diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml
index 78d038bfc..c78787bfe 100644
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -326,8 +326,6 @@
-
- directory
@@ -613,7 +611,10 @@
- add
+ add {
+ interface[:host-list]...
+ zone | zone
+ host-list }Adds a list of hosts or subnets to a dynamic zone usually used
@@ -638,7 +639,8 @@
- allow
+ allow
+ addressRe-enables receipt of packets from hosts previously
@@ -650,7 +652,8 @@
- clear
+ clear
+ [-]Clear will remove all rules and chains installed by
@@ -688,7 +691,10 @@
- delete
+ delete {
+ interface[:host-list]...
+ zone | zone
+ host-list }The delete command reverses the effect of an earlier
- disable
+ disable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Disables the optional provider
@@ -715,7 +723,8 @@
- drop
+ drop
+ addressCauses traffic from the listed addresses
@@ -724,7 +733,9 @@
- dump
+ dump [-]
+ [-] [-]
+ [-]Produces a verbose report about the firewall configuration for
@@ -745,7 +756,9 @@
- enable
+ enable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Enables the optional provider
@@ -757,7 +770,8 @@
- forget
+ forget [
+ filename ]Deletes /var/lib/shorewall-lite/filename
@@ -778,7 +792,8 @@
- hits
+ hits [-]
+ Generates several reports from Shorewall-lite log messages in
@@ -788,7 +803,8 @@
- ipcalc
+ ipcalc { address mask |
+ address/vlsm }Ipcalc displays the network address, broadcast address,
@@ -798,7 +814,8 @@
- iprange
+ iprange
+ address1-address2Iprange decomposes the specified range of IP addresses into
@@ -807,7 +824,8 @@
- iptrace
+ iptrace iptables
+ match expressionThis is a low-level debugging command that causes iptables
@@ -835,7 +853,8 @@
- logdrop
+ logdrop
+ addressCauses traffic from the listed addresses
@@ -846,7 +865,8 @@
- logwatch
+ logwatch [-]
+ [refresh-interval]Monitors the log file specified by the LOGFILE option in
@@ -865,7 +885,8 @@
- logreject
+ logreject
+ addressCauses traffic from the listed addresses
@@ -885,7 +906,8 @@
- noiptrace
+ noiptrace iptables
+ match expressionThis is a low-level debugging command that cancels a trace
@@ -937,16 +959,30 @@
- reset
+ reject
+ address
- All the packet and byte counters in the firewall are
- reset.
+ Causes traffic from the listed addresses
+ to be silently rejected.
- restart
+ reset [chain,
+ ...]
+
+
+ Resets the packet and byte counters in the specified
+ chain(s). If no
+ chain is specified, all the packet and
+ byte counters in the firewall are reset.
+
+
+
+
+ restart [-n] [-p]
+ [-]Restart is similar to shorewall-lite
@@ -969,7 +1005,9 @@
- restore
+ restore [-]
+ [-] [-] [
+ filename ]Restore Shorewall-lite to a state saved using the
+ The option causes Shorewall to avoid
+ updating the routing table(s).
+
+ The option, added in Shorewall 4.6.5,
+ causes the connection tracking table to be flushed; the
+ conntrack utility must be installed to use this
+ option.
+
The option was added in Shorewall 4.6.5.
If the option was specified during shorewall save, then the counters saved by
@@ -997,7 +1043,9 @@
- run
+ run
+ command [
+ parameter ... ]Added in Shorewall 4.6.3. Executes
@@ -1014,7 +1062,8 @@
- save
+ save [-] [
+ filename ]The dynamic blacklist is stored in
@@ -1054,7 +1103,8 @@
- bl|blacklists
+ bl|blacklists
+ [-]Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1067,7 +1117,8 @@
- capabilities
+ [-] capabilitiesDisplays your kernel/iptables capabilities. The
@@ -1078,8 +1129,10 @@
- [ [ ] chain...
- ]
+ [-] [-]
+ [-] [-
+ {||||}]
+ [ chain... ]The rules in each chain are
@@ -1280,7 +1333,9 @@
- start
+ start [-]
+ [-] []
+ [-]Start Shorewall Lite. Existing connections through
@@ -1292,7 +1347,7 @@
table to be flushed; the conntrack utility must
be installed to use this option.
- The option prevents the firewall script
+ The option prevents the firewall script
from modifying the current routing configuration.The option was added in Shorewall 4.6.5.
diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml
index 5763a37c9..fbfef1fe9 100644
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -637,8 +637,6 @@
- -c
-
event
@@ -859,7 +857,10 @@
- add
+ add {
+ interface[:host-list]...
