From 611c33e05290071140aab752897b3cf432fb87d5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 23 Sep 2010 11:31:56 -0700
Subject: [PATCH] Add rule order warning to secmark manpages
---
manpages/shorewall-secmarks.xml | 23 ++++++++++++++++-------
manpages6/shorewall6-secmarks.xml | 8 ++++++++
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml
index de34a4bba..30b24c60d 100644
--- a/manpages/shorewall-secmarks.xml
+++ b/manpages/shorewall-secmarks.xml
@@ -23,6 +23,14 @@ Description + + Unlike rules in the shorewall-rules(5) file, evaluation + of rules in this file will continue after a match. So the final secmark + for each packet will be the one assigned by the LAST rule that + matches. + + The secmarks file is used to associate an SELinux context with packets. It was added in Shorewall version 4.4.13.
@@ -376,12 +384,13 @@ RESTORE I:ER url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html shorewall(8), shorewall-accounting(5), shorewall-actions(5),
- shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
- shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
- shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
- shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
- shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
- shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
- shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+ shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml
index 2934fe570..f580069d7 100644
--- a/manpages6/shorewall6-secmarks.xml
+++ b/manpages6/shorewall6-secmarks.xml
@@ -23,6 +23,14 @@ Description + + Unlike rules in the shorewall6-rules(5) file, evaluation + of rules in this file will continue after a match. So the final secmark + for each packet will be the one assigned by the LAST rule that + matches. + + The secmarks file is used to associate an SELinux context with packets. It was added in Shorewall6 version 4.4.13.