Clarify that the tcrules files support ipsets.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-04-28 09:30:16 -07:00
parent 2db87891ec
commit 1f362b32f2
2 changed files with 22 additions and 11 deletions


@ -432,6 +432,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
packets originating on the firewall. May not be used with a packets originating on the firewall. May not be used with a
chain qualifier (:P, :F, etc.) in the MARK column.</para> chain qualifier (:P, :F, etc.) in the MARK column.</para>
</listitem> </listitem>
<listitem>
<para><replaceable>address-or-range</replaceable> may include
ipsets.</para>
</listitem>
</orderedlist> </orderedlist>
<para>MAC addresses must be prefixed with "~" and use "-" as a <para>MAC addresses must be prefixed with "~" and use "-" as a
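Review bot: the new listitem states that address-or-range "may include ipsets" but gives the reader neither the syntax nor a pointer to it; since shorewall-ipsets(5) is already listed in the SEE ALSO paragraph of this same file, cross-reference it here, e.g. `<para><replaceable>address-or-range</replaceable> may include ipsets (see shorewall-ipsets(5)).</para>`. The companion file in this commit qualifies iprange with "If your kernel and ip6tables include iprange match support"; the set match has the same kind of kernel/iptables dependency and deserves the same caveat in this list.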
@ -474,6 +479,11 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
itself or qualified by an address list. This causes marking to itself or qualified by an address list. This causes marking to
occur in the INPUT chain.</para> occur in the INPUT chain.</para>
</listitem> </listitem>
<listitem>
<para><replaceable>address-or-range</replaceable> may include
ipsets.</para>
</listitem>
</orderedlist> </orderedlist>
<para>You may exclude certain hosts from the set already defined <para>You may exclude certain hosts from the set already defined
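Review bot: the paragraph immediately after the list ("You may exclude certain hosts from the set already defined ...") describes exclusion, and the new listitem does not say whether that exclusion syntax applies to an ipset element; either state it here or extend the exclusion paragraph so the two do not contradict each other. The wording is a verbatim copy of the SOURCE list item added in the hunk above, which is acceptable, but keep both in sync if a syntax reference or caveat is added to one of them.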
@ -805,10 +815,10 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5), <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5), shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
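Review bot: this hunk only rewraps the SEE ALSO paragraph (shorewall-ipsets(5) appears on both the old and new sides), so it is cosmetic; while these lines are being touched, `shorewall_interfaces(5)` uses an underscore where every other entry in the list is hyphenated and should read `shorewall-interfaces(5)` for consistency.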


@ -292,11 +292,12 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
names, IP addresses, MAC addresses and/or subnets for packets being names, IP addresses, MAC addresses and/or subnets for packets being
routed through a common path. List elements may also consist of an routed through a common path. List elements may also consist of an
interface name followed by ":" and an address (e.g., interface name followed by ":" and an address (e.g.,
eth1:&lt;2002:ce7c:92b4::/48&gt;). For example, all packets for eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. For example, all
connections masqueraded to eth0 from other interfaces can be matched packets for connections masqueraded to eth0 from other interfaces
in a single rule with several alternative SOURCE criteria. However, can be matched in a single rule with several alternative SOURCE
a connection whose packets gets to eth0 in a different way, e.g., criteria. However, a connection whose packets gets to eth0 in a
direct from the firewall itself, needs a different rule.</para> different way, e.g., direct from the firewall itself, needs a
different rule.</para>
<para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
own separate rule for packets originating on the firewall. In such a own separate rule for packets originating on the firewall. In such a
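Review bot: "or an ipset" is added to the SOURCE description without the support qualification that the DEST paragraph later in this file applies to iprange ("If your kernel and ip6tables include iprange match support"); the set match has the same dependency on kernel and ip6tables support and should be phrased the same way. The rewrapped context "a connection whose packets gets to eth0" also has a number-agreement error; since these lines are being reflowed anyway, change "gets" to "get".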
@ -330,8 +331,8 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
addresses and/or subnets. If your kernel and ip6tables include addresses and/or subnets. If your kernel and ip6tables include
iprange match support, IP address ranges are also allowed. List iprange match support, IP address ranges are also allowed. List
elements may also consist of an interface name followed by ":" and elements may also consist of an interface name followed by ":" and
an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;) or an ipset. If
<emphasis role="bold">MARK</emphasis> column specificies a the <emphasis role="bold">MARK</emphasis> column specificies a
classification of the form classification of the form
<emphasis>major</emphasis>:<emphasis>minor</emphasis> then this <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
column may also contain an interface name.</para> column may also contain an interface name.</para>
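Review bot: the rewrapped line carries the typo "specificies"; since that line is modified by this hunk, correct it to "specifies" in the same commit. As in the SOURCE hunk, "or an ipset" is appended here without the "If your kernel and ip6tables include ... match support" qualification that the same sentence applies to iprange two lines earlier; conditioning ipsets identically keeps the DEST description accurate on systems without the set match.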