+ zone | zone
+ host-list }Adds a list of hosts or subnets to a dynamic zone usually used
@@ -891,7 +892,8 @@
- allow
+ allow
+ addressRe-enables receipt of packets from hosts previously
@@ -903,7 +905,10 @@
- check
+ check [-]
+ [-] [-] [-]
+ [-] [-]
+ [directory]Compiles the configuration in the specified
@@ -942,7 +947,8 @@
- clear
+ clear
+ [-]Clear will remove all rules and chains installed by Shorewall.
@@ -980,7 +986,10 @@
- compile
+ compile [-]
+ [-] [-] [-]
+ [-] [-] [ directory
+ ] [ pathname ]Compiles the current configuration into the executable file
@@ -1037,7 +1046,10 @@
- delete
+ delete {
+ interface[:host-list]...
+ zone | zone
+ host-list }The delete command reverses the effect of an earlier
- disable
+ disable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Disables the optional provider
@@ -1080,7 +1094,8 @@
- drop
+ drop
+ addressCauses traffic from the listed addresses
@@ -1089,7 +1104,9 @@
- dump
+ dump [-]
+ [-] [-]
+ [-]Produces a verbose report about the firewall configuration for
@@ -1111,7 +1128,9 @@
- enable
+ enable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Enables the optional provider
@@ -1132,7 +1151,10 @@
- export
+ export [
+ directory1 ] [
+ user@]system[:directory2
+ ]If directory1 is omitted, the current
@@ -1156,7 +1178,8 @@
- forget
+ forget [
+ filename ]Deletes /var/lib/shorewall/filename and
@@ -1176,7 +1199,8 @@
- hits
+ hits [-]
+ Generates several reports from Shorewall log messages in the
@@ -1186,7 +1210,8 @@
- ipcalc
+ ipcalc { address mask |
+ address/vlsm }Ipcalc displays the network address, broadcast address,
@@ -1196,7 +1221,8 @@
- iprange
+ iprange
+ address1-address2Iprange decomposes the specified range of IP addresses into
@@ -1205,7 +1231,8 @@
- iptrace
+ iptraceiptables
+ match expressionThis is a low-level debugging command that causes iptables
@@ -1232,7 +1259,11 @@
- load
+ load [-]
+ [-] [-
+ root-user-name] [-]
+ [-] [ directory ]
+ systemIf directory is omitted, the current
@@ -1287,7 +1318,8 @@
- logdrop
+ logdrop
+ addressCauses traffic from the listed addresses
@@ -1299,7 +1331,8 @@
- logwatch
+ logwatch [-]
+ [ refresh-interval ]Monitors the log file specified by the LOGFILE option in
@@ -1317,7 +1350,8 @@
- logreject
+ logreject
+ addressCauses traffic from the listed addresses
@@ -1338,7 +1372,8 @@
- noiptrace
+ noiptrace iptables
+ match expressionThis is a low-level debugging command that cancels a trace
@@ -1390,7 +1425,10 @@
- refresh
+ refresh [-]
+ [-] [-] [-i] [-directory ] [
+ chain... ]All steps performed by restart are
@@ -1442,7 +1480,21 @@
- reload
+ reject
+ address
+
+
+ Causes traffic from the listed addresses
+ to be silently rejected.
+
+
+
+
+ reload [-]
+ [-] [-
+ root-user-name] [-]
+ [-] [ directory ]
+ systemIf directory is omitted, the current
@@ -1497,16 +1549,22 @@
- reset
+ reset [chain,
+ ...]
- All the packet and byte counters in the firewall are
- reset.
+ Resets the packet and byte counters in the specified
+ chain(s). If no
+ chain is specified, all the packet and
+ byte counters in the firewall are reset.
- restart
+ restart [-]
+ [-] [-] [-]
+ [-] [-] [-]
+ [-] [ directory ]Restart is similar to shorewall
@@ -1560,7 +1618,9 @@
- restore
+ restore [-]
+ [-] [-] [
+ filename ]Restore Shorewall to a state saved using the
- run
+ run
+ command [
+ parameter ... ]Added in Shorewall 4.6.3. Executes
@@ -1622,7 +1684,10 @@
- safe-restart
+ safe-restart
+ [-] [-] [-timeout ] [
+ directory ]Only allowed if Shorewall is running. The current
@@ -1647,7 +1712,10 @@
- safe-start
+ safe-start[-] [-]
+ [-timeout ] [
+ directory ]Shorewall is started normally. You will then be prompted
@@ -1669,7 +1737,8 @@
- save
+ save [-] [
+ filename ]The dynamic blacklist is stored in /var/lib/shorewall/save.
