From 4d23ec2c486e26229286c1b85e52796cd8991fa3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 3 May 2012 10:07:36 -0700 Subject: [PATCH] Belatedly document FORMAT-2 interfaces Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall-interfaces.xml | 73 ++++++++++++++----- Shorewall6/manpages/shorewall6-interfaces.xml | 39 +++++++++- 2 files changed, 89 insertions(+), 23 deletions(-) diff --git a/Shorewall/manpages/shorewall-interfaces.xml b/Shorewall/manpages/shorewall-interfaces.xml index a7802ce62..2b0237d42 100644 --- a/Shorewall/manpages/shorewall-interfaces.xml +++ b/Shorewall/manpages/shorewall-interfaces.xml @@ -27,6 +27,34 @@ interfaces to Shorewall. The order of entries in this file is not significant in determining zone composition. + Beginning with Shorewall 4.5.3, the interfaces file supports two + different formats: + + + + FORMAT 1 (default - deprecated) + + + There is a BROADCAST column which can be used to specify the + broadcast address associated with the interface. + + + + + FORMAT 2 + + + The BROADCAST column is omitted. + + + + + The format is specified by a line as follows: + +
+ FORMAT {1|2} +
+ The columns in the file are as follows. @@ -128,6 +156,8 @@ loc eth2 - role="bold">detect|address[,address]...} + Only available if FORMAT 1. + If you use the special value detect, Shorewall will detect the broadcast address(es) for you if your iptables and kernel include Address Type @@ -172,7 +202,7 @@ loc eth2 - changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. - + This option does not work with a wild-card @@ -206,7 +236,7 @@ loc eth2 - 8 - do not reply for all local addresses - + This option does not work with a wild-card @@ -214,7 +244,7 @@ loc eth2 - the INTERFACE column. - + Do not specify 1 teastep@lists:~$ - + This option does not work with a wild-card @@ -629,7 +659,7 @@ loc eth2 - changed; the value assigned to the setting will be the value specified (if any) or 1 if no value is given. - + This option does not work with a wild-card @@ -705,11 +735,14 @@ loc eth2 - connected to your local network and that your local subnet is 192.168.1.0/24. The interface gets its IP address via DHCP from subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24 - using eth2. + using eth2. Your iptables and/or kernel do not support "Address Type + Match" and you prefer to specify broadcast addresses explicitly + rather than having Shorewall detect them. Your entries for this setup would look like: - #ZONE INTERFACE BROADCAST OPTIONS + FORMAT 1 +#ZONE INTERFACE BROADCAST OPTIONS net eth0 206.191.149.223 dhcp loc eth1 192.168.1.255 dmz eth2 192.168.2.255 @@ -723,10 +756,11 @@ dmz eth2 192.168.2.255 The same configuration without specifying broadcast addresses is: - #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp -loc eth1 detect -dmz eth2 detect + FORMAT 2 +#ZONE INTERFACE OPTIONS +net eth0 dhcp +loc eth1 +dmz eth2 @@ -737,7 +771,8 @@ dmz eth2 detect You have a simple dial-in system with no ethernet connections. - #ZONE INTERFACE BROADCAST OPTIONS + FORMAT 2 +#ZONE INTERFACE OPTIONS net ppp0 - @@ -749,8 +784,9 @@ net ppp0 - You have a bridge with no IP address and you want to allow traffic through the bridge. - #ZONE INTERFACE BROADCAST OPTIONS -- br0 - routeback + FORMAT 2 +#ZONE INTERFACE OPTIONS +- br0 routeback @@ -772,10 +808,9 @@ net ppp0 - shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), - shorewall-proxyarp(5), shorewall-rtrules(5), - shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), - shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), - shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), - shorewall-zones(5) + shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), + shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), + shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), + shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5) diff --git a/Shorewall6/manpages/shorewall6-interfaces.xml b/Shorewall6/manpages/shorewall6-interfaces.xml index 526a31295..4ebe35b85 100644 --- a/Shorewall6/manpages/shorewall6-interfaces.xml +++ b/Shorewall6/manpages/shorewall6-interfaces.xml @@ -27,6 +27,34 @@ interfaces to shorewall6. The order of entries in this file is not significant in determining zone composition. + Beginning with Shorewall 4.5.3, the interfaces file supports two + different formats: + + + + FORMAT 1 (default - deprecated) + + + There is a ANYCAST column which provides compatibility with + older versions of Shorewall.. + + + + + FORMAT 2 + + + The BROADCAST column is omitted. + + + + + The format is specified by a line as follows: + +
+ FORMAT {1|2} +
+ The columns in the file are as follows. @@ -101,7 +129,8 @@ loc eth2 - Enter '-' in this column. It - is here for compatibility between Shorewall6 and Shorewall. + is here for compatibility between Shorewall6 and Shorewall and is + omitted if FORMAT is 2. @@ -438,7 +467,8 @@ loc eth2 - Your entries for this setup would look like: - #ZONE INTERFACE UNICAST OPTIONS + FORMAT 2 +#ZONE INTERFACE OPTIONS net eth0 - loc eth1 - dmz eth2 - @@ -452,8 +482,9 @@ dmz eth2 - You have a bridge with no IP address and you want to allow traffic through the bridge. - #ZONE INTERFACE BROADCAST OPTIONS -- br0 - routeback + FORMAT 2 +#ZONE INTERFACE OPTIONS +- br0 routeback