More documentation cleanup for 4.4

docs/Multiple_Zones.xml

@@ -209,13 +209,13 @@ loc1:loc    ipv4</programlisting>
 
         <para><filename>/etc/shorewall/interfaces</filename></para>
 
-        <programlisting>#ZONE               INTERFACE           BROADCAST
-loc                 eth1                192.168.1.255</programlisting>
+        <programlisting>#ZONE               INTERFACE           BROADCAST               OPTIONS
+loc                 eth1                -</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename></para>
 
-        <programlisting>#ZONE               HOSTS
-loc1                eth1:192.168.2.0/24</programlisting>
+        <programlisting>#ZONE               HOSTS                        OPTIONS
+loc1                eth1:192.168.2.0/24          -</programlisting>
 
         <para>If you don't need Shorewall to set up infrastructure to route
         traffic between <quote>loc</quote> and <quote>loc1</quote>, add these
@@ -248,13 +248,14 @@ loc2        ipv4</programlisting>
         <para><filename>/etc/shorewall/interfaces</filename></para>
 
         <programlisting>#ZONE               INTERFACE           BROADCAST
--                   eth1                192.168.1.255</programlisting>
+-                   eth1                192.168.1.255
+</programlisting>
 
         <para><filename>/etc/shorewall/hosts</filename></para>
 
-        <programlisting>#ZONE               HOSTS
-loc1                eth1:192.168.1.0/24
-loc2                eth1:192.168.2.0/24</programlisting>
+        <programlisting>#ZONE               HOSTS                    OPTIONS
+loc1                eth1:192.168.1.0/24      -
+loc2                eth1:192.168.2.0/24      -</programlisting>
 
         <para>You don't need Shorewall to set up infrastructure to route
         traffic between <quote>loc</quote> and <quote>loc1</quote>, so add
@@ -287,10 +288,18 @@ loc1:loc    ipv4</programlisting>
     <para><filename>/etc/shorewall/interfaces</filename></para>
 
     <programlisting>#ZONE               INTERFACE           BROADCAST
-loc                 eth1                192.168.1.255</programlisting>
+loc                 eth1                -</programlisting>
 
-    <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS
-loc1                eth1:192.168.1.8/29</programlisting></para>
+    <para><filename>/etc/shorewall/hosts</filename><programlisting>#ZONE               HOSTS                  OPTIONS
+loc1                eth1:192.168.1.8/29    broadcast</programlisting></para>
+
+    <para>The <option>broadcast</option> option causes limited broadcasts
+    (destination IP address 255.255.255.255) to be checked against the loc1
+    zone. If that zone allows the packet, then of course it will be seen by
+    the mempers of loc that are outside of loc1 as well. If the broadcast is
+    not specifically DROPped by the fw-&gt;loc1 rules then it will also be
+    checked against the fw-&gt;loc rules, even if there is a DROP or REJECT
+    fw-&gt;loc1 policy.</para>
 
     <para>You probably don't want Shorewall to set up infrastructure to route
     traffic between <quote>loc</quote> and <quote>loc1</quote> so you should

docs/shorewall_extension_scripts.xml

@@ -500,7 +500,7 @@ esac</programlisting><caution>
           the table name</member>
         </simplelist></para>
 
-      <para>To add a rule to the chain:<programlisting>add_rule( $chainref, &lt;<emphasis>the rule</emphasis>&gt; );</programlisting>Where<simplelist>
+      <para>To add a rule to the chain:<programlisting>add_rule( $chainref, &lt;<emphasis>the rule</emphasis>&gt; [ , &lt;<emphasis>break lists</emphasis>&gt; ] );</programlisting>Where<simplelist>
           <member>&lt;<emphasis>the rule</emphasis>&gt; is a scalar argument
           holding the rule text. Do not include "-A &lt;<emphasis>chain
           name</emphasis>&gt;"</member>
@@ -508,14 +508,16 @@ esac</programlisting><caution>
 
       <para>The add_rule() function accepts an optional third argument; If
       that argument evaluates to true and the passed rule contains a <emphasis
-      role="bold">--dports</emphasis> list with more than 15 ports (a port
+      role="bold">--dports</emphasis> or <emphasis
+      role="bold">--sports</emphasis> list with more than 15 ports (a port
       range counts as two ports), the rule will be split into multiple rules
       where each resulting rule has 15 or fewer ports in its <emphasis
-      role="bold">--dports</emphasis> list.</para>
+      role="bold">--dports</emphasis> and <emphasis
+      role="bold">--sports</emphasis> lists.</para>
 
       <para>To insert a rule into the chain:<programlisting> insert_rule( $chainref, &lt;<emphasis>rulenum</emphasis>&gt;, &lt;<emphasis>the rule</emphasis>&gt; );</programlisting>The
       <emphasis role="bold">log_rule_limit()</emphasis> function works like it
-      does in the shell compiler with three exceptions:<itemizedlist>
+      did in the shell compiler with three exceptions:<itemizedlist>
           <listitem>
             <para>You pass the chain reference rather than the name of the
             chain.</para>
@@ -531,14 +533,14 @@ esac</programlisting><caution>
             you must quote that part).</para>
           </listitem>
         </itemizedlist>Example:<programlisting>log_rule_limit(
-               'info' , 
-               $chainref ,            
-               $chainref-&gt;{name},
-               'DROP' , 
-               '',      #Limit
-               '' ,     #Log tag
-               'add',   #Command
-               '-p tcp' #Pass as-is
+               'info' ,             #Log Level
+               $chainref ,          #Chain to add the rule to
+               $chainref-&gt;{name},   #Name of the chain as it will appear in the log prefix
+               'DROP' ,             #Disposition of the packet
+               '',                  #Limit
+               '' ,                 #Log tag
+               'add',               #Command
+               '-p tcp'             #Added to the rule as-is
                );</programlisting>Note that in the 'initdone' script, there is
       no default chain (<emphasis role="bold">$chainref</emphasis>). You can
       obtain a reference to a standard chain by:<programlisting>my $chainref = $chain_table{&lt;<emphasis>table</emphasis>&gt;}{&lt;<emphasis>chain name</emphasis>&gt;};</programlisting>Example:<programlisting>my $chainref = $chain_table{filter}{INPUT};</programlisting></para>

manpages/shorewall-hosts.xml

@@ -191,13 +191,12 @@
             </varlistentry>
 
             <varlistentry>
-              <term>broadcast</term>
+              <term><emphasis role="bold">broadcast</emphasis></term>
 
               <listitem>
-                <para>(Only supported by Shorewall-perl). Used when you want
-                to include limited broadcasts (destination IP address
-                255.255.255.255) from the firewall to this zone. Only
-                necessary when:</para>
+                <para>Used when you want to include limited broadcasts
+                (destination IP address 255.255.255.255) from the firewall to
+                this zone. Only necessary when:</para>
 
                 <orderedlist>
                   <listitem>
@@ -215,13 +214,13 @@
             </varlistentry>
 
             <varlistentry>
-              <term>destonly</term>
+              <term><emphasis role="bold">destonly</emphasis></term>
 
               <listitem>
-                <para>(Only supported by Shorewall-perl). Normally used with
-                the Multi-cast IP address range (224.0.0.0/4). Specifies that
-                traffic will be sent to the specified net(s) but that no
-                traffic will be received from the net(s).</para>
+                <para>Normally used with the Multi-cast IP address range
+                (224.0.0.0/4). Specifies that traffic will be sent to the
+                specified net(s) but that no traffic will be received from the
+                net(s).</para>
               </listitem>
             </varlistentry>
           </variablelist>