@@ -1719,7 +1788,8 @@
- bl|blacklists
+ bl|blacklists
+ [-]Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1732,7 +1802,8 @@
- capabilities
+ [-] capabilitiesDisplays your kernel/iptables capabilities. The
@@ -1743,8 +1814,10 @@
- [ [ ] chain...
- ]
+ [-] [-]
+ [-] [-
+ {||||}]
+ [ chain... ]The rules in each chain are
@@ -1886,7 +1959,8 @@
- nat
+ [-] natDisplays the Netfilter nat table using the command
@@ -1921,7 +1995,8 @@
- routing
+ [-]
+ routingDisplays the system's IPv4 routing configuration.
@@ -1931,7 +2006,8 @@
- raw
+ [-] rawDisplays the Netfilter raw table using the command
@@ -1965,7 +2041,11 @@
- start
+ start
+ [-] [-]
+ [-] [-] [-]
+ [-] [-] [-] [
+ directory ]Start shorewall. Existing connections through shorewall
@@ -2025,7 +2105,8 @@
- stop
+ stop
+ [-]Stops the firewall. All existing connections, except those
@@ -2047,7 +2128,8 @@
- status
+ status
+ [-]Produces a short report about the state of the
@@ -2060,7 +2142,9 @@
- try
+ try
+ directory [
+ timeout ]If Shorewall is started then the firewall state is saved to a
@@ -2095,7 +2179,11 @@
- update
+ update [-]
+ [-] [-] [-]
+ [-] [-] [-]
+ [-] [-] [
+ directory ]Added in Shorewall 4.4.21 and causes the compiler to update
@@ -2187,7 +2275,8 @@
- version
+ version
+ [-]Displays Shorewall's version. The option
diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml
index 5916205d2..23146e42f 100644
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -197,37 +197,6 @@
choice="plain">
-
- shorewall6-lite
-
- |
-
- -options
-
-
-
-
- address
- mask
-
- address/vlsm
-
-
-
-
- shorewall6-lite
-
- |
-
- -options
-
-
-
- address1address2
-
-
shorewall6-lite
@@ -347,8 +316,6 @@
-
- directory
@@ -635,7 +602,10 @@
- add
+ add {
+ interface[:host-list]...
+ zone | zone
+ host-list }Adds a list of hosts or subnets to a dynamic zone usually used
@@ -660,7 +630,8 @@
- allow
+ allow
+ addressRe-enables receipt of packets from hosts previously
@@ -671,7 +642,8 @@
- clear
+ clear
+ [-]Clear will remove all rules and chains installed by
@@ -708,7 +680,10 @@
- delete
+ delete {
+ interface[:host-list]...
+ zone | zone
+ host-list }The delete command reverses the effect of an earlier
@@ -723,7 +698,9 @@
- disable
+ disable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Disables the optional provider
@@ -735,7 +712,8 @@
- drop
+ drop
+ addressCauses traffic from the listed
@@ -744,7 +722,9 @@
- dump
+ dump [-]
+ [-] [-]
+ [-]Produces a verbose report about the firewall configuration for
@@ -766,7 +746,9 @@
- enable
+ enable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Enables the optional provider
@@ -778,7 +760,8 @@
- forget
+ forget [
+ filename ]Deletes
@@ -810,26 +793,8 @@
- ipcalc
-
-
- Ipcalc displays the network address, broadcast address,
- network in CIDR notation and netmask corresponding to the
- input[s].
-
-
-
-
- iprange
-
-
- Iprange decomposes the specified range of IP addresses into
- the equivalent list of network/host addresses.
-
-
-
-
- iptrace
+ iptrace ip6tables
+ match expressionThis is a low-level debugging command that causes iptables
@@ -857,7 +822,8 @@
- logdrop
+ logdrop
+ addressCauses traffic from the listed
@@ -869,7 +835,8 @@
- logwatch
+ logwatch [-]
+ [refresh-interval]Monitors the log file specified by the LOGFILE option in
@@ -891,7 +858,8 @@
- logreject
+ logreject
+ addressCauses traffic from the listed
@@ -912,13 +880,15 @@
- noiptrace
+ noiptrace
+ ip6tables match
+ expressionThis is a low-level debugging command that cancels a trace
started by a preceding iptrace command.
- The iptables match expression must
+ The ip6tables match expression must
be one given in the iptrace command being
canceled.
@@ -964,16 +934,30 @@
- reset
+ reject
+ address
- All the packet and byte counters in the firewall are
- reset.
+ Causes traffic from the listed addresses
+ to be silently rejected.
- restart
+ reset [chain,
+ ...]
