diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 0cf191165..860beb686 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -941,6 +941,11 @@ Shorewall has detected the following iptables/netfilter capabilities:
been eliminated and the Shorewall-perl compiler uses Perl's interfaces
to getprotobyname(3posix) and getservbyname(3posix).
+
+ Also, unless otherwise documented, a protocol number/name can be
+ preceded by '!' to specify "All protocols except this one" (e.g., "!tcp").
+ Shorewall-perl support for that feature was added in Shorewall
+ 4.2.6.
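Review bot: the added paragraph says only that Shorewall-perl gained the '!' prefix in 4.2.6, while the sentence just above it describes Shorewall-perl specifically; state explicitly whether the other compiler accepts "!tcp" or rejects it, so a reader on that compiler knows the negation is not available rather than silently wrong. "Unless otherwise documented" also leaves the exceptions to be discovered file by file; a pointer to the columns that do not accept negation would help.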
@@ -956,6 +961,11 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.
+
+ Also, unless otherwise documented, a port range can be preceded by
+ '!' to specify "All ports except those in this range" (e.g.,
+ "!4000:4100"). Shorewall-perl support for that feature was added in
+ Shorewall 4.2.6.
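Review bot: the port-range paragraph does not say how the '!' prefix interacts with the omitted-endpoint defaults stated two lines above it ("If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed"); spell out whether "!:4100" and "!4000:" are accepted, and if so that they mean everything except 0-4100 and everything except 4000-65535, or whether both bounds are required after '!'.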
@@ -993,6 +1003,10 @@ DNAT net loc:192.168.1.3 tcp 4000:4100
versions earlier than 4.0.5 will never break a list longer than 15 ports
(with each range counting as two ports) into smaller lists.
+
+ Also, unless otherwise documented, a port list can be preceded by
+ '!' to specify "All ports except these" (e.g., "!80,443"). Shorewall-perl
+ support for that feature was added in Shorewall 4.2.6.
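Review bot: the negated port-list paragraph should say what happens when the list exceeds the multiport limit described immediately above it (lists longer than 15 ports, ranges counting as two, are broken into smaller lists): a split cannot be applied to a negated list, because "not (A or B)" spread across separate rules is not the same match, so either document that '!' lists are limited to 15 ports or state that the compiler rejects longer negated lists.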
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 47f33ab22..39bbfda6b 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -686,7 +686,10 @@ ppp0 6000kbit 500kbit
The "T" qualifier was added in Shorewall version 3.3.6 and
- is not available in earlier versions.
+ is not available in earlier versions. Use
+ this qualifier if you want the rule to apply equally to traffic
+ being routed through the firewall and to traffic originating on
+ the firewall itself.
Normally, the mark is applied to the packet. If you follow the
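Review bot: the new sentence recommending the "T" qualifier for rules that should cover both routed and firewall-originated traffic should also mention the restriction introduced later in this patch, that an interface name (alone or as interface:address) may not be used in the SOURCE column of a rule using :T; without it, a reader who follows this advice on an existing interface-based rule will find the rule rejected with no hint why.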
@@ -780,35 +783,78 @@ ppp0 6000kbit 500kbit
- SOURCE - Source of the packet. A comma-separated list of
- interface names, IP addresses, MAC addresses and/or subnets for
- packets being routed through a common path. List elements may also
- consist of an interface name followed by ":" and an address (e.g.,
- eth1:192.168.1.0/24). For example, all packets for connections
- masqueraded to eth0 from other interfaces can be matched in a single
- rule with several alternative SOURCE criteria. However, a connection
- whose packets gets to eth0 in a different way, e.g., direct from the
- firewall itself, needs a different rule.
+ SOURCE - Source of the packet.
- Accordingly, use $FW in its own separate rule for packets
- originating on the firewall. In such a rule, the MARK column may NOT
- specify either ":P" or ":F" because marking for firewall-originated
- packets always occurs in the OUTPUT chain.
+ May be:
+
+
+
+ An interface name - matches traffic entering the firewall
+ on the specified interface. May not be used in classify rules or
+ in rules using the :T chain qualifier.
+
+
+
+ A comma-separated list of host or network IP addresses or
+ MAC addresses. This form will not match
+ traffic that originates on the firewall itself unless either
+ <major><minor> or the :T chain qualifier is used in
+ the MARK column.
+
+ Examples:
+ 0.0.0.0/0
+
+
+
+ 192.168.1.0/24, 172.20.4.0/24
+
+
+
+
+ An interface name followed by a colon (":") followed by a
+ comma-separated list of host or network IP addresses or MAC
+ addresses. May not be used in classify rules or in rules using
+ the :T chain qualifier.
+
+
+
+ $FW optionally followed by a colon (":") and a
+ comma-separated list of host or network IP addresses. matches
+ packets originating on the firewall. May not be used with a
+ chain qualifier (:P, :F, etc.) in the MARK column.
+
+
MAC addresses must be prefixed with "~" and use "-" as a
separator.
Example: ~00-A0-C9-15-39-78
+
+ If your kernel includes iprange match support, then address
+ ranges may be included in the address lists.
- DEST - Destination of the packet. Comma separated list of IP
- addresses and/or subnets. If your kernel and iptables include
- iprange match support, IP address ranges are also allowed. List
- elements may also consist of an interface name followed by ":" and
- an address (e.g., eth1:192.168.1.0/24). If the MARK column specifies
- a classification of the form <major>:<minor> then this
- column may also contain an interface name.
+ DEST - Destination of the packet.
+
+ May be:
+
+
+
+ An interface name. May not be used in the PREROUTING chain
+ (:P in the mark column or no chain qualifier and
+ MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The
+ interface name may be optionally followed by a colon (":") and
+ an IP address list.
+
+
+
+ A comma-separated list of host or network IP addresses.
+ The list may include ip address ranges if your kernel and
+ iptables include iprange support.
+
+
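Review bot: in the second SOURCE form, "This form will not match traffic that originates on the firewall itself unless either <major><minor> or the :T chain qualifier is used in the MARK column", the classification syntax is missing its colon and should read <major>:<minor>, matching the removed DEST text in this same hunk. Two smaller points in the same hunk: the $FW item starts a sentence in lowercase ("addresses. matches packets originating on the firewall"), and the second example "192.168.1.0/24, 172.20.4.0/24" has a space after the comma, which a whitespace-delimited column would read as two columns, so drop the space. The new SOURCE text also says "If your kernel includes iprange match support" while the new DEST text says "if your kernel and iptables include iprange support"; use one wording in both.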
@@ -943,17 +989,17 @@ ppp0 6000kbit 500kbit
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
-3 $FW 0.0.0.0/0 all
+3 $FW 0.0.0.0/0 all
- All GRE (protocol 47) packets not originating on the firewall
- and destined for 155.186.235.151 should be marked with 12.
+ All GRE (protocol 47) packets destined for 155.186.235.151
+ should be marked with 12.
#MARK SOURCE DESTINATION PROTOCOL PORT(S)
-12 0.0.0.0/0 155.182.235.151 47
+12:T 0.0.0.0/0 155.182.235.151 47
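Review bot: the prose in this hunk says the GRE packets are "destined for 155.186.235.151" but the rule beneath it matches 155.182.235.151; the mismatch predates the patch, but both the sentence and the rule are rewritten here, so make the two addresses agree. Also, the rule now carries ":T" while the sentence merely drops "not originating on the firewall"; stating positively that the :T qualifier is what extends the rule to firewall-originated GRE would make the example self-explanatory.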
@@ -963,7 +1009,7 @@ ppp0 6000kbit 500kbit
destined for 155.186.235.151 should be marked with 22.
#MARK SOURCE DESTINATION PROTOCOL PORT(S)
-22 192.168.1.0/24 155.182.235.151 tcp 22
+22:T 192.168.1.0/24 155.182.235.151 tcp 22
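Review bot: same address mismatch as in the previous hunk: the context line says "destined for 155.186.235.151" while the changed rule uses 155.182.235.151; fix it while the rule line is being edited.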
@@ -989,7 +1035,8 @@ ppp0 6000kbit 500kbit
ipp2p module is unable to determine all packets in a connection are
P2P packets, we mark the entire connection as P2P if any of the
packets are determined to match. We assume packet/connection mark 0 to
- means unclassified.
+ means unclassified. Traffic originating on the firewall is not covered
+ by this example.
#MARK SOURCE DESTINATION PROTOCOL PORT(S) CLIENT USER/ TEST
# PORT(S) GROUP
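Review bot: the added sentence "Traffic originating on the firewall is not covered by this example" makes this copy of the ipp2p example diverge from the copy in manpages/shorewall-tcrules.xml later in this patch, where every rule of the same example gets a ":T" qualifier and therefore does cover firewall-originated traffic; pick one version for both files, or have each explain why it differs.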
diff --git a/manpages/shorewall-blacklist.xml b/manpages/shorewall-blacklist.xml
index 915ee6f69..e9019230b 100644
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -1,4 +1,6 @@
+
shorewall-blacklist
@@ -52,7 +54,7 @@
PROTOCOL (Optional) -
{-|protocol-number|protocol-name}
+ role="bold">-|[!]protocol-number|[!]protocol-name}
If specified, must be a protocol number or a protocol name
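Review bot: the synopsis now reads "-|[!]protocol-number|[!]protocol-name}" but the description below it ("If specified, must be a protocol number or a protocol name") is unchanged; add a sentence saying that a leading '!' inverts the match and that this requires Shorewall-perl and Shorewall 4.2.6 or later, as docs/configuration_file_basics.xml states in this same patch.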
@@ -62,7 +64,7 @@
PORTS (Optional) - {-|port-name-or-number[,port-name-or-number]...}
+ role="bold">-|[!]port-name-or-number[,port-name-or-number]...}
May only be specified if the protocol is TCP (6) or UDP (17).
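Review bot: in "-|[!]port-name-or-number[,port-name-or-number]...}" the '!' appears only before the first element, which is the right way to express that it negates the whole list, but the description should say so explicitly (the match is "all ports except those listed", not a per-element negation) and should state whether a negated list may contain ranges.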
diff --git a/manpages/shorewall-masq.xml b/manpages/shorewall-masq.xml
index e185a4a81..82d7bb3b3 100644
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -215,7 +215,7 @@
PROTO (Optional) - {-|protocol-name|protocol-number}
+ role="bold">-|[!]protocol-name|[!]protocol-number}
If you wish to restrict this entry to a particular protocol
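Review bot: as with the blacklist PROTOCOL column, the synopsis "-|[!]protocol-name|[!]protocol-number}" gains a negation form but the sentence that follows ("If you wish to restrict this entry to a particular protocol") does not mention it; describe the inverted match and its Shorewall-perl / 4.2.6 requirement here as well.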
@@ -226,7 +226,7 @@
PORT(S) (Optional) -
- [port-name-or-number[,port-name-or-number]...]
+ [[!]port-name-or-number[,port-name-or-number]...]
If the PROTO column specifies TCP (protocol 6) or UDP
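Review bot: the PORT(S) synopsis "[[!]port-name-or-number[,port-name-or-number]...]" negates the entire list with one leading '!', and the description that follows ("If the PROTO column specifies TCP (protocol 6) or UDP") should say so; it is also worth noting that a negated list makes the masq entry apply to every port except those listed, a much broader match than the positive form, which is easy to overlook when reviewing a NAT configuration.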
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index 66704a09d..870c8fe3c 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -256,22 +256,45 @@
role="bold">,address-or-range]...}[exclusion]
- Source of the packet. A comma-separated list of interface
- names, IP addresses, MAC addresses and/or subnets for packets being
- routed through a common path. List elements may also consist of an
- interface name followed by ":" and an address (e.g.,
- eth1:192.168.1.0/24). For example, all packets for connections
- masqueraded to eth0 from other interfaces can be matched in a single
- rule with several alternative SOURCE criteria. However, a connection
- whose packets gets to eth0 in a different way, e.g., direct from the
- firewall itself, needs a different rule.
+ May be:
- Accordingly, use $FW in its
- own separate rule for packets originating on the firewall. In such a
- rule, the MARK column may NOT specify either :P or :F
- because marking for firewall-originated packets always occurs in the
- OUTPUT chain.
+
+
+ An interface name - matches traffic entering the firewall
+ on the specified interface. May not be used in classify rules or
+ in rules using the :T chain qualifier.
+
+
+
+ A comma-separated list of host or network IP addresses or
+ MAC addresses. This form will not match
+ traffic that originates on the firewall itself unless either
+ <major><minor> or the :T chain qualifier is used in
+ the MARK column.
+
+ Examples:
+ 0.0.0.0/0
+
+
+
+ 192.168.1.0/24, 172.20.4.0/24
+
+
+
+
+ An interface name followed by a colon (":") followed by a
+ comma-separated list of host or network IP addresses or MAC
+ addresses. May not be used in classify rules or in rules using
+ the :T chain qualifier.
+
+
+
+ $FW optionally followed by a colon (":") and a
+ comma-separated list of host or network IP addresses. Matches
+ packets originating on the firewall. May not be used with a
+ chain qualifier (:P, :F, etc.) in the MARK column.
+
+
MAC addresses must be prefixed with "~" and use "-" as a
separator.
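Review bot: the same colon omission as in docs/traffic_shaping.xml: "<major><minor> or the :T chain qualifier is used in the MARK column" should read <major>:<minor>. The example "192.168.1.0/24, 172.20.4.0/24" again has a space after the comma, which would not survive a whitespace-delimited column. The synopsis fragment visible above the hunk ends in "[exclusion]"; the new four-item list should say which of the four forms accept the exclusion suffix, since that is no longer obvious from the prose.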
@@ -290,14 +313,24 @@
role="bold">,address-or-range]...}[exclusion]
- Destination of the packet. Comma separated list of IP
- addresses and/or subnets. If your kernel and iptables include
- iprange match support, IP address ranges are also allowed. List
- elements may also consist of an interface name followed by ":" and
- an address (e.g., eth1:192.168.1.0/24). If the MARK column specificies a classification of
- the form major:minor then
- this column may also contain an interface name.
+ May be:
+
+
+
+ An interface name. May not be used in the PREROUTING chain
+ (:P in the mark column or no chain qualifier and
+ MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5)). The
+ interface name may be optionally followed by a colon (":") and
+ an IP address list.
+
+
+
+ A comma-separated list of host or network IP addresses.
+ The list may include ip address ranges if your kernel and
+ iptables include iprange support.
+
+
You may exclude certain hosts from the set already defined
through use of an exclusion (see O|R|B}[:{B|P|A}]]]
+ role="bold">A}]]]
Connection Bytes; defines a byte or packet range that the
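Review bot: the removed DEST text allowed an interface name only when the MARK column specifies a major:minor classification; the replacement keeps the interface-name form but swaps that condition for the PREROUTING restriction ("May not be used in the PREROUTING chain (:P in the mark column or no chain qualifier and MARK_IN_FORWARD_CHAIN=No in shorewall.conf (5))"). If both conditions still hold, keep the classification requirement as well; if it was dropped deliberately, say so in the text. Minor: "ip address ranges" should be "IP address ranges" for consistency with the surrounding lines.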
@@ -532,8 +565,8 @@
directions.
- If omitted, B is assumed.
-
+ If omitted, B is
+ assumed.
The second letter determines what the range refers
to.
@@ -544,7 +577,7 @@
A - Average packet
size.
If omitted, B is
- assumed.
+ assumed.
@@ -564,7 +597,7 @@
Example: Mark all FTP data connections with mark
4:#MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
#CLASSIFY PORT(S)
-4 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
+4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp
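Review bot: the FTP example rule changes from "4 0.0.0.0/0 0.0.0.0/0 TCP ..." to "4:T ..." but its caption ("Mark all FTP data connections with mark 4") is unchanged; since the :T qualifier is what extends the rule to FTP data connections originating on the firewall, say so in the caption, otherwise the reason for the qualifier is invisible to a reader skimming the examples.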
@@ -588,14 +621,14 @@
We assume packet/connection mark 0 means unclassified.
- #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
- #CLASSIFY PORT(S)
- 1 0.0.0.0/0 0.0.0.0/0 icmp echo-request
- 1 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
- RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
- CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
- 4 0.0.0.0/0 0.0.0.0/0 ipp2p:all
- SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0
+ #MARK/ SOURCE DEST PROTO PORT(S) SOURCE USER TEST
+ #CLASSIFY PORT(S)
+ 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-request
+ 1:T 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
+ RESTORE:T 0.0.0.0/0 0.0.0.0/0 all - - - 0
+ CONTINUE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
+ 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
+ SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0
If a packet hasn't been classifed (packet mark is 0), copy the
connection mark to the packet mark. If the packet mark is set, we're
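Review bot: every rule in the rewritten ipp2p example carries ":T", including "RESTORE:T", "CONTINUE:T" and "SAVE:T", but the explanatory text that follows ("If a packet hasn't been classifed (packet mark is 0), copy the connection mark to the packet mark") does not say that :T is accepted on the RESTORE, SAVE and CONTINUE actions or how saving and restoring marks behaves for firewall-originated packets; add a sentence covering that, and reconcile this copy with the docs/traffic_shaping.xml copy of the same example, which states that firewall-originated traffic is not covered. Also "classifed" in the context line is misspelled (classified).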