections masqueraded to eth0 from other interfaces can be matched
- in a single rule with several alternative SOURCE criteria. However,
- a connection whose packets gets to eth0 in a different way, e.g.,
- direct from the firewall itself, needs a different rule.
+ eth1:<2002:ce7c:92b4::/48>) or an ipset. For example, all
+ packets for connections masqueraded to eth0 from other interfaces
+ can be matched in a single rule with several alternative SOURCE
+ criteria. However, a connection whose packets gets to eth0 in a
+ different way, e.g., direct from the firewall itself, needs a
+ different rule.
 Accordingly, use $FW in its own separate rule for packets originating on the firewall. In such a
@@ -330,8 +331,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443
 addresses and/or subnets. If your kernel and ip6tables include iprange match support, IP address ranges are also allowed. List elements may also consist of an interface name followed by ":" and
- an address (e.g., eth1:<2002:ce7c:92b4::/48>). If the
- MARK column specificies a
+ an address (e.g., eth1:<2002:ce7c:92b4::/48>) or an ipset. If
+ the MARK column specificies a
 classification of the form major:minor then this column may also contain an interface name.