+
+
+ Resets the packet and byte counters in the specified
+ chain(s). If no
+ chain is specified, all the packet and
+ byte counters in the firewall are reset.
+
+
+
+
+ restart [-n] [-p]
+ [-]Restart is similar to shorewall6-lite start
@@ -1004,7 +988,9 @@
- restore
+ restore [-]
+ [-] [-] [
+ filename ]Restore shorewall6-lite to a state saved using the
@@ -1026,7 +1012,9 @@
- run
+ run
+ command [
+ parameter ... ]Added in Shorewall 4.6.3. Executes
@@ -1043,7 +1031,8 @@
- save
+ save [-] [
+ filename ]The dynamic blacklist is stored in
@@ -1084,7 +1073,8 @@
- bl|blacklists
+ [-] bl|blacklistsAdded in Shorewall 4.6.2. Displays the dynamic chain
@@ -1097,7 +1087,8 @@
- capabilities
+ [-] capabilitiesDisplays your kernel/iptables capabilities. The
@@ -1108,8 +1099,10 @@
- [ [ ] chain...
- ]
+ [-] [-]
+ [-] [-
+ {||||}][
+ chain... ]The rules in each chain are
@@ -1243,11 +1236,12 @@
- nat
+ [-] natDisplays the Netfilter nat table using the command
- iptables -t nat -L -n -v.The
+ ip6tables -t nat -L -n -v.The
option is passed directly through to
iptables and causes actual packet and byte counts to be
displayed. Without this option, those counts are
@@ -1268,17 +1262,8 @@
- routing
-
-
- Displays the system's IPv4 routing configuration. The -c
- option causes the route cache to be displayed in addition to
- the other routing information.
-
-
-
-
- raw
+ [-] rawDisplays the Netfilter raw table using the command
@@ -1290,6 +1275,17 @@
+
+ [-]
+ routing
+
+
+ Displays the system's IPv4 routing configuration. The -c
+ option causes the route cache to be displayed in addition to
+ the other routing information.
+
+
+
tc
@@ -1312,7 +1308,9 @@
- start
+ start [-]
+ [-] []
+ [-]Start Shorewall6 Lite. Existing connections through
@@ -1324,7 +1322,7 @@
table to be flushed; the conntrack utility must
be installed to use this option.
- The option prevents the firewall script
+ The option prevents the firewall script
from modifying the current routing configuration.The option was added in Shorewall 4.6.5.
@@ -1343,7 +1341,8 @@
- stop
+ stop
+ [-]Stops the firewall. All existing connections, except those
@@ -1377,7 +1376,8 @@
- version
+ version
+ [-]Displays Shorewall's version. The option
diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml
index 38d97c7cc..ec0d3d9c4 100644
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -799,7 +799,10 @@
- add
+ add {
+ interface[:host-list]...
+ zone | zone
+ host-list }Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
@@ -831,7 +834,8 @@
- allow
+ allow
+ addressRe-enables receipt of packets from hosts previously
@@ -843,7 +847,10 @@
- check
+ check [-]
+ [-] [-] [-]
+ [-] [-]
+ [directory]Compiles the configuration in the specified
@@ -883,7 +890,8 @@
- clear
+ clear
+ [-]Clear will remove all rules and chains installed by
@@ -915,7 +923,11 @@
- compile
+ compile [-]
+ [-] [-] [-]
+ [-] [-]
+ [directory]
+ [pathname ]Compiles the current configuration into the executable file
@@ -971,7 +983,10 @@
- delete
+ delete {
+ interface[:host-list]...
