diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index d263b5787..a7dab5393 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -307,6 +307,9 @@
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.
+
+ Note that the routestopped file is not supported in
+ Shorewall 5.0 and later versions.
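Review bot: The added note at the end of this paragraph says the routestopped file is unsupported in Shorewall 5.0 and later, but not what to use in its place, so a reader whose stopped-state access is defined in that file gets no pointer to where those entries belong now. Suggest naming the replacement file, or linking its manpage, in the same sentence.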
@@ -481,8 +484,8 @@
ALL sends all packets through the blacklist chains.
- Note: The ESTABLISHED state may not be specified if FASTACCEPT
- is specified.
+ Note: The ESTABLISHED state may not be specified if
+ FASTACCEPT=Yes is specified.
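Review bot: No matching hunk for this FASTACCEPT note appears under shorewall6.conf.xml in this patch; if the Shorewall6 manpage carries the same sentence about the ESTABLISHED state, it needs the same correction. In the new wording, "if FASTACCEPT=Yes is set" would avoid repeating "specified" twice in one sentence.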
@@ -577,13 +580,14 @@
If this option is set to No
then Shorewall won't clear the current traffic control rules during
- [re]start. This setting is intended for use by people who prefer to
- configure traffic shaping when the network interfaces come up rather
- than when the firewall is started. If that is what you want to do,
- set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
- /etc/shorewall/tcstart file. That way, your traffic shaping rules
- can still use the “fwmark” classifier based on packet marking
- defined in re]start or
+ reload. This setting is intended for use by
+ people who prefer to configure traffic shaping when the network
+ interfaces come up rather than when the firewall is started. If that
+ is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+ not supply an /etc/shorewall/tcstart file. That way, your traffic
+ shaping rules can still use the “fwmark” classifier based on packet
+ marking defined in shorewall-tcrules(5).
If not specified, CLEAR_TC=Yes is assumed.
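Review bot: As the added text reads here, the first new line limits the CLEAR_TC=No behaviour to "during reload", while the removed line said "[re]start" and the rest of the paragraph still contrasts this with "when the firewall is started". If start and restart also leave the existing traffic control rules in place, list them explicitly, so a reader does not conclude that a plain start clears the shaping rules their interface scripts installed.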
@@ -677,8 +681,8 @@
If set to Yes (the default value), entries in the
- /etc/shorewall/route_stopped files cause an 'ip rule del' command to
- be generated in addition to an 'ip rule add' command. Setting this
+ /etc/shorewall/rtrules files cause an 'ip rule del' command to be
+ generated in addition to an 'ip rule add' command. Setting this
option to No, causes the 'ip rule del' command to be omitted.
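Review bot: The first added line keeps the plural in "/etc/shorewall/rtrules files" for what is a single path, while the Shorewall6 version of this hunk says "rtrules file"; use the singular in both. The unchanged last line also has a stray comma in "Setting this option to No, causes", which could be dropped while the paragraph is being touched.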
@@ -829,7 +833,7 @@ net all DROP infothen the chain name is 'net-all'
helpers file from the administrative system into the script. When
set to No or not specified, the compiler will not copy the modules
or helpers file from /usr/share/shorewall but
- will copy the found in another location on the CONFIG_PATH.
+ will copy those found in another location on the CONFIG_PATH.
When compiling for direct use by Shorewall, causes the
contents of the local module or helpers file to be copied into the
@@ -863,7 +867,7 @@ net all DROP infothen the chain name is 'net-all'
role="bold">Yes|No}
- Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+ Added in Shorewall 4.4.11. Traditionally, Shorewall has
cleared the packet mark in the first rule in the mangle FORWARD
chain. This behavior is maintained with the default setting of this
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
@@ -2194,18 +2198,18 @@ LOG:info:,bar net fw
#TARGET SOURCE DEST PROTO
Broadcast(DROP) - - -
DROP - - 2
-INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
-INLINE - - 17 ; -j REJECT
+INLINE - - 17 ;; -j REJECT
?if __IPV4
-INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
?else
-INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
-INLINE - - - ; -j REJECT
+INLINE - - - ;; -j REJECT
?endif
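Review bot: Every INLINE line in this listing moves from ";" to ";;", but nothing in the hunk tells the reader why, or what to do with an action file copied from the earlier example that still uses a single ";". Add a sentence beside the listing, or a reference to the manpage that defines the separators, saying which form is expected before the "-j REJECT ..." text, since these lines define what the firewall sends back for rejected traffic.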
@@ -2275,7 +2279,7 @@ INLINE - - - ; -j REJECT
restored unconditionally at the top of the mangle OUTPUT and
PREROUTING chains, even if the saved mark is zero. When this option
is set to No, the mark is restored
- even when it is zero. If you have problems with IPSEC ESP packets
+ only if it is non-zero. If you have problems with IPSEC ESP packets
not being routed correctly on output, try setting this option to
No.
@@ -2451,10 +2455,9 @@ INLINE - - - ; -j REJECT
This option is used to specify the shell program to be used to
- run the Shorewall compiler and to interpret the compiled script. If
- not specified or specified as a null value, /bin/sh is assumed.
- Using a light-weight shell such as ash or dash can significantly
- improve performance.
+ interpret the compiled script. If not specified or specified as a
+ null value, /bin/sh is assumed. Using a light-weight shell such as
+ ash or dash can significantly improve performance.
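Review bot: The shortened paragraph now says this shell only interprets the compiled script and gives /bin/sh as the default, but it still does not say whether the value must be an absolute path. Since the named program is what executes the generated firewall script, state the expected form explicitly, for example "the full pathname of the shell", so a bare name is not left to PATH resolution.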
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index 2d8afb7fe..2789b656c 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -239,6 +239,9 @@
that were active when Shorewall stopped continue to work and
all new connections from the firewall system itself are
allowed.
+
+ Note that the routestopped file is not supported in
+ Shorewall 5.0 and later versions.
@@ -497,13 +500,14 @@
If this option is set to No
then Shorewall6 won't clear the current traffic control rules during
- [re]start. This setting is intended for use by people that prefer to
- configure traffic shaping when the network interfaces come up rather
- than when the firewall is started. If that is what you want to do,
- set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
- /etc/shorewall6/tcstart file. That way, your traffic shaping rules
- can still use the “fwmark” classifier based on packet marking
- defined in re]start or
+ reload. This setting is intended for use by
+ people that prefer to configure traffic shaping when the network
+ interfaces come up rather than when the firewall is started. If that
+ is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do
+ not supply an /etc/shorewall6/tcstart file. That way, your traffic
+ shaping rules can still use the “fwmark” classifier based on packet
+ marking defined in shorewall6-tcrules(5).
If not specified, CLEAR_TC=No is assumed.
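Review bot: The trailing context line gives the default as "CLEAR_TC=No is assumed", while the same paragraph in shorewall.conf.xml ends with "CLEAR_TC=Yes is assumed". Confirm that the two products really differ here and, if they do, say so in the text, since a reader moving between the two pages will not expect opposite defaults. The reflowed lines also keep "people that" where the Shorewall page says "people who".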
@@ -604,10 +608,9 @@
If set to Yes (the default value), entries in the
- /etc/shorewall6/route_stopped files cause an 'ip rule del' command
- to be generated in addition to an 'ip rule add' command. Setting
- this option to No, causes the 'ip rule del' command to be
- omitted.
+ /etc/shorewall6/rtrules file cause an 'ip rule del' command to be
+ generated in addition to an 'ip rule add' command. Setting this
+ option to No, causes the 'ip rule del' command to be omitted.
@@ -691,7 +694,7 @@ net all DROP infothen the chain name is 'net-all'
helpers file from the administrative system into the script. When
set to No or not specified, the compiler will not copy the modules
or helpers file from /usr/share/shorewall6 but
- will copy the found in another location on the CONFIG_PATH.
+ will copy those found in another location on the CONFIG_PATH.
When compiling for direct use by Shorewall6, causes the
contents of the local module or helpers file to be copied into the
@@ -725,7 +728,7 @@ net all DROP infothen the chain name is 'net-all'
role="bold">Yes|No}
- Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+ Added in Shorewall 4.4.11. Traditionally, Shorewall has
cleared the packet mark in the first rule in the mangle FORWARD
chain. This behavior is maintained with the default setting of this
option (FORWARD_CLEAR_MARK=Yes). If FORWARD_CLEAR_MARK is set to
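Review bot: The corrected line still reads "Added in Shorewall 4.4.11. Traditionally, Shorewall has", although other paragraphs in this file name the product as Shorewall6 ("Shorewall6 won't clear", "direct use by Shorewall6"). If the version reference is deliberately to the Shorewall release, leave it and change only the second occurrence; otherwise change both so that the page is consistent.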
@@ -1922,18 +1925,18 @@ LOG:info:,bar net fw
#TARGET SOURCE DEST PROTO
Broadcast(DROP) - - -
DROP - - 2
-INLINE - - 6 ; -j REJECT --reject-with tcp-reset
+INLINE - - 6 ;; -j REJECT --reject-with tcp-reset
?if __ENHANCED_REJECT
-INLINE - - 17 ; -j REJECT
+INLINE - - 17 ;; -j REJECT
?if __IPV4
-INLINE - - 1 ; -j REJECT --reject-with icmp-host-unreachable
-INLINE - - - ; -j REJECT --reject-with icmp-host-prohibited
+INLINE - - 1 ;; -j REJECT --reject-with icmp-host-unreachable
+INLINE - - - ;; -j REJECT --reject-with icmp-host-prohibited
?else
-INLINE - - 58 ; -j REJECT --reject-with icmp6-addr-unreachable
-INLINE - - - ; -j REJECT --reject-with icmp6-adm-prohibited
+INLINE - - 58 ;; -j REJECT --reject-with icmp6-addr-unreachable
+INLINE - - - ;; -j REJECT --reject-with icmp6-adm-prohibited
?endif
?else
-INLINE - - - ; -j REJECT
+INLINE - - - ;; -j REJECT
?endif
@@ -1982,7 +1985,7 @@ INLINE - - - ; -j REJECT
restored unconditionally at the top of the mangle OUTPUT and
PREROUTING chains, even if the saved mark is zero. When this option
is set to No, the mark is restored
- even when it is zero. If you have problems with IPSEC ESP packets
+ only if it is non-zero. If you have problems with IPSEC ESP packets
not being routed correctly on output, try setting this option to
No.