From 5ae3e239e6b60948b043014020ca1eef990d4949 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 16 Jan 2010 11:51:32 -0800 Subject: [PATCH] Update manpages for functionality backported from 4.5 Signed-off-by: Tom Eastep --- manpages/shorewall.conf.xml | 148 ++++++++++++++++++++---- manpages6/shorewall6.conf.xml | 206 +++++++++++++++++++--------------- 2 files changed, 241 insertions(+), 113 deletions(-) diff --git a/manpages/shorewall.conf.xml b/manpages/shorewall.conf.xml index ddda6fdda..9c6ef27b5 100644 --- a/manpages/shorewall.conf.xml +++ b/manpages/shorewall.conf.xml @@ -169,6 +169,19 @@ + + ACCOUNTING=[Yes|No] + + + Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting + is enabled (see shorewall-accounting(5)). If + not specified or set to the empty value, ACCOUNTING=Yes is + assumed. + + + ADD_IP_ALIASES=[Yes|No] @@ -462,20 +475,21 @@ role="bold">DONT_LOAD=[module[,module]...] - Added in Shorewall-4.0.6. Causes Shorewall to not load the - listed modules. + Causes Shorewall to not load the listed kernel modules. - DYNAMIC_ZONES={DYNAMIC_BLACKLIST={Yes|No} - When set to Yes or yes, enables dynamic zones. DYNAMIC_ZONES=Yes - is not allowed in configurations that will run under Shorewall - Lite. + Added in Shorewall 4.4.7. When set to No or no, + dynamic blacklisting using the shorewall drop, + shorewall reject, shorewall + logdrop and shorewall logreject is + disabled. Default is Yes. 
@@ -1141,24 +1155,116 @@ net all DROP infothen the chain name is 'net2all' - OPTIMIZE=[0|1] + OPTIMIZE=[value] - Traditionally, Shorewall has created rules for the complete matrix of host - groups defined by the zones, interfaces and hosts files. Any - traffic that didn't correspond to an element of that matrix was - rejected in one of the built-in chains. When the matrix is sparse, - this results in lots of largely useless rules. + The specified value enables certain + optimizations. Each optimization category is associated with a power + of two. To enable multiple optimization categories, simply add their + corresponding numbers together. - These extra rules can be eliminated by setting - OPTIMIZE=1. + + + Optimization category 1 - Traditionally, Shorewall has + created rules for the complete matrix of + host groups defined by the zones, interfaces and hosts + files. Any traffic that didn't correspond to an element + of that matrix was rejected in one of the built-in chains. When + the matrix is sparse, this results in lots of largely useless + rules. - The OPTIMIZE setting also controls the suppression of - redundant wildcard rules (those specifying "all" in the SOURCE or - DEST column). A wildcard rule is considered to be redundant when it - has the same ACTION and Log Level as the applicable policy. + These extra rules can be eliminated by setting the 1 bit + in OPTIMIZE. + + The 1 bit setting also controls the suppression of + redundant wildcard rules (those specifying "all" in the SOURCE + or DEST column). A wildcard rule is considered to be redundant + when it has the same ACTION and Log Level as the applicable + policy. + + + + Optimization category 2 - Added in Shorewall 4.4.7. When + set, suppresses superfluous ACCEPT rules in a policy chain that + implements an ACCEPT policy. Any ACCEPT rules that immediately + preceed the final blanket ACCEPT rule in the chain are now + omitted. + + + + Optimization category 4 - Added in Shorewall 4.4.7. 
When + set, causes short chains (those with less than 2 rules) to be + optimized away. The following chains are excluded from + optimization: + + + + accounting chains (unless + OPTIMIZE_ACCOUNTING=Yes) + + + + action chains (user-defined) + + + + dynamic + + + + forwardUPnP + + + + UPnP (nat table) + + + + Additionally: + + + + If a built-in chain has a single rule that branches to + a second chain, then the rules from the second chain are + moved to the built-in chain and the target chain is + omitted. + + + + Chains with no references are deleted. + + + + Accounting chains are subject to optimization if the + OPTIMIZE_ACCOUNTING option is set to 'Yes'. + + + + If a chain ends with an unconditional branch to a + second chain (other than to 'reject'), then the branch is + deleted from the first chain and the rules from the second + chain are appended to it. + + + + + + The default value is zero which disables all + optimizations. + + + + + OPTIMIZE_ACCOUNTING=[Yes|No] + + + Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting + changes are subject to optimization (OPTIMIZE=4,5,6 or 7). If not + specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is + assumed. diff --git a/manpages6/shorewall6.conf.xml b/manpages6/shorewall6.conf.xml index f4f5ac6bd..ffa08fa45 100644 --- a/manpages6/shorewall6.conf.xml +++ b/manpages6/shorewall6.conf.xml @@ -172,7 +172,7 @@ role="bold">Yes|No] - Added in Shorewall 4.5.0. If set to Yes, Shorewall6 accounting + Added in Shorewall 4.4.7. If set to Yes, Shorewall6 accounting is enabled (see shorewall6-accounting(5)). If not specified or set to the empty value, ACCOUNTING=Yes is @@ -396,6 +396,20 @@ + + DYNAMIC_BLACKLIST={Yes|No} + + + Added in Shorewall 4.4.7. When set to No or no, + dynamic blacklisting using the shorewall6 drop, + shorewall6 reject, shorewall6 + logdrop and shorewall6 logreject is + disabled. Default is Yes. + + + EXPAND_POLICIES={Yes|No} 
@@ -882,24 +896,6 @@ net all DROP infothen the chain name is 'net2all' - - MASK_BITS=bits - - - Added in Shorewall 4.5.0. This option specifies the number of - bits to use as a mask for traffic shaping marks - and must be greater than or equal to TC_BITS. The default value - depends on the setting of WIDE_TC_MARKS: - - - WIDE_TC_MARKS=No - 8 bits. - - WIDE_TC_MARKS=Yes - 16 bits. - - - - MODULE_SUFFIX=["extension ...then the chain name is 'net2all' - OPTIMIZE=[0|1] + OPTIMIZE=[value] - Traditionally, Shorewall6 has created rules for the complete matrix of host - groups defined by the zones, interfaces and hosts files. Any - traffic that didn't correspond to an element of that matrix was - rejected in one of the built-in chains. When the matrix is sparse, - this results in lots of largely useless rules. + The specified value enables certain + optimizations. Each optimization category is associated with a power + of two. To enable multiple optimization categories, simply add their + corresponding numbers together. - These extra rules can be eliminated by setting - OPTIMIZE=1. + + + Optimization category 1 - Traditionally, Shorewall has + created rules for the complete matrix of + host groups defined by the zones, interfaces and hosts + files. Any traffic that didn't correspond to an element + of that matrix was rejected in one of the built-in chains. When + the matrix is sparse, this results in lots of largely useless + rules. - The OPTIMIZE setting also controls the suppression of - redundant wildcard rules (those specifying "all" in the SOURCE or - DEST column). A wildcard rule is considered to be redundant when it - has the same ACTION and Log Level as the applicable policy. + These extra rules can be eliminated by setting the 1 bit + in OPTIMIZE. + + The 1 bit setting also controls the suppression of + redundant wildcard rules (those specifying "all" in the SOURCE + or DEST column). 
A wildcard rule is considered to be redundant + when it has the same ACTION and Log Level as the applicable + policy. + + + + Optimization category 2 - Added in Shorewall 4.4.7. When + set, suppresses superfluous ACCEPT rules in a policy chain that + implements an ACCEPT policy. Any ACCEPT rules that immediately + preceed the final blanket ACCEPT rule in the chain are now + omitted. + + + + Optimization category 4 - Added in Shorewall 4.4.7. When + set, causes short chains (those with less than 2 rules) to be + optimized away. The following chains are excluded from + optimization: + + + + accounting chains (unless + OPTIMIZE_ACCOUNTING=Yes) + + + + action chains (user-defined) + + + + dynamic + + + + Additionally: + + + + If a built-in chain has a single rule that branches to + a second chain, then the rules from the second chain are + moved to the built-in chain and the target chain is + omitted. + + + + Chains with no references are deleted. + + + + Accounting chains are subject to optimization if the + OPTIMIZE_ACCOUNTING option is set to 'Yes'. + + + + If a chain ends with an unconditional branch to a + second chain (other than to 'reject'), then the branch is + deleted from the first chain and the rules from the second + chain are appended to it. + + + + + + The default value is zero which disables all + optimizations. + + + + + OPTIMIZE_ACCOUNTING=[Yes|No] + + + Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting + changes are subject to optimization (OPTIMIZE=4,5,6 or 7). If not + specified or set to the empty value, OPTIMIZE_ACCOUNTING=No is + assumed. 
@@ -979,42 +1059,6 @@ net all DROP infothen the chain name is 'net2all' - - PROVIDER_BITS=bits - - - Added in Shorewall 4.5.0. Specifies the number of bits of the - packet/connection mark to use for the provider (routing) mark. - Provider mark values must be >= 2**PROVIDER_OFFSET and less than - 2**(PROVIDER_OFFSET + PROVIDER_BITS). The default value is 8 - bits. - - - - - PROVIDER_OFFSET=offset - - - Added in Shorewall 4.5.0. Specifies the - offset in bits from the least significate bit - of the packet/connection mark where the Provider Mark value is - stored. The default is based on the settings of HIGH_ROUTE_MARKS and - WIDE_TC_MARKS: - - - HIGH_ROUTE_MARKS=No - 0 bits. - - HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=No - 8 - bits. - - HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes - 16 - bits. - - - - RCP_COMMAND="commandthen the chain name is 'net2all' - - TC_BITS=bits - - - Added in Shorewall 4.5.0. This option replaces WIDE_TC_MARKS - by allowing you to specify the number of bits - of the 32-bit packet/connection mark to be used for traffic shaping. - The default value is based on the settings of WIDE_TC_MARKS: - - - WIDE_TC_MARKS=No - 8 bits. - - WIDE_TC_MARKS=Yes - 14 bits. - - - Mark values specified in shorewall6-tcclasses (5) - must be < 2**TC_BITS. - - - TC_ENABLED=[Yes|then the chain name is 'net2all' role="bold">TC_PRIOMAP=map - Added in Shorewall 4.5.0. Determines the mapping of a packet's + Added in Shorewall 4.4.6. Determines the mapping of a packet's TOS field to priority bands. See shorewall6-tcpri(5). The map consists of 16 space-separated digits with
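Review bot: the second shorewall.conf.xml hunk (at -462) replaces the DYNAMIC_ZONES entry with DYNAMIC_BLACKLIST instead of adding the new option next to it, so the manpage no longer documents DYNAMIC_ZONES at all; if the option is still accepted in this release (even as deprecated), keep its entry or add a sentence saying when it was removed. The same hunk drops "Added in Shorewall-4.0.6." from DONT_LOAD while every other entry in this patch keeps or gains an "Added in" line, which looks unintended. Minor wording, in both this hunk and the matching shorewall6.conf.xml hunk at -396: "dynamic blacklisting using the shorewall drop, shorewall reject, shorewall logdrop and shorewall logreject is disabled" reads better as "dynamic blacklisting via the shorewall drop, reject, logdrop and logreject commands is disabled".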
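Review bot: "preceed" in the Optimization category 2 paragraph should be "precede" (it appears in both the shorewall.conf.xml OPTIMIZE hunk at -1141 and the shorewall6.conf.xml one). In the category 4 paragraph, "short chains (those with less than 2 rules)" leaves it unclear whether a chain with exactly one rule qualifies; "chains with zero or one rule" makes the boundary explicit. Since the "net2all" context line immediately above this hunk belongs to the explanation of how a chain name is derived and surfaces in log prefixes, the category 4 text should also state whether moving a second chain's rules into a built-in chain (and deleting the target chain, or appending a chain after an unconditional branch) changes the chain name that appears in the resulting log messages; an administrator who matches firewall logs on chain names needs to know that before setting the 4 bit.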
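Review bot: the shorewall6.conf.xml OPTIMIZE hunk carries over the IPv4 wording: the paragraph it deletes said "Traditionally, Shorewall6 has created rules" but the replacement says "Traditionally, Shorewall has created", and the new OPTIMIZE_ACCOUNTING entry in the same file says "Shorewall accounting changes"; both should read Shorewall6, as the ACCOUNTING and DYNAMIC_BLACKLIST entries in that file do. In both files, "OPTIMIZE=4,5,6 or 7" in OPTIMIZE_ACCOUNTING enumerates values rather than stating the rule; given that the OPTIMIZE entry just above defines categories as bits to be added together, "when the 4 bit is set in OPTIMIZE" says the same thing and does not go stale when a category is added. The shorewall6 exclusion list omitting forwardUPnP and the nat-table UPnP chain that the IPv4 version lists looks intentional, but a one-line remark to that effect would stop a reader from filing it as a copy error.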
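Review bot: the shorewall6.conf.xml hunks at -882 and -979 and the TC_BITS region delete the MASK_BITS, PROVIDER_BITS, PROVIDER_OFFSET and TC_BITS entries outright, yet the commit subject only says manpages are being updated for backported functionality; if these 4.5.0 options are not present in the 4.4 code, the commit message should say so, and the manpage should tell a reader who already has TC_BITS or MASK_BITS in shorewall6.conf on a 4.4 release how an unrecognised option is treated. The deleted TC_BITS text said it "replaces WIDE_TC_MARKS", so please also check that the WIDE_TC_MARKS entry in the same file does not still refer to TC_BITS after this removal.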
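Review bot: TC_PRIOMAP's "Added in" line is changed to 4.4.6 while every other version change in this patch (ACCOUNTING, DYNAMIC_BLACKLIST, the OPTIMIZE categories, OPTIMIZE_ACCOUNTING) goes to 4.4.7; please confirm that 4.4.6 is the release TC_PRIOMAP actually shipped in and not a typo for 4.4.7.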