From 320cc822fee63e3fc5c16ab0c6f8216bf141e417 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 5 Dec 2011 13:51:18 -0800 Subject: [PATCH] Flesh out CT description in the man pages Signed-off-by: Tom Eastep --- manpages/shorewall-notrack.xml | 60 +++++++++++++++++++++++++++++--- manpages6/shorewall6-notrack.xml | 58 +++++++++++++++++++++++++++--- 2 files changed, 109 insertions(+), 9 deletions(-) diff --git a/manpages/shorewall-notrack.xml b/manpages/shorewall-notrack.xml index 1852df6d9..756cbffd8 100644 --- a/manpages/shorewall-notrack.xml +++ b/manpages/shorewall-notrack.xml @@ -53,15 +53,65 @@ ACTION - {NOTRACK|CT:option:args} + role="bold">CT:option[:arg,...]} This column is only present when FORMAT = 2. Values other than NOTRACK require CT Target support in your - iptables and kernel. Type man iptables and search - for the CT target extension. The text will describe the - options and - args supported. + iptables and kernel. + + Possible values for option and + args are: + + + + (no + arg) + + Disables connection tracking for this packet, the same as + if NOTRACK has been specified in this column. + + + + :name + + Use the helper identified by the name to this connection. + This is more flexible than loading the conntrack helper with + preset ports. + + + + :event,... + + Only generate the specified conntrack events for this + connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not packet + mark), natseqinfo, and + secmark. + + + + + + Only generate a new expectation events for this + connection. + + + + :id + + Assign this packet to zone id + and only have lookups done in that zone. By default, packets + have zone 0. + + When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column. diff --git a/manpages6/shorewall6-notrack.xml b/manpages6/shorewall6-notrack.xml index 9193f44b8..f5344b884 100644 --- a/manpages6/shorewall6-notrack.xml +++ b/manpages6/shorewall6-notrack.xml @@ -57,10 +57,60 @@ This column is only present when FORMAT = 2. Values other than NOTRACK require CT Target support in your - iptables and kernel. Type man iptables and search - for the CT target extension. The text will describe the - options and - args supported. + iptables and kernel. + + Possible values for option and + args are: + + + + (no + arg) + + Disables connection tracking for this packet, the same as + if NOTRACK has been specified in this column. + + + + :name + + Use the helper identified by the name to this connection. + This is more flexible than loading the conntrack helper with + preset ports. + + + + :event,... + + Only generate the specified conntrack events for this + connection. Possible event types are: new, related, destroy, reply, assured, protoinfo, helper, mark (this is connection mark, not packet + mark), natseqinfo, and + secmark. + + + + + + Only generate a new expectation events for this + connection. + + + + :id + + Assign this packet to zone id + and only have lookups done in that zone. By default, packets + have zone 0. + + When FORMAT = 1, this column is not present and the rule is processed as if NOTRACK had been entered in this column.