diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 7ffeb05c0..17fbbdfb6 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -141,22 +141,14 @@ sub process_section ($) {
#
# Accounting
#
-sub process_accounting_rule( ) {
+sub process_accounting_rule1( $$$$$$$$$$$ ) {
+
+ my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
$acctable = $config{ACCOUNTING_TABLE};
$jumpchainref = 0;
- my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
- split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
-
- fatal_error 'ACTION must be specified' if $action eq '-';
-
- if ( $action eq 'SECTION' ) {
- process_section( $chain );
- return 0;
- }
-
$asection = LEGACY if $asection < 0;
our $disposition = '';
@@ -409,6 +401,28 @@ sub process_accounting_rule( ) {
return 1;
}
+sub process_accounting_rule( ) {
+
+ my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+ split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
+
+ my $nonempty = 0;
+
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ fatal_error 'ACTION must be specified' if $action eq '-';
+
+ if ( $action eq 'SECTION' ) {
+ process_section( $chain );
+ } else {
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ $nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
+ }
+ }
+ }
+
+ $nonempty;
+}
+
sub setup_accounting() {
if ( my $fn = open_file 'accounting', 1, 1 ) {
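Review bot: The new `process_accounting_rule` nests two identical `for my $proto ( split_list $protos, 'Protocol' )` loops, so a PROTO list with N entries reaches `process_accounting_rule1` N×N times, and a SECTION record reaches `process_section` once per list element. Unless the helper de-duplicates (its body lies outside this hunk), the repeated rules would each count the same packets and may skew the accounting totals. Drop the outer `for` and its closing brace, run `fatal_error 'ACTION must be specified' if $action eq '-';` and the SECTION test once at the top level, and keep only the inner loop around the `process_accounting_rule1` call.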
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 2fbe49488..9ca14dc1c 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -682,7 +682,7 @@ sub process_stoppedrules() {
$result = 1;
- my ( $target, $source, $dest, $proto, $ports, $sports ) =
+ my ( $target, $source, $dest, $protos, $ports, $sports ) =
split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };
fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
@@ -730,16 +730,18 @@ sub process_stoppedrules() {
unless ( $restriction == OUTPUT_RESTRICT
&& $target eq 'ACCEPT'
&& $config{ADMINISABSENTMINDED} ) {
- expand_rule( $chainref ,
- $restriction ,
- do_proto( $proto, $ports, $sports ) ,
- $source ,
- $dest ,
- '' ,
- $target,
- '',
- $disposition,
- do_proto( $proto, '-', '-' ) );
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ expand_rule( $chainref ,
+ $restriction ,
+ do_proto( $proto, $ports, $sports ) ,
+ $source ,
+ $dest ,
+ '' ,
+ $target,
+ '',
+ $disposition,
+ do_proto( $proto, '-', '-' ) );
+ }
} else {
warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
}
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 7e66c4bf7..d9730e1d7 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -56,12 +56,9 @@ sub initialize() {
#
# Process a single rule from the the masq file
#
-sub process_one_masq( )
+sub process_one_masq1( $$$$$$$$$$ )
{
- my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
- split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
-
- fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+ my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
my $pre_nat;
my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
@@ -272,6 +269,18 @@ sub process_one_masq( )
}
+sub process_one_masq( )
+{
+ my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+ split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
+
+ fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
+ }
+}
+
#
# Process the masq file
#
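Review bot: A negated list is not handled before `process_one_masq` splits `$protos`, although the shorewall-masq.xml hunk in this commit documents the column as `[!]{protocol-name|protocol-number}[,...]`. Unless `split_list` treats a leading `!` specially (it is not shown here), `!tcp,udp` would reach `process_one_masq1` as `!tcp` and then `udp`, and the first of those rules alone already matches UDP, so the entry would cover more traffic than a reader of the manpage expects. Either reject the combination before the loop, for example `fatal_error "A negated protocol list is not supported ($protos)" if $protos =~ /^!.*,/;`, or confirm that the helper (body outside this hunk) applies the negation to every element and document that.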
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index e3e358743..777f509c9 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -234,44 +234,46 @@ sub setup_conntrack() {
first_entry( "$doing $fn..." );
while ( read_a_line( NORMAL_READ ) ) {
- my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
+ my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
if ( $file_format == 1 ) {
- ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
+ ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
$action = 'NOTRACK';
} else {
- ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+ ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
}
$empty = 0;
- if ( $file_format < 3 ) {
- if ( $source =~ /^all(-)?(:(.+))?$/ ) {
- fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
- for my $zone ( $1 ? off_firewall_zones : all_zones ) {
- process_conntrack_rule( undef ,
- undef,
- $action,
- $zone . ( $2 || ''),
- $dest,
- $proto,
- $ports,
- $sports,
- $user ,
- $switch );
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ if ( $file_format < 3 ) {
+ if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+ fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+ for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+ process_conntrack_rule( undef ,
+ undef,
+ $action,
+ $zone . ( $2 || ''),
+ $dest,
+ $proto,
+ $ports,
+ $sports,
+ $user ,
+ $switch );
+ }
+ } else {
+ process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
+ } elsif ( $action =~ s/:O$// ) {
+ process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+ process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} else {
- process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+ $action =~ s/:P//;
+ process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
}
- } elsif ( $action =~ s/:O$// ) {
- process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
- } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
- process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
- process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
- } else {
- $action =~ s/:P//;
- process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
- }
+ }
}
if ( $name eq 'notrack') {
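Review bot: The chain-suffix substitutions `$action =~ s/:O$//`, `s/:OP//`, `s/:PO//` and `s/:P//` modify `$action` in place and now run inside the per-protocol loop, so they only match on the first iteration. For `$file_format` 3 and later, an entry such as `NOTRACK:O` with `tcp,udp` would place the tcp rule in `$raw_table->{OUTPUT}`, while the udp rule falls through to the final `else` and lands in PREROUTING; `:OP` loses its OUTPUT rule for every protocol after the first in the same way. Making the loop work on its own copy, `my $action = $action;` as the first statement of the `for` body, keeps each iteration's dispatch identical, provided nothing after the loop relies on the stripped value (the rest of `setup_conntrack` is outside this hunk). Resolving the suffix to a chain list once before the loop would work equally well.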
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index d1923ec2b..223039bab 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -204,16 +204,8 @@ sub initialize( $ ) {
$divertref = 0;
}
-sub process_tc_rule( ) {
- my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
- if ( $family == F_IPV4 ) {
- ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
- split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
- $headers = '-';
- } else {
- ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
- split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
- }
+sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
+ my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
our %tccmd;
@@ -693,6 +685,22 @@ sub process_tc_rule( ) {
}
+sub process_tc_rule( ) {
+ my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+ if ( $family == F_IPV4 ) {
+ ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+ split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
+ $headers = '-';
+ } else {
+ ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+ split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
+ }
+
+ for my $proto (split_list( $protos, 'Protocol' ) ) {
+ process_tc_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+ }
+}
+
sub rate_to_kbit( $ ) {
my $rate = $_[0];
@@ -1539,11 +1547,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
#
# Process a record from the tcfilters file
#
-sub process_tc_filter() {
+sub process_tc_filter1( $$$$$$$$$ ) {
- my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
-
- fatal_error 'CLASS must be specified' if $devclass eq '-';
+ my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = @_;
my ($device, $class, $rest ) = split /:/, $devclass, 3;
@@ -1814,6 +1820,18 @@ sub process_tc_filter() {
}
+sub process_tc_filter() {
+
+ my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority )
+ = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
+
+ fatal_error 'CLASS must be specified' if $devclass eq '-';
+
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ process_tc_filter1( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority );
+ }
+}
+
#
# Process the tcfilter file storing the compiled filters in the %tcdevices table
#
@@ -1854,16 +1872,8 @@ sub process_tcfilters() {
#
# Process a tcpri record
#
-sub process_tc_priority() {
- my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
-
- fatal_error 'BAND must be specified' if $band eq '-';
-
- fatal_error "Invalid tcpri entry" if ( $proto eq '-' &&
- $ports eq '-' &&
- $address eq '-' &&
- $interface eq '-' &&
- $helper eq '-' );
+sub process_tc_priority1( $$$$$$ ) {
+ my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
my $val = numeric_value $band;
@@ -1911,6 +1921,26 @@ sub process_tc_priority() {
}
}
+sub process_tc_priority() {
+ my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+ fatal_error 'BAND must be specified' if $band eq '-';
+
+ fatal_error "Invalid tcpri entry" if ( $protos eq '-' &&
+ $ports eq '-' &&
+ $address eq '-' &&
+ $interface eq '-' &&
+ $helper eq '-' );
+
+ my $val = numeric_value $band;
+
+ fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+ for my $proto ( split_list $protos, 'Protocol' ) {
+ process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+ }
+}
+
#
# Process tcinterfaces
#
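Review bot: The wrapper `process_tc_priority` computes `my $val = numeric_value $band;` only to feed `fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;`, while the earlier hunk shows `process_tc_priority1` still opening with the same `my $val = numeric_value $band;`. If the helper keeps its own range check (its body continues outside the hunk), the band is validated once here and again for every protocol in the list. Keep the check in one place: either remove these two statements from the wrapper, or validate here and pass the helper an already checked value.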
@@ -2267,11 +2297,8 @@ sub setup_traffic_shaping() {
#
# Process a record in the secmarks file
#
-sub process_secmark_rule() {
- my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
- split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
-
- fatal_error 'SECMARK must be specified' if $secmark eq '-';
+sub process_secmark_rule1( $$$$$$$$$ ) {
+ my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = @_;
my %chns = ( T => 'tcpost' ,
P => 'tcpre' ,
@@ -2331,6 +2358,20 @@ sub process_secmark_rule() {
}
+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+ my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) =
+ split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+ fatal_error 'SECMARK must be specified' if $secmark eq '-';
+
+ for my $proto ( split_list( $protos, 'Protocol' ) ) {
+ process_secmark_rule1( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark );
+ }
+}
+
#
# Process the tcrules file and setup traffic shaping
#
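Review bot: Both `process_secmark_rule1` and the new `process_secmark_rule` now carry the identical header comment `# Process a record in the secmarks file`, which hides the split of responsibilities. Suggest rewording the wrapper's comment to `# Process a record in the secmarks file, expanding a PROTO list into one rule per protocol` and the helper's to `# Process a secmarks rule for a single protocol`. The other wrappers added in this commit (`process_one_masq`, `process_tc_rule`, `process_tc_filter`, `process_tc_priority`) have no header comment at all, and their helpers inherit the old ones, so the same wording fix applies there.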
diff --git a/Shorewall/manpages/shorewall-accounting.xml b/Shorewall/manpages/shorewall-accounting.xml
index 060b9eee3..21086ce5f 100644
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -392,12 +392,12 @@
PROTOCOL (proto) - {-|any|{any|all|protocol-name|protocol-number|ipp2p[:{udp|all}]}
+ role="bold">all}]}[,...]}
A protocol-name (from protocols(5)), a
@@ -405,6 +405,9 @@
role="bold">ipp2p, ipp2p:udp or ipp2p:all
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 80304fbb5..efbfba528 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -176,10 +176,10 @@
-
+
-
+
@@ -348,11 +348,18 @@
PROTO ‒
- protocol-name-or-number
+ protocol-name-or-number[,...]
A protocol name from /etc/protocols or a
protocol number.
+
+ Beginning with Shorewall 4.5.12, this column is labeled
+ PROTOS and can accept a
+ comma-separated list of protocols. Either proto or protos is accepted in the alternate input
+ format.
diff --git a/Shorewall/manpages/shorewall-masq.xml b/Shorewall/manpages/shorewall-masq.xml
index 1220304f4..2c45db006 100644
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -219,12 +219,15 @@
PROTO (Optional) - {-|[!]protocol-name|[!]protocol-number}
+ role="bold">-|[!]{protocol-name|protocol-number}[,...]}
If you wish to restrict this entry to a particular protocol
then enter the protocol name (from protocols(5)) or number
here.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall/manpages/shorewall-secmarks.xml b/Shorewall/manpages/shorewall-secmarks.xml
index da085489e..4dd094212 100644
--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -227,11 +227,14 @@
role="bold">ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+ role="bold">all}[,...]
Protocol - ipp2p requires
ipp2p match support in your kernel and iptables.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall/manpages/shorewall-stoppedrules.xml b/Shorewall/manpages/shorewall-stoppedrules.xml
index 5f3acc4de..29cc18768 100644
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -92,10 +92,13 @@
PROTO (Optional) ‒
- protocol-name-or-number
+ protocol-name-or-number[,...]
Protocol.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall/manpages/shorewall-tcfilters.xml b/Shorewall/manpages/shorewall-tcfilters.xml
index 40cbd0868..29e2c80f0 100644
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -105,11 +105,14 @@
PROTO - {-|protocol-number|protocol-name|all}
+ role="bold">-|{protocol-number|protocol-name|all}[,...]}
Protocol.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall/manpages/shorewall-tcpri.xml b/Shorewall/manpages/shorewall-tcpri.xml
index b9dd81107..a25e69472 100644
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -72,11 +72,14 @@
PROTO -
- protocol
+ protocol[,...]
Optional. The name or number of an IPv4
protocol.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
@@ -155,10 +158,9 @@
shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
- shorewall-proxyarp(5), shorewall-rtrules(5),
- shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
- shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
- shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
- shorewall-zones(5)
+ shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+ shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index 9600559a7..a6bc173fa 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -877,15 +877,18 @@ Normal-Service => 0x00
PROTO - {-|tcp:syn|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+ role="bold">all}[,...]}
Protocol - ipp2p requires
ipp2p match support in your kernel and iptables.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall6/manpages/shorewall6-accounting.xml b/Shorewall6/manpages/shorewall6-accounting.xml
index 4f94c59c1..32b36bbbf 100644
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -346,6 +346,9 @@
role="bold">ipp2p, ipp2p:udp or ipp2p:all
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index acb54d62c..25bd14464 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -244,11 +244,14 @@
PROTO ‒
- protocol-name-or-number
+ protocol-name-or-number[,...]
A protocol name from /etc/protocols or a
protocol number.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall6/manpages/shorewall6-secmarks.xml b/Shorewall6/manpages/shorewall6-secmarks.xml
index 63d9bf210..547683b45 100644
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -226,6 +226,9 @@
Protocol - ipp2p requires
ipp2p match support in your kernel and iptables.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall6/manpages/shorewall6-stoppedrules.xml b/Shorewall6/manpages/shorewall6-stoppedrules.xml
index 813737e7c..f3250def5 100644
--- a/Shorewall6/manpages/shorewall6-stoppedrules.xml
+++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml
@@ -92,10 +92,13 @@
PROTO (Optional) ‒
- protocol-name-or-number
+ protocol-name-or-number[,...]
Protocol.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
diff --git a/Shorewall6/manpages/shorewall6-tcfilters.xml b/Shorewall6/manpages/shorewall6-tcfilters.xml
index a6a405f68..c2b5ee9ae 100644
--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@@ -101,11 +101,14 @@
PROTO - {-|protocol-number|protocol-name|all}
+ role="bold">-|{protocol-number|protocol-name|all}[,...]}
Protocol.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
@@ -317,6 +320,6 @@
http://shorewall.net/PacketMarking.html
-
+
diff --git a/Shorewall6/manpages/shorewall6-tcpri.xml b/Shorewall6/manpages/shorewall6-tcpri.xml
index f8e2f5edf..143aa89f4 100644
--- a/Shorewall6/manpages/shorewall6-tcpri.xml
+++ b/Shorewall6/manpages/shorewall6-tcpri.xml
@@ -72,11 +72,14 @@
PROTO -
- protocol
+ protocol[,...]
Optional. The name or number of an IPv4
protocol.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.
@@ -149,10 +152,10 @@
PRIO(8), shorewall6(8), shorewall6-accounting(5),
shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
- shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
- shorewall6-providers(5), shorewall6-rtrules(5),
- shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
- shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
- shorewall6-zones(5)
+ shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+ shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
+ shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+ shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5),
+ shorewall6-tunnels(5), shorewall6-zones(5)
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index 3213c8ba3..c545b3695 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -753,15 +753,18 @@ Normal-Service => 0x00
PROTO - {-|tcp:syn|{tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+ role="bold">all}[,...]}
Protocol - ipp2p requires
ipp2p match support in your kernel and ip6tables.
+
+ Beginning with Shorewall 4.5.12, this column can accept a
+ comma-separated list of protocols.