+ zone | zone
+ host-list }Added in Shorewall 4.4.21. The delete command reverses the
@@ -996,7 +1011,9 @@
- disable
+ disable
+ { interface |
+ provider }Added in Shorewall 4.4.26. Disables the optional provider
@@ -1015,7 +1032,8 @@
- drop
+ drop
+ addressCauses traffic from the listed addresses
@@ -1024,7 +1042,9 @@
- dump
+ dump [-]
+ [-] [-]
+ [-]Produces a verbose report about the firewall configuration for
@@ -1046,7 +1066,9 @@
- enable
+ enable {
+ interface |
+ provider }Added in Shorewall 4.4.26. Enables the optional provider
@@ -1067,7 +1089,10 @@
- export
+ export
+ [directory1 ]
+ [user@]system[:directory2
+ ]If directory1 is omitted, the current
@@ -1091,7 +1116,8 @@
- forget
+ forget [
+ filename ]Deletes /var/lib/shorewall6/filename
@@ -1112,7 +1138,8 @@
- iptrace
+ iptrace ip6tables
+ match expressionThis is a low-level debugging command that causes iptables
@@ -1140,7 +1167,11 @@
- load
+ load [-]
+ [-] [-
+ root-user-name] [-]
+ [-] [ directory ]
+ systemIf directory is omitted, the current
@@ -1195,7 +1226,8 @@
- logdrop
+ logdrop
+ addressCauses traffic from the listed addresses
@@ -1207,7 +1239,8 @@
- logwatch
+ logwatch [-]
+ [refresh-interval]Monitors the log file specified by the LOGFILE option in
@@ -1225,7 +1258,8 @@
- logreject
+ logreject
+ addressCauses traffic from the listed addresses
@@ -1246,7 +1280,9 @@
- noiptrace
+ noiptrace
+ ip6tables match
+ expressionThis is a low-level debugging command that cancels a trace
@@ -1298,7 +1334,10 @@
- refresh
+ refresh [-]
+ [-] [-] [-i]
+ [-directory ] [
+ chain... ]All steps performed by restart are
@@ -1350,7 +1389,21 @@
- reload
+ reject
+ address
+
+
+ Causes traffic from the listed addresses
+ to be silently rejected.
+
+
+
+
+ reload [-]
+ [-] [-
+ root-user-name] [-]
+ [-] [ directory ]
+ systemIf directory is omitted, the current
@@ -1417,7 +1470,10 @@
- restart
+ restart [-]
+ [-] [-] [-]
+ [-] [-] [-]
+ [-] [ directory ]Restart is similar to shorewall6 start
@@ -1472,7 +1528,9 @@
- restore
+ restore [-]
+ [-] [-] [
+ filename ]Restore Shorewall6 to a state saved using the
@@ -1500,7 +1558,9 @@
- run
+ run
+ command [
+ parameter ... ]Added in Shorewall 4.6.3. Executes
@@ -1523,7 +1583,10 @@
- safe-restart
+ safe-restart
+ [-] [-]
+ [-timeout ] [
+ directory ]Only allowed if Shorewall6 is running. The current
@@ -1549,7 +1612,10 @@
- safe-start
+ safe-start
+ [-] [-]
+ [-timeout ] [
+ directory ]Shorewall6 is started normally. You will then be prompted
@@ -1571,7 +1637,8 @@
- save
+ save [-] [
+ filename ]The dynamic blacklist is stored in
@@ -1622,7 +1689,8 @@
- bl|blacklists
+ [-] bl|blacklists
+ Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -1635,7 +1703,8 @@
- capabilities
+ [-] capabilitiesDisplays your kernel/ip6tables capabilities. The
@@ -1646,8 +1715,10 @@
- [ [ ] chain...
- ]
+ [-] [-]
+ [-] [-
+ {||||}][
+ chain... ]The rules in each chain are
@@ -1776,6 +1847,20 @@
+
+ [-] nat
+
+
+ Displays the Netfilter nat table using the command
+ ip6tables -t nat -L -n -v.
+ The -x option is passed
+ directly through to ip6tables and causes actual packet and
+ byte counts to be displayed. Without this option, those counts
+ are abbreviated.
+
+
+
opens
@@ -1799,7 +1884,22 @@
- routing
+ [-] raw
+
+
+ Displays the Netfilter raw table using the command
+ ip6tables -t raw -L -n -v.
+ The -x option is passed
+ directly through to ip6tables and causes actual packet and
+ byte counts to be displayed. Without this option, those counts
+ are abbreviated.
+
+
+
+
+ [-]routingDisplays the system's IPv6 routing configuration. The -c
@@ -1830,7 +1930,11 @@
- start
+ start
+ [-] [-]
+ [-] [-] [-]
+ [-] [-] [-] [
+ directory ]Start shorewall6. Existing connections through shorewall6
@@ -1886,7 +1990,8 @@
- stop
+ stop
+ [-]Stops the firewall. All existing connections, except those
@@ -1898,6 +2003,12 @@
is from systems listed in shorewall6-routestopped(5)
or by ADMINISABSENTMINDED.
+
+ If is given, the command will be processed
+ by the compiled script that executed the last successful start, restart or refresh command if that script exists.
@@ -1915,7 +2026,9 @@
- try
+ try
+ directory [
+ timeout ]If Shorewall6 is started then the firewall state is saved to a
@@ -1949,7 +2062,11 @@
- update
+ update [-]
+ [-] [-] [-]
+ [-] [-] [-]
+ [-] [-] [
+ directory ]Added in Shorewall 4.4.21 and causes the compiler to update
@@ -2041,7 +2158,8 @@
- version
+ version
+ [-]Displays Shorewall6's version. If the